High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 10-Strike Software–Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains a buffer overflow vulnerability that allows attackers to bypass SafeSEH, ASLR, and DEP protections through carefully crafted input. Attackers can exploit the vulnerability by sending a malicious payload to the application’s registration key input, enabling remote code execution and launching arbitrary system commands. | 2026-01-30 | 9.8 | CVE-2020-37043 | ExploitDB-48570 Product Webpage VulnCheck Advisory: 10-Strike Bandwidth Monitor 3.9 – Buffer Overflow |
| 10-Strike Software–Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.65 contains a buffer overflow vulnerability in exception handling that allows remote attackers to execute arbitrary code. Attackers can craft a malicious file with 209 bytes of padding and a specially constructed Structured Exception Handler to trigger code execution. | 2026-01-28 | 9.8 | CVE-2020-36961 | ExploitDB-49134 10-Strike Network Inventory Explorer Vendor Homepage VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.65 – Buffer Overflow (SEH) |
| 10-Strike–Bandwidth Monitor | 10-Strike Bandwidth Monitor 3.9 contains an unquoted service path vulnerability in multiple services that allows local attackers to escalate privileges. Attackers can place a malicious executable in specific file path locations to achieve privilege escalation to SYSTEM during service startup. | 2026-01-29 | 7.8 | CVE-2020-37021 | ExploitDB-48591 Vendor Homepage VulnCheck Advisory: Bandwidth Monitor 3.9 – ‘Svc10StrikeBandMontitor’ Unquoted Service Path |
| Acer–Global Registration Service | Acer Global Registration Service 1.0.0.3 contains an unquoted service path vulnerability in its service configuration that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files (x86)\Acer\Registration to inject malicious executables that would run with elevated LocalSystem privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36976 | ExploitDB-49142 Acer Official Homepage VulnCheck Advisory: Global Registration Service 1.0.0.3 – ‘GREGsvc.exe’ Unquoted Service Path |
| Ajenti Project–Ajenti | Ajenti 2.1.36 contains an authentication bypass vulnerability that allows remote attackers to execute arbitrary commands after successful login. Attackers can leverage the /api/terminal/create endpoint to send a netcat reverse shell payload targeting a specified IP and port. | 2026-01-29 | 9.8 | CVE-2020-37002 | ExploitDB-48929 Ajenti GitHub Repository VulnCheck Advisory: Ajenti 2.1.36 – Remote Code Execution |
| Akın Software Computer Import Export Industry and Trade Ltd.–QR Menu | Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 8 | CVE-2025-7016 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| aliasrobotics–cai | Cybersecurity AI (CAI) is a framework for AI Security. In versions up to and including 0.5.10, the CAI (Cybersecurity AI) framework contains multiple argument injection vulnerabilities in its function tools. User-controlled input is passed directly to shell commands via `subprocess.Popen()` with `shell=True`, allowing attackers to execute arbitrary commands on the host system. The `find_file()` tool executes without requiring user approval because find is considered a “safe” pre-approved command. This means an attacker can achieve Remote Code Execution (RCE) by injecting malicious arguments (like -exec) into the args parameter, completely bypassing any human-in-the-loop safety mechanisms. Commit e22a1220f764e2d7cf9da6d6144926f53ca01cde contains a fix. | 2026-01-30 | 9.7 | CVE-2026-25130 | https://github.com/aliasrobotics/cai/security/advisories/GHSA-jfpc-wj3m-qw2m https://github.com/aliasrobotics/cai/commit/e22a1220f764e2d7cf9da6d6144926f53ca01cde https://github.com/aliasrobotics/cai/blob/559de8fcbc2b44f3b0360f35ffdc2bb975e7d7e4/src/cai/tools/reconnaissance/filesystem.py#L60 |
| amitkolloldey–e-learning PHP Script | e-Learning PHP Script 0.1.0 contains a SQL injection vulnerability in the search functionality that allows attackers to manipulate database queries through unvalidated user input. Attackers can inject malicious SQL code in the ‘search’ parameter to potentially extract, modify, or access sensitive database information. | 2026-01-30 | 8.2 | CVE-2020-37035 | ExploitDB-48629 Vendor Homepage VulnCheck Advisory: e-learning Php Script 0.1.0 – ‘search’ SQL Injection |
| ammarfaizi2–Tea LaTex | Tea LaTex 1.0 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary shell commands through the /api.php endpoint. Attackers can craft a malicious LaTeX payload with shell commands that are executed when processed by the application’s tex2png API action. | 2026-01-29 | 9.8 | CVE-2020-37012 | ExploitDB-48805 Vendor Homepage VulnCheck Advisory: Tea LaTex 1.0 – Remote Code Execution |
| Andrea Electronics–Andrea ST Filters Service | Andrea ST Filters Service 1.0.64.7 contains an unquoted service path vulnerability in its Windows service configuration. Local attackers can exploit the unquoted path to inject malicious code that will execute with elevated LocalSystem privileges during service startup. | 2026-01-30 | 7.8 | CVE-2020-37058 | ExploitDB-48396 Andrea Electronics Official Homepage VulnCheck Advisory: Andrea ST Filters Service 1.0.64.7 – Unquoted service path |
| Arcadia Technology, LLC–Crafty Controller | An input neutralization vulnerability in the File Operations API Endpoint component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 9.9 | CVE-2026-0963 | GitLab Issue #660 |
| Arcadia Technology, LLC–Crafty Controller | An input neutralization vulnerability in the Backup Configuration component of Crafty Controller allows a remote, authenticated attacker to perform file tampering and remote code execution via path traversal. | 2026-01-30 | 8.2 | CVE-2026-0805 | GitLab Issue #650 |
| asc Applied Software Consultants, s.r.o.–asc Timetables | aSc TimeTables 2021.6.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting subject title fields with excessive data. Attackers can generate a 10,000-character buffer and paste it into the subject title to trigger application instability and potential crash. | 2026-01-28 | 7.5 | CVE-2020-36943 | ExploitDB-49147 Vendor Homepage Software Download Page VulnCheck Advisory: aSc TimeTables 2021.6.2 – Denial of Service |
| Ashkon Software–Simple Startup Manager | Simple Startup Manager 1.17 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory through the ‘File’ input parameter. Attackers can craft a malicious payload with 268 bytes to trigger code execution, bypassing DEP and overwriting memory addresses to launch calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37031 | ExploitDB-48678 Product Webpage VulnCheck Advisory: Simple Startup Manager 1.17 – ‘File’ Local Buffer Overflow |
| Atheros–Coex Service Application | Atheros Coex Service Application 8.0.0.255 contains an unquoted service path vulnerability in its Windows service configuration. Attackers can exploit the unquoted path by placing malicious executables in the service path to gain elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36979 | ExploitDB-49053 Vendor Homepage Software Download Link VulnCheck Advisory: Atheros Coex Service Application 8.0.0.255 -‘ZAtheros Bt&Wlan Coex Agent’ Unquoted Service Path |
| avalanche123–Cassandra Web | Cassandra Web 0.5.0 contains a directory traversal vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating path traversal parameters. Attackers can exploit the disabled Rack::Protection module to read sensitive system files like /etc/passwd and retrieve Apache Cassandra database credentials. | 2026-01-27 | 7.5 | CVE-2020-36939 | ExploitDB-49362 Cassandra Web GitHub Repository Cassandra Web RubyGems Package VulnCheck Advisory: Cassandra Web 0.5.0 – Remote File Read |
| Avast–AVAST SecureLine | Avast SecureLine 5.5.522.0 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37037 | ExploitDB-48249 Avast Official Homepage VulnCheck Advisory: AVAST SecureLine 5.5.522.0 – ‘SecureLine’ Unquoted Service Path |
| backstage–backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, when TechDocs is configured with `runIn: local`, a malicious actor who can submit or modify a repository’s `mkdocs.yml` file can execute arbitrary Python code on the TechDocs build server via MkDocs hooks configuration. @backstage/plugin-techdocs-node versions 1.13.11 and 1.14.1 contain a fix. The fix introduces an allowlist of supported MkDocs configuration keys. Unsupported configuration keys (including `hooks`) are now removed from `mkdocs.yml` before running the generator, with a warning logged to indicate which keys were removed. Users of `@techdocs/cli` should also upgrade to the latest version, which includes the fixed `@backstage/plugin-techdocs-node` dependency. Some workarounds are available. Configure TechDocs with `runIn: docker` instead of `runIn: local` to provide container isolation, though it does not fully mitigate the risk. Limit who can modify `mkdocs.yml` files in repositories that TechDocs processes; only allow trusted contributors. Implement PR review requirements for changes to `mkdocs.yml` files to detect malicious `hooks` configurations before they are merged. Use MkDocs < 1.4.0 (e.g., 1.3.1) which does not support hooks. Note: This may limit access to newer MkDocs features. Building documentation in CI/CD pipelines using `@techdocs/cli` does not mitigate this vulnerability, as the CLI uses the same vulnerable `@backstage/plugin-techdocs-node` package. | 2026-01-30 | 7.7 | CVE-2026-25153 | https://github.com/backstage/backstage/security/advisories/GHSA-6jr7-99pf-8vgf |
| Barcode-Ocr–BarcodeOCR | BarcodeOCR 19.3.6 contains an unquoted service path vulnerability that allows local attackers to execute code with elevated privileges during system startup. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will run with LocalSystem privileges. | 2026-01-29 | 7.8 | CVE-2020-37016 | ExploitDB-48740 BarcodeOCR Official Homepage VulnCheck Advisory: BarcodeOCR 19.3.6 – ‘BarcodeOCR’ Unquoted Service Path |
| BearshareOfficial–BearShare Lite | BearShare Lite 5.2.5 contains a buffer overflow vulnerability in the Advanced Search keywords input that allows attackers to execute arbitrary code. Attackers can craft a specially designed payload to overwrite the EIP register and execute shellcode by pasting malicious content into the search keywords field. | 2026-01-29 | 9.8 | CVE-2020-37010 | ExploitDB-48839 Official BearShare Homepage BearShare Lite 5.2.5 Download Page VulnCheck Advisory: BearShare Lite 5.2.5 – ‘Advanced Search’Buffer Overflow in (PoC) |
| Beckhoff Automation–Beckhoff.Device.Manager.XAR | A low privileged remote attacker can execute arbitrary code by sending specially crafted calls to the web service of the Device Manager or locally via an API and can cause integer overflows which then may lead to arbitrary code execution within privileged processes. | 2026-01-27 | 8.8 | CVE-2025-41726 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beckhoff Automation–Beckhoff.Device.Manager.XAR | A local low privileged attacker can bypass the authentication of the Device Manager user interface, allowing them to perform privileged operations and gain administrator access. | 2026-01-27 | 7.8 | CVE-2025-41727 | https://certvde.com/de/advisories/VDE-2025-092 |
| bentoml–BentoML | BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML’s `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_template`, `conda.environment_yml`). An attacker can craft a malicious bentofile that, when built by a victim, exfiltrates arbitrary files from the filesystem into the bento archive. This enables supply chain attacks where sensitive files (SSH keys, credentials, environment variables) are silently embedded in bentos and exposed when pushed to registries or deployed. Version 1.4.34 contains a patch for the issue. | 2026-01-26 | 7.4 | CVE-2026-24123 | https://github.com/bentoml/BentoML/security/advisories/GHSA-6r62-w2q3-48hf https://github.com/bentoml/BentoML/commit/84d08cfeb40c5f2ce71b3d3444bbaa0fb16b5ca4 https://github.com/bentoml/BentoML/releases/tag/v1.4.34 |
| bloompixel–TableMaster for Elementor Advanced Responsive Tables for Elementor | The TableMaster for Elementor plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.3.6. This is due to the plugin not restricting which URLs can be fetched when importing CSV data from a URL in the Data Table widget. This makes it possible for authenticated attackers, with Author-level access and above, to make web requests to arbitrary locations, including localhost and internal network services, and read sensitive files such as wp-config.php via the ‘csv_url’ parameter. | 2026-01-28 | 7.2 | CVE-2025-14610 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ef07d6b0-ccdb-4b33-817f-6d4b3ad96243?source=cve https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/trunk/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/browser/tablemaster-for-elementor/tags/1.3.6/modules/data-table/widgets/data-table.php#L446 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442158%40tablemaster-for-elementor&new=3442158%40tablemaster-for-elementor&sfp_email=&sfph_mail= |
| Broadcom–Symantec Web Security Services Agent | WSS Agent, prior to 9.8.5, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 7 | CVE-2025-13917 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36778 |
| C4illin–ConvertX | ConvertX is a self-hosted online file converter. In versions prior to 0.17.0, the `POST /delete` endpoint uses a user-controlled `filename` value to construct a filesystem path and deletes it via `unlink` without sufficient validation. By supplying path traversal sequences (e.g., `../`), an attacker can delete arbitrary files outside the intended uploads directory, limited only by the permissions of the server process. Version 0.17.0 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24741 | https://github.com/C4illin/ConvertX/security/advisories/GHSA-w372-w6cr-45jp https://github.com/C4illin/ConvertX/commit/7a936bdc0463936463616381ca257b13babc5e77 |
| ChurchCRM–CRM | ChurchCRM is an open-source church management system. A SQL Injection vulnerability exists in endpoint `/PaddleNumEditor.php` in ChurchCRM prior to version 6.7.2. Any authenticated user, including one with zero assigned permissions, can exploit SQL injection through the `PerID` parameter. Version 6.7.2 contains a patch for the issue. | 2026-01-30 | 8.8 | CVE-2026-24854 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-p3q7-q68q-h2gr http://github.com/ChurchCRM/CRM/commit/748f5084fc06c5e12463dc7fdd62d1d31fc08d38 |
| Cleanersoft Software–Free MP3 CD Ripper | Free MP3 CD Ripper 2.8 contains a stack buffer overflow vulnerability that allows remote attackers to execute arbitrary code by crafting a malicious WAV file with oversized payload. Attackers can leverage a specially crafted exploit file with shellcode, SEH bypass, and egghunter technique to achieve remote code execution on vulnerable Windows systems. | 2026-01-29 | 9.8 | CVE-2020-37000 | ExploitDB-48696 Vendor Homepage VulnCheck Advisory: Free MP3 CD Ripper 2.8 – Stack Buffer Overflow (SEH + Egghunter) |
| code-projects–Online Examination System | A vulnerability was found in code-projects Online Examination System 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php of the component Login Page. Performing a manipulation of the argument User results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | 2026-01-26 | 7.3 | CVE-2026-1422 | VDB-342838 \| code-projects Online Examination System Login Page index.php sql injection VDB-342838 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736606 \| code-projects Online Examination System 1 SQL Injection https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-2-sql-injection-on-login-page https://code-projects.org/ |
| code-projects–Online Music Site | A flaw has been found in code-projects Online Music Site 1.0. Affected by this issue is some unknown functionality of the file /Administrator/PHP/AdminDeleteUser.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-26 | 7.3 | CVE-2026-1443 | VDB-342872 \| code-projects Online Music Site AdminDeleteUser.php sql injection VDB-342872 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736967 \| code-projects Online Music Site V1.0 SQL Injection https://github.com/Volije/cve/issues/1 https://code-projects.org/ |
| code-projects–Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. This affects an unknown function of the file /Administrator/PHP/AdminEditUser.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1534 | VDB-343220 \| code-projects Online Music Site AdminEditUser.php sql injection VDB-343220 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738705 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/3 https://code-projects.org/ |
| code-projects–Online Music Site | A security vulnerability has been detected in code-projects Online Music Site 1.0. This impacts an unknown function of the file /Administrator/PHP/AdminReply.php. Such manipulation of the argument ID leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-28 | 7.3 | CVE-2026-1535 | VDB-343221 \| code-projects Online Music Site AdminReply.php sql injection VDB-343221 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738706 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/4 https://code-projects.org/ |
| Code::Blocks–Code::Blocks | Code Blocks 17.12 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious file name with Unicode characters. Attackers can trigger the vulnerability by pasting a specially crafted payload into the file name field during project creation, potentially executing system commands like calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37040 | ExploitDB-48594 Code Blocks Official Website Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 17.12 – ‘File Name’ Local Buffer Overflow |
| Code::Blocks–Code::Blocks | Code Blocks 20.03 contains a denial of service vulnerability that allows attackers to crash the application by manipulating input in the FSymbols search field. Attackers can paste a large payload of 5000 repeated characters into the search field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37038 | ExploitDB-48617 Code Blocks Official Homepage Code Blocks SourceForge Page VulnCheck Advisory: Code Blocks 20.03 – Denial Of Service |
| codexcube–Ultimate Project Manager CRM PRO | Ultimate Project Manager CRM PRO 2.0.5 contains a blind SQL injection vulnerability that allows attackers to extract usernames and password hashes from the tbl_users database table. Attackers can exploit the /frontend/get_article_suggestion/ endpoint by crafting malicious search parameters to progressively guess and retrieve user credentials through boolean-based inference techniques. | 2026-01-29 | 8.2 | CVE-2020-37004 | ExploitDB-48912 Ultimate Project Manager CRM PRO Vendor Homepage VulnCheck Advisory: Ultimate Project Manager CRM PRO 2.0.5 – SQLi Credentials Leakage |
| Codriapp Innovation and Software Technologies Inc.–HeyGarson | Generation of Error Message Containing Sensitive Information vulnerability in Codriapp Innovation and Software Technologies Inc. HeyGarson allows Fuzzing for application mapping. This issue affects HeyGarson: through 30012026. NOTE: The vendor was contacted several times to verify the fixing process but did not respond in any way. | 2026-01-30 | 8.2 | CVE-2025-1395 | https://www.usom.gov.tr/bildirim/tr-26-0009 |
| crm-now GmbH–berliCRM | berliCRM 1.0.24 contains a SQL injection vulnerability in the ‘src_record’ parameter that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through a crafted POST request to the index.php endpoint to potentially extract or modify database information. | 2026-01-29 | 8.2 | CVE-2020-37006 | ExploitDB-48872 Vendor Homepage VulnCheck Advisory: berliCRM 1.0.24 – ‘src_record’ SQL Injection |
| Crystal Shard–http-protection | Crystal Shard http-protection 0.2.0 contains an IP spoofing vulnerability that allows attackers to bypass protection middleware by manipulating request headers. Attackers can hardcode consistent IP values across X-Forwarded-For, X-Client-IP, and X-Real-IP headers to circumvent security checks and gain unauthorized access. | 2026-01-30 | 9.8 | CVE-2020-37056 | ExploitDB-48533 HTTP Protection Crystal Shard Repository VulnCheck Advisory: Crystal Shard http-protection 0.2.0 – IP Spoofing Bypass |
| D-Link–DIR-615 | A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-26 | 7.2 | CVE-2026-1448 | VDB-342880 \| D-Link DIR-615 Web Management wiz_policy_3_machine.php os command injection VDB-342880 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737006 \| Dlink DIR615 Firmware v4.10 and earlier (DIR-615 Rev D) OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-v4-10-2e7e5dd4c5a580a5aac5c8ce35933396?pvs=73 https://www.dlink.com/ |
| D-Link–DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This issue affects some unknown processing of the file /set_temp_nodes.php of the component URL Filter. The manipulation results in os command injection. The attack can be executed remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1505 | VDB-343117 \| D-Link DIR-615 URL Filter set_temp_nodes.php os command injection VDB-343117 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737061 \| Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/D-Link-DIR-615-2e7e5dd4c5a580109a14fdeb6f105cd6 https://www.dlink.com/ |
| D-Link–DIR-615 | A vulnerability was determined in D-Link DIR-615 4.10. Impacted is an unknown function of the file /adv_mac_filter.php of the component MAC Filter Configuration. This manipulation of the argument mac causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 7.2 | CVE-2026-1506 | VDB-343118 \| D-Link DIR-615 MAC Filter Configuration adv_mac_filter.php os command injection VDB-343118 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737078 \| Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-MAC_FILTER-2e7e5dd4c5a58091b027f50271cc7c6a https://www.dlink.com/ |
| Dassault Systèmes–SOLIDWORKS eDrawings | A Heap-based Buffer Overflow vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1283 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1283 |
| Dassault Systèmes–SOLIDWORKS eDrawings | An Out-Of-Bounds Write vulnerability affecting the EPRT file reading procedure in SOLIDWORKS eDrawings from Release SOLIDWORKS 2025 through Release SOLIDWORKS 2026 could allow an attacker to execute arbitrary code while opening a specially crafted EPRT file. | 2026-01-26 | 7.8 | CVE-2026-1284 | https://www.3ds.com/trust-center/security/security-advisories/cve-2026-1284 |
| Deepinstinct–Deep Instinct Windows Agent | Deep Instinct Windows Agent 1.2.29.0 contains an unquoted service path vulnerability in the DeepMgmtService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:\Program Files\HP Sure Sense\DeepMgmtService.exe to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-02-01 | 7.8 | CVE-2020-37047 | ExploitDB-48174 Deep Instinct Official Homepage VulnCheck Advisory: Deep Instinct Windows Agent 1.2.29.0 – ‘DeepMgmtService’ Unquoted Service Path |
| Dell–CloudBoost Virtual Appliance | Dell CloudBoost Virtual Appliance, versions prior to 19.14.0.0, contains a Plaintext Storage of Password vulnerability. A high privileged attacker with remote access could potentially exploit this vulnerability, leading to Elevation of privileges. | 2026-01-27 | 7 | CVE-2026-21417 | https://www.dell.com/support/kbdoc/en-us/000419894/dsa-2026-025-security-update-for-dell-cloudboost-virtual-appliance-multiple-vulnerabilities |
| Dell–PremierColor | Dell PremierColor Panel Driver, versions prior to 1.0.0.1 A01, contains an Improper Access Control vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-01-28 | 7.8 | CVE-2025-46691 | https://www.dell.com/support/kbdoc/en-us/000394670/dsa-2025-444?lang=en |
| Dell–Unity | Dell Unity, version(s) 5.5.2 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-21418 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Dell–UnityVSA | Dell UnityVSA, version(s) 5.4 and prior, contain(s) an Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to arbitrary command execution with root privileges. | 2026-01-30 | 7.8 | CVE-2026-22277 | https://www.dell.com/support/kbdoc/en-us/000421197/dsa-2026-054-security-update-for-dell-unity-dell-unityvsa-and-dell-unity-xt-security-update-for-multiple-vulnerabilities |
| Delta Electronics–ASDA-Soft | ASDA-Soft Stack-based Buffer Overflow Vulnerability | 2026-01-27 | 7.8 | CVE-2026-1361 | https://filecenter.deltaww.com/news/download/doc/Delta-PCSA-2026-00003_ASDA-Soft%20Stack-based%20Buffer%20Overflow%20Vulnerability%20(CVE-2026-1361).pdf |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, some subscription endpoints lack proper checking for ownership before making changes. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.1 | CVE-2025-68479 | https://github.com/discourse/discourse/security/advisories/GHSA-6gjr-5897-m327 |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, a hostname validation issue in FinalDestination could allow bypassing SSRF protections under certain conditions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 7.6 | CVE-2025-68662 | https://github.com/discourse/discourse/security/advisories/GHSA-gcfp-rjfc-925c |
| dnnsoftware–Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, module title supports richtext which could include scripts that would execute in certain scenarios. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 9.1 | CVE-2026-24838 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-w9pf-h6m6-v89h |
| dnnsoftware–Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Prior to versions 9.13.10 and 10.2.0, a module could install with richtext in its description field which could contain scripts that will run for user in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24833 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-9r3h-mpf8-25gj |
| dnnsoftware–Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, extensions could write richtext in log notes which can include scripts that would run in the PersonaBar when displayed. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24836 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-2g5g-hcgh-q3rp |
| dnnsoftware–Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a module friendly name could include scripts that will run during some module operations in the Persona Bar. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 7.7 | CVE-2026-24837 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-vm5q-8qww-h238 |
| Dokploy–dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a critical command injection vulnerability exists in Dokploy’s WebSocket endpoint `/docker-container-terminal`. The `containerId` and `activeWay` parameters are directly interpolated into shell commands without sanitization, allowing authenticated attackers to execute arbitrary commands on the host server. Version 0.26.6 fixes the issue. | 2026-01-28 | 9.9 | CVE-2026-24841 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-vx6x-6559-x35r https://github.com/Dokploy/dokploy/commit/74e0bd5fe3ef7199f44fcd19c6f5a2f09b806d6f https://github.com/Dokploy/dokploy/blob/canary/apps/dokploy/server/wss/docker-container-terminal.ts |
| Dokploy–dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, a hardcoded credential in the provided installation script (located at https://dokploy.com/install.sh, line 154) uses a hardcoded password when creating the database container. This means that nearly all Dokploy installations use the same database credentials and could be compromised. Version 0.26.6 contains a patch for the issue. | 2026-01-28 | 8 | CVE-2026-24840 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-jr65-3j3w-gjmc https://github.com/Dokploy/dokploy/commit/b902c160a256ad345ac687c87eb092f1fab2c64d |
| Drive-Software–Atomic Alarm Clock x86 | Atomic Alarm Clock 6.3 contains a local privilege escalation vulnerability in its service configuration that allows attackers to execute arbitrary code with SYSTEM privileges. Attackers can exploit the unquoted service path by placing a malicious executable named ‘Program.exe’ to gain persistent system-level access. | 2026-01-30 | 7.8 | CVE-2020-37060 | ExploitDB-48352 Vendor Homepage VulnCheck Advisory: Atomic Alarm Clock x86 6.3 – ‘AtomicAlarmClock’ Unquoted Service Path |
| Dummysoftware–BacklinkSpeed | BacklinkSpeed 2.4 contains a buffer overflow vulnerability that allows attackers to corrupt the Structured Exception Handler (SEH) chain through malicious file import. Attackers can craft a specially designed payload file to overwrite SEH addresses, potentially executing arbitrary code and gaining control of the application. | 2026-01-29 | 9.8 | CVE-2020-36997 | ExploitDB-48726 Vendor Homepage Software Download Page VulnCheck Advisory: BacklinkSpeed 2.4 – Buffer Overflow PoC (SEH) |
| Eclipse Foundation–Eclipse Theia – Website | In the Eclipse Theia Website repository, the GitHub Actions workflow .github/workflows/preview.yml used pull_request_target trigger while checking out and executing untrusted pull request code. This allowed any GitHub user to execute arbitrary code in the repository’s CI environment with access to repository secrets and a GITHUB_TOKEN with extensive write permissions (contents:write, packages:write, pages:write, actions:write). An attacker could exfiltrate secrets, publish malicious packages to the eclipse-theia organization, modify the official Theia website, and push malicious code to the repository. | 2026-01-30 | 10 | CVE-2026-1699 | https://gitlab.eclipse.org/security/vulnerability-reports/-/issues/332 |
| Eclipse Foundation–Eclipse ThreadX | The vulnerability stems from incorrect error-checking logic in the CreateCounter() function (in threadx/utility/rtos_compatibility_layers/OSEK/tx_osek.c) when handling the return value of osek_get_counter(). Specifically, the current code checks if cntr_id equals 0u to determine failure, but osek_get_counter() actually returns E_OS_SYS_STACK (defined as 12U) when it fails. This mismatch causes the error branch to never execute even when the counter pool is exhausted. As a result, when the counter pool is depleted, the code proceeds to cast the error code (12U) to a pointer (OSEK_COUNTER *), creating a wild pointer. Subsequent writes to members of this pointer lead to writes to illegal memory addresses (e.g., 0x0000000C), which can trigger immediate HardFaults or silent memory corruption. This vulnerability poses significant risks, including potential denial-of-service attacks (via repeated calls to exhaust the counter pool) and unauthorized memory access. | 2026-01-27 | 7.8 | CVE-2026-0648 | https://github.com/eclipse-threadx/threadx/security/advisories/GHSA-xj75-fc68-h4rw |
| Elaniin–Elaniin CMS | Elaniin CMS 1.0 contains an authentication bypass vulnerability that allows attackers to access the dashboard by manipulating the login page with SQL injection. Attackers can bypass authentication by sending crafted email and password parameters with ‘=”or’ payload to login.php, granting unauthorized access to the system. | 2026-01-29 | 8.2 | CVE-2020-36999 | ExploitDB-48705 Vendor Homepage Elaniin CMS GitHub Repository VulnCheck Advisory: elaniin CMS 1.0 – Authentication Bypass |
| Elektraweb–EasyPMS | EasyPMS 1.0.0 contains an authentication bypass vulnerability that allows unprivileged users to manipulate SQL queries in JSON requests to access admin user information. Attackers can exploit weak input validation by injecting single quotes in ID parameters and modify admin user passwords without proper token authentication. | 2026-01-29 | 7.5 | CVE-2020-37008 | ExploitDB-48858 Vendor Homepage VulnCheck Advisory: EasyPMS 1.0.0 – Authentication Bypass |
| Enigmasoftware–SpyHunter | SpyHunter 4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific file system locations to gain elevated access during service startup. | 2026-02-01 | 7.8 | CVE-2020-37055 | ExploitDB-48172 Vendor Homepage VulnCheck Advisory: SpyHunter 4 – ‘SpyHunter 4 Service’ Unquoted Service Path |
| Epson–EPSON | EPSON 1.124 contains an unquoted service path vulnerability in the SENADB service that allows local attackers to execute code with elevated system privileges. Attackers can exploit the unquoted path in `C:\Program Files (x86)\EPSON_P2B\Printer Software\Status Monitor` to inject malicious executables that will run with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36984 | ExploitDB-48965 EPSON Official Support Page VulnCheck Advisory: EPSON 1.124 – ‘seksmdb.exe’ Unquoted Service Path |
| Epson–EPSON EasyMP Network Projection | EPSON EasyMP Network Projection 2.81 contains an unquoted service path vulnerability in the EMP_NSWLSV service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in `C:\Program Files (x86)\EPSON Projector\EasyMP Network Projection V2` to inject malicious code that would execute with LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37064 | ExploitDB-48069 EPSON EasyMP Network Projection Support Page VulnCheck Advisory: EPSON EasyMP Network Projection 2.81 – ‘EMP_NSWLSV’ Unquoted Service Path |
| ErugoOSS–Erugo | Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user supplied paths when creating shares. By specifying a writable path within the public web root, an attacker can upload and execute arbitrary code on the server, resulting in remote code execution (RCE). This vulnerability allows a low-privileged user to fully compromise the affected Erugo instance. Version 0.2.15 fixes the issue. | 2026-01-28 | 10 | CVE-2026-24897 | https://github.com/ErugoOSS/Erugo/security/advisories/GHSA-336w-hgpq-6369 https://github.com/ErugoOSS/Erugo/commit/256bc63831a0b5e9a94cb024a0724e0cd5fa5e38 https://github.com/ErugoOSS/Erugo/releases/tag/v0.2.15 |
| Filehorse–Motorola Device Manager | Motorola Device Manager 2.4.5 contains an unquoted service path vulnerability in the PST Service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in ForwardDaemon.exe to inject malicious code that will execute with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36981 | ExploitDB-49011 Motorola Device Manager Download Page ExploitDB-49013 VulnCheck Advisory: Motorola Device Manager 2.4.5 – ‘ForwardDaemon.exe ‘ Unquoted Service Path |
| Filigran–OpenCTI | OpenCTI 3.3.1 is vulnerable to a directory traversal attack via the static/css endpoint. An unauthenticated attacker can read arbitrary files from the filesystem by sending crafted GET requests with path traversal sequences (e.g., ‘../’) in the URL. For example, requesting /static/css//../../../../../../../../etc/passwd returns the contents of /etc/passwd. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 7.5 | CVE-2020-37041 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 – Directory Traversal |
| Flexense Ltd.–SyncBreeze | SyncBreeze 10.0.28 contains a denial of service vulnerability in the login endpoint that allows remote attackers to crash the service. Attackers can send an oversized payload in the login request to overwhelm the application and potentially disrupt service availability. | 2026-01-27 | 7.5 | CVE-2020-36946 | ExploitDB-49291 Vendor Homepage VulnCheck Advisory: SyncBreeze 10.0.28 – ‘login’ Denial of Service |
| Forensit–ForensiTAppxService | ForensiT AppX Management Service 2.2.0.4 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-28 | 7.8 | CVE-2020-36989 | ExploitDB-48821 ForensiT Official Downloads Page VulnCheck Advisory: ForensiTAppxService 2.2.0.4 – ‘ForensiTAppxService.exe’ Unquoted Service Path |
| Fortinet–FortiProxy | An Authentication Bypass Using an Alternate Path or Channel vulnerability [CWE-288] in Fortinet FortiAnalyzer 7.6.0 through 7.6.5, FortiAnalyzer 7.4.0 through 7.4.9, FortiAnalyzer 7.2.0 through 7.2.11, FortiAnalyzer 7.0.0 through 7.0.15, FortiManager 7.6.0 through 7.6.5, FortiManager 7.4.0 through 7.4.9, FortiManager 7.2.0 through 7.2.11, FortiManager 7.0.0 through 7.0.15, FortiOS 7.6.0 through 7.6.5, FortiOS 7.4.0 through 7.4.10, FortiOS 7.2.0 through 7.2.12, FortiOS 7.0.0 through 7.0.18, FortiProxy 7.6.0 through 7.6.4, FortiProxy 7.4.0 through 7.4.12, FortiProxy 7.2.0 through 7.2.15, FortiProxy 7.0.0 through 7.0.22, FortiWeb 8.0.0 through 8.0.3, FortiWeb 7.6.0 through 7.6.6, FortiWeb 7.4.0 through 7.4.11 may allow an attacker with a FortiCloud account and a registered device to log into other devices registered to other accounts, if FortiCloud SSO authentication is enabled on those devices. | 2026-01-27 | 9.4 | CVE-2026-24858 | https://fortiguard.fortinet.com/psirt/FG-IR-26-060 |
| Frigate3–Frigate Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the Pack File feature that allows attackers to execute arbitrary code by overflowing the ‘Archive To’ input field. Attackers can craft a malicious payload that overwrites the Structured Exception Handler (SEH) and uses an egghunter technique to execute a reverse shell payload. | 2026-01-29 | 8.4 | CVE-2020-37001 | ExploitDB-48688 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 – ‘Pack File’ Buffer Overflow (SEH Egghunter) |
| Gearboxcomputers–IP Watcher | IP Watcher 3.0.0.30 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be launched with elevated LocalSystem privileges during service startup. | 2026-01-28 | 7.8 | CVE-2020-36985 | ExploitDB-48968 Vendor Homepage VulnCheck Advisory: IP Watcher v3.0.0.30 – ‘PACService.exe’ Unquoted Service Path |
| Gearboxcomputers–Program Access Controller | Program Access Controller 1.2.0.0 contains an unquoted service path vulnerability in PACService.exe that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36987 | ExploitDB-48966 Vendor Homepage VulnCheck Advisory: Program Access Controller v1.2.0.0 – ‘PACService.exe’ Unquoted Service Path |
| geraked–phpscript-sgh | Phpscript-sgh 0.1.0 contains a time-based blind SQL injection vulnerability in the admin interface that allows attackers to manipulate database queries through the ‘id’ parameter. Attackers can exploit this vulnerability by crafting malicious payloads that trigger time delays, enabling them to extract sensitive database information through conditional sleep techniques. | 2026-01-27 | 8.2 | CVE-2020-36951 | ExploitDB-49192 Vendor Homepage VulnCheck Advisory: Phpscript-sgh 0.1.0 – Time Based Blind SQL Injection |
| gerstrong–Commander-Genius | Out-of-bounds Write vulnerability in gerstrong Commander-Genius. This issue affects Commander-Genius: before Release refs/pull/358/merge. | 2026-01-27 | 7.5 | CVE-2026-24827 | https://github.com/gerstrong/Commander-Genius/pull/379 |
| Getoutline–Outline Service | Outline Service 1.3.3 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in `C:\Program Files (x86)\Outline` to inject malicious code that would execute with LocalSystem permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37030 | ExploitDB-48414 Outline Service Official Homepage VulnCheck Advisory: Outline Service 1.3.3 – ‘Outline Service ‘ Unquoted Service Path |
| Getpopcorntime–Popcorn Time | Popcorn Time 6.2.1.14 contains an unquoted service path vulnerability that allows local non-privileged users to potentially execute code with elevated system privileges. Attackers can insert malicious executables in Program Files (x86) or system root directories to be executed with SYSTEM-level permissions during service startup. | 2026-01-30 | 7.8 | CVE-2020-37059 | ExploitDB-48378 Popcorn Time Official Homepage VulnCheck Advisory: Popcorn Time 6.2 – ‘Update service’ Unquoted Service Path |
| Gila CMS–Gila CMS | Gila CMS versions prior to 2.0.0 contain a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through manipulated HTTP headers. Attackers can inject PHP code in the User-Agent header with shell_exec() to run system commands by sending crafted requests to the admin endpoint. | 2026-01-27 | 9.8 | CVE-2021-47900 | ExploitDB-49412 Official Vendor Homepage Gila CMS GitHub Repository VulnCheck Advisory: Gila CMS < 2.0.0 – Remote Code Execution |
| Global Interactive Design Media Software Inc.–Content Management System (CMS) | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7713 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| Global Interactive Design Media Software Inc.–Content Management System (CMS) | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows Command Line Execution through SQL Injection. This issue affects Content Management System (CMS): through 21072025. | 2026-01-29 | 7.5 | CVE-2025-7714 | https://www.usom.gov.tr/bildirim/tr-26-0008 |
| GNOME–Fonts Viewer | Gnome Fonts Viewer 3.34.0 contains a heap corruption vulnerability that allows attackers to trigger an out-of-bounds write by crafting a malicious TTF font file. Attackers can generate a specially crafted TTF file with an oversized pattern to cause an infinite malloc() loop and potentially crash the gnome-font-viewer process. | 2026-01-29 | 7.5 | CVE-2020-37011 | ExploitDB-48803 Gnome Official Website Gnome Font Viewer App Webpage VulnCheck Advisory: Gnome Fonts Viewer 3.34.0 Heap Corruption |
| GnuPG–GnuPG | In GnuPG before 2.5.17, a crafted CMS (S/MIME) EnvelopedData message carrying an oversized wrapped session key can cause a stack-based buffer overflow in gpg-agent during PKDECRYPT --kem=CMS handling. This can easily be leveraged for denial of service; however, there is also memory corruption that could lead to remote code execution. | 2026-01-27 | 8.1 | CVE-2026-24881 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8044 |
| GnuPG–GnuPG | In GnuPG before 2.5.17, a stack-based buffer overflow exists in tpm2daemon during handling of the PKDECRYPT command for TPM-backed RSA and ECC keys. | 2026-01-27 | 8.4 | CVE-2026-24882 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8045 |
| Grafana–grafana/grafana | The dashboard permissions API does not verify the target dashboard scope and only checks the dashboards.permissions:* action. As a result, a user who has permission management rights on one dashboard can read and modify permissions on other dashboards. This is an organization internal privilege escalation. | 2026-01-27 | 8.1 | CVE-2026-21721 | https://grafana.com/security/security-advisories/CVE-2026-21721 |
| Grafana–grafana/grafana-enterprise | Every uncached /avatar/:hash request spawns a goroutine that refreshes the Gravatar image. If the refresh sits in the 10-slot worker queue longer than three seconds, the handler times out and stops listening for the result, so that goroutine blocks forever trying to send on an unbuffered channel. Sustained traffic with random hashes keeps tripping this timeout, so goroutine count grows linearly, eventually exhausting memory and causing Grafana to crash on some systems. | 2026-01-27 | 7.5 | CVE-2026-21720 | https://grafana.com/security/security-advisories/CVE-2026-21720 |
| guelfoweb–knock | Knockpy 4.1.1 contains a CSV injection vulnerability that allows attackers to inject malicious formulas into CSV reports through unfiltered server headers. Attackers can manipulate server response headers to include spreadsheet formulas that will execute when the CSV is opened in spreadsheet applications. | 2026-01-27 | 9.8 | CVE-2020-36941 | ExploitDB-49342 Knockpy GitHub Repository VulnCheck Advisory: Knockpy 4.1.1 – CSV Injection |
| hayyatapps–Sell BTC Cryptocurrency Selling Calculator | The Sell BTC – Cryptocurrency Selling Calculator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘orderform_data’ AJAX action in all versions up to, and including, 1.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in order records that will execute whenever an administrator accesses the Orders page in the admin dashboard. The vulnerability was partially patched in version 1.5. | 2026-01-31 | 7.2 | CVE-2025-14554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/720be34d-3fe4-4395-a27b-d386f8612ba9?source=cve https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions-admin.php#L39 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/functions/form_tab.php#L12 https://plugins.trac.wordpress.org/browser/sell-btc-by-hayyatapps/trunk/Pages/orders.php#L30 https://plugins.trac.wordpress.org/changeset/3433480/ https://plugins.trac.wordpress.org/changeset/3450361/ |
| HELLOWEB–HelloWeb | HelloWeb 2.0 contains an arbitrary file download vulnerability that allows remote attackers to download system files by manipulating filepath and filename parameters. Attackers can send crafted GET requests to download.asp with directory traversal to access sensitive configuration and system files. | 2026-01-30 | 7.5 | CVE-2020-37034 | ExploitDB-48659 Archived HelloWeb Vendor Homepage VulnCheck Advisory: HelloWeb 2.0 – Arbitrary File Download |
| Hewlett Packard Enterprise (HPE)–HPE Aruba Networking Fabric Composer | Insecure file operations in HPE Aruba Networking Fabric Composer’s backup functionality could allow authenticated attackers to achieve remote code execution. Successful exploitation could allow an attacker to execute arbitrary commands on the underlying operating system. | 2026-01-27 | 7.2 | CVE-2026-23592 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| Hewlett Packard Enterprise (HPE)–HPE Aruba Networking Fabric Composer | A vulnerability in the web-based management interface of HPE Aruba Networking Fabric Composer could allow an unauthenticated remote attacker to view some system files. Successful exploitation could allow an attacker to read files within the affected directory. | 2026-01-27 | 7.5 | CVE-2026-23593 | https://support.hpe.com/hpesc/public/docDisplay?docId=hpesbnw04996en_us&docLocale=en_US |
| HIKSEMI–HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can execute arbitrary commands on the device by crafting specific messages. | 2026-01-30 | 7.2 | CVE-2026-22623 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| Hikvision–DS-3WAP521-SI | Some Hikvision Wireless Access Points are vulnerable to authenticated command execution due to insufficient input validation. Attackers with valid credentials can exploit this flaw by sending crafted packets containing malicious commands to affected devices, leading to arbitrary command execution. | 2026-01-30 | 7.2 | CVE-2026-0709 | https://www.hikvision.com/en/support/cybersecurity/security-advisory/command-execution-vulnerability-in-some-hikvision-wireless-access-point-products/ |
| Hisense TransTech–Smart Bus Management System | A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Manipulating the argument key can lead to SQL injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 7.3 | CVE-2026-1449 | VDB-342881 \| Hisense TransTech Smart Bus Management System TireMng.aspx Page_Load sql injection VDB-342881 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #737032 \| Hisense TransTech Hisense Smart Bus Management System 1.0 SQL Injection https://github.com/master-abc/cve/issues/15 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Windows 12.1.0 – 12.1.3 could allow a local user with filesystem access to escalate their privileges due to the use of an unquoted search path element. | 2026-01-30 | 8.4 | CVE-2025-36384 | https://www.ibm.com/support/pages/node/7257678 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 could allow an instance owner to execute malicious code that escalates their privileges to root due to execution with unnecessary privileges, operating at a higher than minimum level. | 2026-01-30 | 7.2 | CVE-2025-36184 | https://www.ibm.com/support/pages/node/7257519 |
| IDT–IDT PC Audio | IDT PC Audio 1.0.6499.0 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the STacSV service to inject malicious code that would execute with LocalSystem account permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36959 | ExploitDB-49191 Software Download Link VulnCheck Advisory: IDT PC Audio 1.0.6499.0 – ‘STacSV’ Unquoted Service Path |
| iForwarder and upRedSun Technologies, LLC.–Port Forwarding Wizard | Port Forwarding Wizard 4.8.0 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code through a long request in the Register feature. Attackers can craft a malicious payload with an egg tag and overwrite SEH handlers to potentially execute shellcode on vulnerable Windows systems. | 2026-01-30 | 8.4 | CVE-2020-37025 | ExploitDB-48695 Vendor Homepage VulnCheck Advisory: Port Forwarding Wizard 4.8.0 – Buffer Overflow |
| ik80–YATinyWinFTP | YATinyWinFTP contains a denial of service vulnerability that allows attackers to crash the FTP service by sending a 272-byte buffer with a trailing space. Attackers can exploit the service by connecting and sending a malformed command that triggers a buffer overflow and service crash. | 2026-01-28 | 9.8 | CVE-2020-36964 | ExploitDB-49127 YATinyWinFTP GitHub Repository VulnCheck Advisory: YATinyWinFTP – Denial of Service |
| immich-app–immich | immich is a high performance self-hosted photo and video management solution. Prior to version 2.5.0, API keys can escalate their own permissions by calling the update endpoint, allowing a low-privilege API key to grant itself full administrative access to the system. Version 2.5.0 fixes the issue. | 2026-01-29 | 7.2 | CVE-2026-23896 | https://github.com/immich-app/immich/security/advisories/GHSA-237r-x578-h5mv |
| inc2734–Snow Monkey Forms | The Snow Monkey Forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the ‘generate_user_dirpath’ function in all versions up to, and including, 12.0.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the server, which can easily lead to remote code execution when the right file is deleted (such as wp-config.php). | 2026-01-28 | 9.8 | CVE-2026-1056 | https://www.wordfence.com/threat-intel/vulnerabilities/id/37a8642d-07f5-4b1b-8419-e30589089162?source=cve https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/snow-monkey-forms.php#L186 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Model/Directory.php#L58 https://plugins.trac.wordpress.org/browser/snow-monkey-forms/tags/12.0.3/App/Rest/Route/View.php#L189 https://plugins.trac.wordpress.org/changeset/3448278/ |
| infiniflow–ragflow | RAGFlow is an open-source RAG (Retrieval-Augmented Generation) engine. In version 0.23.1 and possibly earlier versions, the MinerU parser contains a “Zip Slip” vulnerability, allowing an attacker to overwrite arbitrary files on the server (leading to Remote Code Execution) via a malicious ZIP archive. The MinerUParser class retrieves and extracts ZIP files from an external source (mineru_server_url). The extraction logic in `_extract_zip_no_root` fails to sanitize filenames within the ZIP archive. Commit 64c75d558e4a17a4a48953b4c201526431d8338f contains a patch for the issue. | 2026-01-27 | 9.8 | CVE-2026-24770 | https://github.com/infiniflow/ragflow/security/advisories/GHSA-v7cf-w7gj-pgf4 https://github.com/infiniflow/ragflow/commit/64c75d558e4a17a4a48953b4c201526431d8338f |
| Inputdirector–Input Director | Input Director 1.4.3 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted path during system startup or reboot to inject and run malicious executables with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36990 | ExploitDB-48795 Input Director Official Homepage VulnCheck Advisory: Input Director 1.4.3 – ‘Input Director’ Unquoted Service Path |
| Insite Software–Infor Storefront B2B | Infor Storefront B2B 1.0 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the ‘usr_name’ parameter in login requests. Attackers can exploit the vulnerability by injecting malicious SQL code into the ‘usr_name’ parameter to potentially extract or modify database information. | 2026-01-30 | 8.2 | CVE-2020-37033 | ExploitDB-48674 Archived Infor Storefront Homepage VulnCheck Advisory: Infor Storefront B2B 1.0 – ‘usr_name’ SQL Injection |
| Intelbras–Intelbras Router RF 301K | Intelbras Router RF 301K firmware version 1.1.2 contains an authentication bypass vulnerability that allows unauthenticated attackers to download router configuration files. Attackers can send a specific HTTP GET request to /cgi-bin/DownloadCfg/RouterCfm.cfg to retrieve sensitive router configuration without authentication. | 2026-01-28 | 7.5 | CVE-2020-36963 | ExploitDB-49126 Intelbras Official Homepage VulnCheck Advisory: Intelbras Router RF 301K 1.1.2 – Authentication Bypass |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Versions prior to 2.3.1.2 have an undefined behavior issue when floating-point NaN values are converted to unsigned short integer types during ICC profile XML parsing potentially corrupting memory structures and enabling arbitrary code execution. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 7.8 | CVE-2026-24856 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-w585-cv3v-c396 https://github.com/InternationalColorConsortium/iccDEV/issues/532 https://github.com/InternationalColorConsortium/iccDEV/pull/541 https://github.com/InternationalColorConsortium/iccDEV/commit/5e53a5d25923b7794ba44e390e9b35d391f2b9c1 |
| Iobit–IObit Uninstaller | IObit Uninstaller 10 Pro contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated system privileges. Attackers can exploit the unquoted service path in the IObit Uninstaller Service to insert malicious code that would execute with SYSTEM-level permissions during service startup. | 2026-01-26 | 7.8 | CVE-2020-36952 | ExploitDB-49371 IObit Official Homepage VulnCheck Advisory: IObit Uninstaller 10 Pro – Unquoted Service Path |
| Is-Daouda–is-Engine | Missing Release of Memory after Effective Lifetime vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 7.5 | CVE-2026-24828 | https://github.com/Is-Daouda/is-Engine/pull/6 |
| isaacs–node-tar | node-tar, a Tar for Node.js, contains a vulnerability in versions prior to 7.5.7 where the security check for hardlink entries uses different path resolution semantics than the actual hardlink creation logic. This mismatch allows an attacker to craft a malicious TAR archive that bypasses path traversal protections and creates hardlinks to arbitrary files outside the extraction directory. Version 7.5.7 contains a fix for the issue. | 2026-01-28 | 8.2 | CVE-2026-24842 | https://github.com/isaacs/node-tar/security/advisories/GHSA-34x7-hfp2-rc4v https://github.com/isaacs/node-tar/commit/f4a7aa9bc3d717c987fdf1480ff7a64e87ffdb46 |
| Iskysoft–Iskysoft Application Framework Service | Iskysoft Application Framework Service 2.4.3.241 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that would be run with the service’s high-level system permissions. | 2026-02-01 | 7.8 | CVE-2020-37048 | ExploitDB-48171 Vendor Homepage VulnCheck Advisory: Iskysoft Application Framework Service 2.4.3.241 – ‘IsAppService’ Unquoted Service Path |
| itsourcecode–Directory Management System | A security vulnerability has been detected in itsourcecode Directory Management System 1.0. The affected element is an unknown function of the file /admin/index.php. The manipulation of the argument Username leads to SQL injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1688 | VDB-343482 \| itsourcecode Directory Management System index.php sql injection VDB-343482 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741283 \| itsourcecode Directory Management System V1.0 SQL Injection https://github.com/jackhong1236/CVE_1/issues/1 https://itsourcecode.com/ |
| itsourcecode–School Management System | A weakness has been identified in itsourcecode School Management System 1.0. The affected element is an unknown function of the file /course/index.php. Executing a manipulation of the argument ID can lead to SQL injection. The attack may be performed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 7.3 | CVE-2026-1545 | VDB-343229 \| itsourcecode School Management System index.php sql injection VDB-343229 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739647 \| itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/33 https://itsourcecode.com/ |
| itsourcecode–School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/inquiry/index.php. This manipulation of the argument txtsearch causes SQL injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-29 | 7.3 | CVE-2026-1589 | VDB-343352 \| itsourcecode School Management System index.php sql injection VDB-343352 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740686 \| itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/DQUWSY7Y#CLcuhD1KE2s0VtEvYqH_PDCyhpGS0HDo_MKj9sheUPA https://itsourcecode.com/ |
| itsourcecode–School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/faculty/index.php. Such manipulation of the argument ID leads to SQL injection. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-01-29 | 7.3 | CVE-2026-1590 | VDB-343353 \| itsourcecode School Management System index.php sql injection VDB-343353 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740687 \| itsourcecode School Management System v1.0 SQL Injection https://mega.nz/file/GYsm2Q7K#B7NUGX5Fy9iLYssM474U3zFsmZp_14v0n5Sp-5N95yI https://itsourcecode.com/ |
| itsourcecode–Society Management System | A weakness has been identified in itsourcecode Society Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/edit_expenses_query.php. Executing a manipulation of the argument detail can lead to SQL injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 7.3 | CVE-2026-1593 | VDB-343355 \| itsourcecode Society Management System edit_expenses_query.php sql injection VDB-343355 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740689 \| itsourcecode Society Management System V1.0 SQL injection https://github.com/yyzq-wsx/for_cve/issues/3 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A security vulnerability has been detected in itsourcecode Society Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/add_expenses.php. The manipulation of the argument detail leads to SQL injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 7.3 | CVE-2026-1594 | VDB-343356 \| itsourcecode Society Management System add_expenses.php sql injection VDB-343356 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740691 \| itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/2 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This affects an unknown part of the file /admin/edit_student_query.php. The manipulation of the argument student_id results in SQL injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-01-29 | 7.3 | CVE-2026-1595 | VDB-343357 \| itsourcecode Society Management System edit_student_query.php sql injection VDB-343357 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740692 \| itsourcecode Society Management System V1.0 SQL Injection https://github.com/yyzq-wsx/for_cve/issues/1 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A security vulnerability has been detected in itsourcecode Student Management System 1.0. This issue affects some unknown processing of the file /enrollment/index.php. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-01-30 | 7.3 | CVE-2026-1701 | VDB-343491 \| itsourcecode Student Management System index.php sql injection VDB-343491 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742024 \| itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/34 https://itsourcecode.com/ |
| Ivanti–Endpoint Manager Mobile | A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1281 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| Ivanti–Endpoint Manager Mobile | A code injection vulnerability in Ivanti Endpoint Manager Mobile allows attackers to achieve unauthenticated remote code execution. | 2026-01-29 | 9.8 | CVE-2026-1340 | https://forums.ivanti.com/s/article/Security-Advisory-Ivanti-Endpoint-Manager-Mobile-EPMM-CVE-2026-1281-CVE-2026-1340 |
| ixray-team–ixray-1.6-stcop | Out-of-bounds Write vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 9.8 | CVE-2026-24832 | https://github.com/ixray-team/ixray-1.6-stcop/pull/257 |
| ixray-team–ixray-1.6-stcop | Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 7.5 | CVE-2026-24831 | https://github.com/ixray-team/ixray-1.6-stcop/pull/248 |
| Juniper Networks–Session Smart Router | An Authentication Bypass Using an Alternate Path or Channel vulnerability in Juniper Networks Session Smart Router may allow a network-based attacker to bypass authentication and take administrative control of the device. This issue affects Session Smart Router: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects Session Smart Conductor: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2; This issue affects WAN Assurance Managed Routers: * from 5.6.7 before 5.6.17, * from 6.0 before 6.0.8 (affected from 6.0.8), * from 6.1 before 6.1.12-lts, * from 6.2 before 6.2.8-lts, * from 6.3 before 6.3.3-r2. | 2026-01-27 | 9.8 | CVE-2025-21589 | https://supportportal.juniper.net/ https://support.juniper.net/support/eol/software/ssr/ https://kb.juniper.net/JSA94663 |
| K.soft–FTPDummy | FTPDummy 4.80 contains a local buffer overflow vulnerability in its preference file handling that allows attackers to execute arbitrary code. Attackers can craft a malicious preference file with carefully constructed shellcode to trigger a structured exception handler overwrite and execute system commands. | 2026-01-30 | 8.4 | CVE-2020-37029 | ExploitDB-48685 Official FTPDummy Software Homepage VulnCheck Advisory: FTPDummy 4.80 – Local Buffer Overflow |
| KiloView–Encoder Series E1 hardware Version 1.4 | A missing authentication for critical function vulnerability in KiloView Encoder Series could allow an unauthenticated attacker to create or delete administrator accounts. This vulnerability can grant the attacker full administrative control over the product. | 2026-01-29 | 9.8 | CVE-2026-1453 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-029-01 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-029-01.json |
| Kite–Kite | Kite 1.2020.1119.0 contains an unquoted service path vulnerability in the KiteService Windows service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\Kite\KiteService.exe’ to inject malicious executables and escalate privileges on the system. | 2026-01-26 | 7.8 | CVE-2020-36958 | ExploitDB-49205 Vendor Homepage VulnCheck Advisory: Kite 1.2020.1119.0 – ‘KiteService’ Unquoted Service Path |
| Kludex–python-multipart | Python-Multipart is a streaming multipart parser for Python. Prior to version 0.0.22, a Path Traversal vulnerability exists when using non-default configuration options `UPLOAD_DIR` and `UPLOAD_KEEP_FILENAME=True`. An attacker can write uploaded files to arbitrary locations on the filesystem by crafting a malicious filename. Users should upgrade to version 0.0.22 to receive a patch or, as a workaround, avoid using `UPLOAD_KEEP_FILENAME=True` in project configurations. | 2026-01-27 | 8.6 | CVE-2026-24486 | https://github.com/Kludex/python-multipart/security/advisories/GHSA-wp53-j4wj-2cfg https://github.com/Kludex/python-multipart/commit/9433f4bbc9652bdde82bbe380984e32f8cfc89c4 https://github.com/Kludex/python-multipart/releases/tag/0.0.22 |
| Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co.–Online Exam and Assessment | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Kodmatic Computer Software Tourism Construction Industry and Trade Ltd. Co. Online Exam and Assessment allows SQL Injection. This issue affects Online Exam and Assessment: through 30012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-30 | 8.6 | CVE-2025-4686 | https://www.usom.gov.tr/bildirim/tr-26-0010 |
| kohler–hotcrp | HotCRP is conference review software. HotCRP versions from October 2025 through January 2026 delivered documents of all types with inline Content-Disposition, causing them to be rendered in the user’s browser rather than downloaded. (The intended behavior was for only `text/plain`, `application/pdf`, `image/gif`, `image/jpeg`, and `image/png` to be delivered inline, though adding `save=0` to the document URL could request inline delivery for any document.) This made users who clicked a document link vulnerable to cross-site scripting attacks. An uploaded HTML or SVG document would run in the viewer’s browser with access to their HotCRP credentials, and JavaScript in that document could eventually make arbitrary calls to HotCRP’s API. Malicious documents could be uploaded to submission fields with “file upload” or “attachment” type, or as attachments to comments. PDF upload fields were not vulnerable. A search of documents uploaded to hotcrp.com found no evidence of exploitation. The vulnerability was introduced in commit aa20ef288828b04550950cf67c831af8a525f508 (11 October 2025), present in development versions and v3.2, and fixed in commit 8933e86c9f384b356dc4c6e9e2814dee1074b323 and v3.2.1. Additionally, c3d88a7e18d52119c65df31c2cc994edd2beccc5 and v3.2.1 remove support for `save=0`. | 2026-01-30 | 7.3 | CVE-2026-25156 | https://github.com/kohler/hotcrp/security/advisories/GHSA-p88p-2f2p-2476 https://github.com/kohler/hotcrp/commit/8933e86c9f384b356dc4c6e9e2814dee1074b323 https://github.com/kohler/hotcrp/commit/aa20ef288828b04550950cf67c831af8a525f508 https://github.com/kohler/hotcrp/commit/c3d88a7e18d52119c65df31c2cc994edd2beccc5 |
| Koken–Koken CMS | Koken CMS 0.22.24 contains a file upload vulnerability that allows authenticated attackers to bypass file extension restrictions by renaming malicious PHP files. Attackers can upload PHP files with system command execution capabilities by manipulating the file upload request through a web proxy and changing the file extension. | 2026-01-30 | 8.8 | CVE-2020-37023 | ExploitDB-48706 Koken CMS Official Homepage Softaculous Koken CMS Software Page Researcher PoC VulnCheck Advisory: Koken CMS 0.22.24 – Arbitrary File Upload |
| kyverno–kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have a critical authorization boundary bypass in namespaced Kyverno Policy apiCall. The resolved `urlPath` is executed using the Kyverno admission controller ServiceAccount, with no enforcement that the request is limited to the policy’s namespace. As a result, any authenticated user with permission to create a namespaced Policy can cause Kyverno to perform Kubernetes API requests using Kyverno’s admission controller identity, targeting any API path allowed by that ServiceAccount’s RBAC. This breaks namespace isolation by enabling cross-namespace reads (for example, ConfigMaps and, where permitted, Secrets) and allows cluster-scoped or cross-namespace writes (for example, creating ClusterPolicies) by controlling the urlPath through context variable substitution. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 10 | CVE-2026-22039 | https://github.com/kyverno/kyverno/security/advisories/GHSA-8p9x-46gm-qfx2 https://github.com/kyverno/kyverno/commit/e0ba4de4f1e0ca325066d5095db51aec45b1407b https://github.com/kyverno/kyverno/commit/eba60fa856c781bcb9c3be066061a3df03ae4e3e |
| kyverno–kyverno | Kyverno is a policy engine designed for cloud native platform engineering teams. Versions prior to 1.16.3 and 1.15.3 have unbounded memory consumption in Kyverno’s policy engine that allows users with policy creation privileges to cause denial of service by crafting policies that exponentially amplify string data through context variables. Versions 1.16.3 and 1.15.3 contain a patch for the vulnerability. | 2026-01-27 | 7.7 | CVE-2026-23881 | https://github.com/kyverno/kyverno/security/advisories/GHSA-r2rj-wwm5-x6mq https://github.com/kyverno/kyverno/commit/7a651be3a8c78dcabfbf4178b8d89026bf3b850f https://github.com/kyverno/kyverno/commit/f5617f60920568a301740485472bf704892175b7 |
| LibreNMS–LibreNMS | LibreNMS 1.46 contains an authenticated SQL injection vulnerability in the MAC accounting graph endpoint that allows remote attackers to extract database information. Attackers can exploit the vulnerability by manipulating the ‘sort’ parameter with crafted SQL injection techniques to retrieve sensitive database contents through time-based blind SQL injection. | 2026-01-27 | 7.1 | CVE-2020-36947 | ExploitDB-49246 LibreNMS Official Website LibreNMS GitHub Repository LibreNMS Community VulnCheck Advisory: LibreNMS 1.46 – MAC Accounting Graph Authenticated SQL Injection |
| loft-sh–loft | vCluster Platform provides a Kubernetes platform for managing virtual clusters, multi-tenancy, and cluster sharing. Prior to versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10, when an access key is created with a limited scope, the scope can be bypassed to access resources outside of it. However, the user still cannot access resources beyond what is accessible to the owner of the access key. Versions 4.6.0, 4.5.4, 4.4.2, and 4.3.10 fix the vulnerability. Some other mitigations are available. Users can limit exposure by reviewing access keys which are scoped and ensuring any users with access to them have appropriate permissions set. Creating automation users with very limited permissions and using access keys for these automation users can be used as a temporary workaround where upgrading is not immediately possible but scoped access keys are needed. | 2026-01-29 | 9.1 | CVE-2026-22806 | https://github.com/loft-sh/loft/security/advisories/GHSA-c539-w4ch-7wxq |
| M.J.M Soft–Quick Player | Quick Player 1.3 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting a malicious .m3l file with carefully constructed payload. Attackers can trigger the vulnerability by loading a specially crafted file through the application’s file loading mechanism, potentially enabling remote code execution. | 2026-01-30 | 9.8 | CVE-2020-37050 | ExploitDB-48564 Software Download Link Archived Researcher Blog Post Archived Researcher Video PoC VulnCheck Advisory: Quick Player 1.3 – ‘.m3l’ Buffer Overflow |
| maurosoria–dirsearch | Dirsearch 0.4.1 contains a CSV injection vulnerability when using the --csv-report flag that allows attackers to inject formulas through redirected endpoints. Attackers can craft malicious server redirects with comma-separated paths containing Excel formulas to manipulate the generated CSV report. | 2026-01-27 | 9.8 | CVE-2021-47901 | ExploitDB-49370 dirsearch GitHub Repository VulnCheck Advisory: dirsearch 0.4.1 – CSV Injection |
| MedDream–MedDream PACS Server | MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevated privileges. | 2026-01-29 | 8.8 | CVE-2020-37009 | ExploitDB-48853 MedDream PACS Server Product Page VulnCheck Advisory: MedDream PACS Server 6.8.3.751 – Remote Code Execution |
| meshtastic–firmware | Meshtastic is an open source mesh networking solution. In the current Meshtastic architecture, a Node is identified by its NodeID, generated from the MAC address, rather than by its public key. This aspect downgrades the security, specifically through abuse of the HAM mode, which doesn’t use encryption. An attacker can, as such, forge a NodeInfo on behalf of a victim node advertising that the HAM mode is enabled. This, in turn, causes the other nodes on the mesh to accept the new information and overwrite the NodeDB. The other nodes will then only be able to send direct messages to the victim by using the shared channel key instead of the PKC. Additionally, because HAM mode by design doesn’t provide any confidentiality or authentication of information, the attacker could potentially also change the Node details, like the full name, short code, etc. To keep the attack persistent, it is enough to regularly resend the forged NodeInfo, in particular right after the victim sends their own. A patch is available in version 2.7.6.834c3c5. | 2026-01-27 | 8.2 | CVE-2025-55292 | https://github.com/meshtastic/firmware/security/advisories/GHSA-45vg-3f35-7ch2 https://github.com/meshtastic/firmware/commit/e5e8683cdba133e726033101586c3235a8678893 |
| Microsoft–Microsoft Office 2019 | Reliance on untrusted inputs in a security decision in Microsoft Office allows an unauthorized attacker to bypass a security feature locally. | 2026-01-26 | 7.8 | CVE-2026-21509 | Microsoft Office Security Feature Bypass Vulnerability |
| midgetspy–Sickbeard | Sickbeard alpha contains a remote command injection vulnerability that allows unauthenticated attackers to execute arbitrary commands through the extra scripts configuration. Attackers can set malicious commands in the extra scripts field and trigger processing to execute remote code on the vulnerable Sickbeard installation. | 2026-01-30 | 9.8 | CVE-2020-37027 | ExploitDB-48646 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 – Remote Command Injection |
| Mini-stream Software–RM Downloader | RM Downloader 2.50.60 contains a local buffer overflow vulnerability in the ‘Load’ parameter that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload with an egg hunter technique to bypass memory protections and execute commands like launching calc.exe. | 2026-01-30 | 8.4 | CVE-2020-37036 | ExploitDB-48628 Software v2.50.60 Archive Software Informer Product Page VulnCheck Advisory: RM Downloader 2.50.60 2006.06.23 – ‘Load’ Local Buffer Overflow |
| Minitool–MiniTool ShadowMaker | MiniTool ShadowMaker 3.2 contains an unquoted service path vulnerability in the MTAgentService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:\Program Files\MiniTool ShadowMaker\AgentService.exe’ to inject malicious executables and escalate privileges. | 2026-01-26 | 7.8 | CVE-2020-36953 | ExploitDB-49336 Vendor Homepage VulnCheck Advisory: MiniTool ShadowMaker 3.2 – ‘MTAgentService’ Unquoted Service Path |
| Mintplex-Labs–anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure a malicious DrupalWiki URL) to write arbitrary files to the server. This can lead to Remote Code Execution (RCE) by overwriting configuration files or writing executable scripts. Version 1.10.0 fixes the issue. | 2026-01-26 | 7.2 | CVE-2026-24478 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-jp2f-99h9-7vjv |
| MobSF–Mobile-Security-Framework-MobSF | MobSF is a mobile application security testing tool. Prior to version 4.4.5, a Stored Cross-site Scripting (XSS) vulnerability in MobSF’s Android manifest analysis allows an attacker to execute arbitrary JavaScript in the context of a victim’s browser session by uploading a malicious APK. The `android:host` attribute from `<data android:scheme="android_secret_code">` elements is rendered in HTML reports without sanitization, enabling session hijacking and account takeover. Version 4.4.5 fixes the issue. | 2026-01-27 | 8.1 | CVE-2026-24490 | https://github.com/MobSF/Mobile-Security-Framework-MobSF/security/advisories/GHSA-8hf7-h89p-3pqj https://github.com/MobSF/Mobile-Security-Framework-MobSF/commit/2b08dd050e7685ee2a14fdbb454affab94129eae https://github.com/MobSF/Mobile-Security-Framework-MobSF/releases/tag/v4.4.5 |
| Motorola-Device-Manager–Motorola Device Manager | Motorola Device Manager 2.5.4 contains an unquoted service path vulnerability in the MotoHelperService.exe service that allows local users to potentially inject malicious code. Attackers can exploit the unquoted path in the service configuration to execute arbitrary code with elevated system privileges during service startup. | 2026-01-27 | 7.8 | CVE-2020-36982 | ExploitDB-49012 Motorola Device Manager Vendor Homepage VulnCheck Advisory: Motorola Device Manager 2.5.4 – ‘MotoHelperService.exe’ Unquoted Service Path |
| n8n–n8n | n8n contains a critical Remote Code Execution (RCE) vulnerability in its workflow Expression evaluation system. Expressions supplied by authenticated users during workflow configuration may be evaluated in an execution context that is not sufficiently isolated from the underlying runtime. An authenticated attacker could abuse this behavior to execute arbitrary code with the privileges of the n8n process. Successful exploitation may lead to full compromise of the affected instance, including unauthorized access to sensitive data, modification of workflows, and execution of system-level operations. | 2026-01-27 | 9.9 | CVE-2026-1470 | https://github.com/n8n-io/n8n/commit/aa4d1e5825829182afa0ad5b81f602638f55fa04 https://research.jfrog.com/vulnerabilities/n8n-expression-node-rce/ |
| NaturalIntelligence–fast-xml-parser | fast-xml-parser allows users to validate XML, parse XML to JS object, or build XML from JS object without C/C++ based libraries and no callback. In versions 4.3.6 through 5.3.3, a RangeError vulnerability exists in the numeric entity processing of fast-xml-parser when parsing XML with out-of-range entity code points (e.g., `�` or `�`). This causes the parser to throw an uncaught exception, crashing any application that processes untrusted XML input. Version 5.3.4 fixes the issue. | 2026-01-30 | 7.5 | CVE-2026-25128 | https://github.com/NaturalIntelligence/fast-xml-parser/security/advisories/GHSA-37qj-frw5-hhjh https://github.com/NaturalIntelligence/fast-xml-parser/commit/4e387f61c4a5cef792f6a2f42467013290bf95dc https://github.com/NaturalIntelligence/fast-xml-parser/releases/tag/v5.3.4 |
| Naviwebs S.C.–Navigate CMS | Navigate CMS 2.8.7 contains an authenticated SQL injection vulnerability that allows attackers to leak database information by manipulating the ‘sidx’ parameter in comments. Attackers can exploit the vulnerability to extract user activation keys by using time-based blind SQL injection techniques, potentially enabling password reset for administrative accounts. | 2026-01-30 | 7.1 | CVE-2020-37053 | ExploitDB-48545 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 – ‘sidx’ SQL Injection |
| NetPCLinker–NetPCLinker | NetPCLinker 1.0.0.0 contains a buffer overflow vulnerability in the Clients Control Panel DNS/IP field that allows attackers to execute arbitrary shellcode. Attackers can craft a malicious payload in the DNS/IP input to overwrite SEH handlers and execute shellcode when adding a new client. | 2026-01-30 | 9.8 | CVE-2019-25232 | ExploitDB-48680 NetPCLinker SourceForge Page VulnCheck Advisory: NetPCLinker 1.0.0.0 – Buffer Overflow |
| neutrinolabs–xrdp | xrdp is an open source RDP server. xrdp before v0.10.5 contains an unauthenticated stack-based buffer overflow vulnerability. The issue stems from improper bounds checking when processing user domain information during the connection sequence. If exploited, the vulnerability could allow remote attackers to execute arbitrary code on the target system. The vulnerability allows an attacker to overwrite the stack buffer and the return address, which could theoretically be used to redirect the execution flow. The impact of this vulnerability is lessened if a compiler flag has been used to build the xrdp executable with stack canary protection. If this is the case, a second vulnerability would need to be used to leak the stack canary value. Upgrade to version 0.10.5 to receive a patch. Additionally, do not rely on stack canary protection on production systems. | 2026-01-27 | 9.1 | CVE-2025-68670 | https://github.com/neutrinolabs/xrdp/security/advisories/GHSA-rwvg-gp87-gh6f https://github.com/neutrinolabs/xrdp/commit/488c8c7d4d189514a366cd8301b6e816c5218ffa https://github.com/neutrinolabs/xrdp/releases/tag/v0.10.5 |
| Nidesoft Studio–Nidesoft DVD Ripper | Nidesoft DVD Ripper 5.2.18 contains a local buffer overflow vulnerability in the License Code registration parameter that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the License Code field to trigger a stack-based buffer overflow and execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37024 | ExploitDB-48687 Nidesoft DVD Ripper Software Download Page VulnCheck Advisory: Nidesoft DVD Ripper 5.2.18 – Local Buffer Overflow |
| Nidesoft–Nidesoft 3GP Video Converter | Nidesoft 3GP Video Converter 2.6.18 contains a local stack buffer overflow vulnerability in the license registration parameter. Attackers can craft a malicious payload and paste it into the ‘License Code’ field to execute arbitrary code on the system. | 2026-01-28 | 8.4 | CVE-2020-36971 | ExploitDB-49034 Archived Software Repository VulnCheck Advisory: Nidesoft 3GP Video Converter 2.6.18 – Local Stack Buffer Overflow |
| nmedia–Frontend File Manager Plugin | The Frontend File Manager Plugin for WordPress is vulnerable to unauthorized file sharing due to a missing capability check on the ‘wpfm_send_file_in_email’ AJAX action in all versions up to, and including, 23.5. This makes it possible for unauthenticated attackers to share arbitrary uploaded files via email by supplying a file ID. Since file IDs are sequential integers, attackers can enumerate all uploaded files on the site and exfiltrate sensitive data that was intended to be restricted to administrators only. | 2026-01-28 | 7.5 | CVE-2026-1280 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e739e7d3-756a-4c93-9ca7-f7b9f9657033?source=cve https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/trunk/inc/callback-functions.php#L98 https://plugins.trac.wordpress.org/browser/nmedia-user-file-uploader/tags/23.5/inc/callback-functions.php#L98 |
| nmedia–Simple User Registration | The Simple User Registration plugin for WordPress is vulnerable to privilege escalation in versions up to, and including, 6.7 due to insufficient restriction on the ‘profile_save_field’ function. This makes it possible for authenticated attackers, with minimal permissions such as a subscriber, to modify their user role by supplying the ‘wp_capabilities’ parameter during a profile update. | 2026-01-28 | 8.8 | CVE-2026-0844 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bb0e77e1-7e9f-4f7e-8953-c86ab0e5ae7a?source=cve https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.profile.php#L401 https://plugins.trac.wordpress.org/browser/wp-registration/tags/6.7/inc/classes/class.user.php#L305 |
| nordvpn–nordvpn | Nord VPN 6.31.13.0 contains an unquoted service path vulnerability in its nordvpn-service that allows local attackers to execute code with elevated privileges. Attackers can exploit the unquoted binary path during system startup or reboot to potentially run malicious code with LocalSystem permissions. | 2026-01-28 | 7.8 | CVE-2020-36992 | ExploitDB-48790 NordVPN Official Homepage VulnCheck Advisory: Nord VPN-6.31.13.0 – ‘nordvpn-service’ Unquoted Service Path |
| NVIDIA–GeForce | NVIDIA Display Driver for Windows contains a vulnerability where an attacker could trigger a use after free. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, and information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33217 | https://nvd.nist.gov/vuln/detail/CVE-2025-33217 https://www.cve.org/CVERecord?id=CVE-2025-33217 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA–GeForce | NVIDIA GPU Display Driver for Windows contains a vulnerability in the kernel mode layer (nvlddmkm.sys), where an attacker could cause an integer overflow. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33218 | https://nvd.nist.gov/vuln/detail/CVE-2025-33218 https://www.cve.org/CVERecord?id=CVE-2025-33218 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA–GeForce | NVIDIA Display Driver for Linux contains a vulnerability in the NVIDIA kernel module where an attacker could cause an integer overflow or wraparound. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33219 | https://nvd.nist.gov/vuln/detail/CVE-2025-33219 https://www.cve.org/CVERecord?id=CVE-2025-33219 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA–GeForce | NVIDIA vGPU software contains a vulnerability in the Virtual GPU Manager, where a malicious guest could cause heap memory access after the memory is freed. A successful exploit of this vulnerability might lead to code execution, escalation of privileges, data tampering, denial of service, or information disclosure. | 2026-01-28 | 7.8 | CVE-2025-33220 | https://nvd.nist.gov/vuln/detail/CVE-2025-33220 https://www.cve.org/CVERecord?id=CVE-2025-33220 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| NVIDIA–NVIDIA runx | NVIDIA runx contains a vulnerability where an attacker could cause a code injection. A successful exploit of this vulnerability might lead to code execution, denial of service, escalation of privileges, information disclosure, and data tampering. | 2026-01-27 | 7.8 | CVE-2025-33234 | https://nvd.nist.gov/vuln/detail/CVE-2025-33234 https://www.cve.org/CVERecord?id=CVE-2025-33234 https://nvidia.custhelp.com/app/answers/detail/a_id/5764 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Versions prior to 0.8.26 have a sandbox escape vulnerability due to `AsyncFunction` not being isolated in `SandboxFunction`. The library attempts to sandbox code execution by replacing the global `Function` constructor with a safe, sandboxed version (`SandboxFunction`). This is handled in `utils.ts` by mapping `Function` to `sandboxFunction` within a map used for lookups. However, before version 0.8.26, the library did not include mappings for `AsyncFunction`, `GeneratorFunction`, and `AsyncGeneratorFunction`. These constructors are not global properties but can be accessed via the `.constructor` property of an instance (e.g., `(async () => {}).constructor`). In `executor.ts`, property access is handled. When code running inside the sandbox accesses `.constructor` on an async function (which the sandbox allows creating), the `executor` retrieves the property value. Since `AsyncFunction` was not in the safe-replacement map, the `executor` returns the actual native host `AsyncFunction` constructor. Constructors for functions in JavaScript (like `Function`, `AsyncFunction`) create functions that execute in the global scope. By obtaining the host `AsyncFunction` constructor, an attacker can create a new async function that executes entirely outside the sandbox context, bypassing all restrictions and gaining full access to the host environment (Remote Code Execution). Version 0.8.26 patches this vulnerability. | 2026-01-27 | 10 | CVE-2026-23830 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-wxhw-j4hc-fmq6 https://github.com/nyariv/SandboxJS/commit/345aee6566e47979dee5c337b925b141e7f78ccd |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, crafted DCERPC traffic can cause Suricata to expand a buffer without limits, leading to memory exhaustion and the process getting killed. While reported for DCERPC over UDP, it is believed that DCERPC over TCP and SMB are also vulnerable. DCERPC/TCP in the default configuration should not be vulnerable as the default stream depth is limited to 1MiB. Versions 8.0.3 and 7.0.14 contain a patch. Some workarounds are available. For DCERPC/UDP, disable the parser. For DCERPC/TCP, the `stream.reassembly.depth` setting will limit the amount of data that can be buffered. For DCERPC/SMB, the `stream.reassembly.depth` can be used as well, but is set to unlimited by default. Imposing a limit here may lead to loss of visibility in SMB. | 2026-01-27 | 7.5 | CVE-2026-22258 | https://github.com/OISF/suricata/security/advisories/GHSA-289c-h599-3xcx https://github.com/OISF/suricata/commit/39d8c302af3422a096b75474a4f295a754ec6a74 https://github.com/OISF/suricata/commit/f82a388d0283725cb76782cf64e8341cab370830 https://redmine.openinfosecfoundation.org/issues/8182 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, specially crafted traffic can cause Suricata to consume large amounts of memory while parsing DNP3 traffic. This can lead to the process slowing down and running out of memory, potentially leading to it getting killed by the OOM killer. Versions 8.0.3 or 7.0.14 contain a patch. As a workaround, disable the DNP3 parser in the suricata yaml (disabled by default). | 2026-01-27 | 7.5 | CVE-2026-22259 | https://github.com/OISF/suricata/security/advisories/GHSA-878h-2x6v-84q9 https://github.com/OISF/suricata/commit/50cac2e2465ca211eabfa156623e585e9037bb7e https://github.com/OISF/suricata/commit/63225d5f8ef64cc65164c0bb1800730842d54942 https://redmine.openinfosecfoundation.org/issues/8181 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, Suricata can crash with a stack overflow. Version 8.0.3 patches the issue. As a workaround, use default values for `request-body-limit` and `response-body-limit`. | 2026-01-27 | 7.5 | CVE-2026-22260 | https://github.com/OISF/suricata/security/advisories/GHSA-3gm8-84cm-5x22 https://github.com/OISF/suricata/commit/0dddac7278c8b9cf3c1e4c1c71e620a78ec1c185 https://redmine.openinfosecfoundation.org/issues/8185 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, an unsigned integer overflow can lead to a heap use-after-free condition when generating excessive amounts of alerts for a single packet. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not run untrusted rulesets or run with less than 65536 signatures that can match on the same packet. | 2026-01-27 | 7.4 | CVE-2026-22264 | https://github.com/OISF/suricata/security/advisories/GHSA-mqr8-m3m4-2hw5 https://github.com/OISF/suricata/commit/549d7bf60616de8e54686a188196453b5b22f715 https://github.com/OISF/suricata/commit/5789a3d3760dbf33d93fc56c27bd9529e5bdc8f2 https://github.com/OISF/suricata/commit/ac1eb394181530430fb7262969f423a1bf8f209b https://redmine.openinfosecfoundation.org/issues/8190 |
| OpenClaw–OpenClaw | OpenClaw (aka clawdbot or Moltbot) before 2026.1.29 obtains a gatewayUrl value from a query string and automatically makes a WebSocket connection without prompting, sending a token value. | 2026-02-01 | 8.8 | CVE-2026-25253 | https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys https://github.com/openclaw/openclaw/security/advisories/GHSA-g8p2-7wf7-98mq https://openclaw.ai/blog |
| openemr–openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a broken access control in the Profile Edit endpoint. An authenticated normal user can modify the request parameters (pubpid / pid) to reference another user’s record; the server accepts the modified IDs and applies the changes to that other user’s profile. This allows one user to alter another user’s profile data (name, contact info, etc.), and could enable account takeover. Version 7.0.4 fixes the issue. | 2026-01-27 | 8.8 | CVE-2025-67645 | https://github.com/openemr/openemr/security/advisories/GHSA-vjmv-cf46-gffv https://github.com/openemr/openemr/commit/e2a682ee71aac71a9f04ae566f4ffca10052bc4a |
| opf–openproject | OpenProject is an open-source, web-based project management software. To enable real-time collaboration on documents, OpenProject 17.0 introduced a synchronization server. The OpenProject backend generates an authentication token that is currently valid for 24 hours and encrypts it with a shared secret known only to the synchronization server. The frontend hands this encrypted token and the backend URL over to the synchronization server to check the user’s ability to work on the document and perform intermittent saves while editing. The synchronization server does not properly validate the backend URL and sends a request with the decrypted authentication token to the endpoint that was given to the server. An attacker could use this vulnerability to decrypt a token that he intercepted by other means to gain an access token to interact with OpenProject on the victim’s behalf. This vulnerability was introduced with OpenProject 17.0.0 and was fixed in 17.0.2. As a workaround, disable the collaboration feature via Settings -> Documents -> Real time collaboration -> Disable. Additionally the `hocuspocus` container should also be disabled. | 2026-01-28 | 8.9 | CVE-2026-24772 | https://github.com/opf/openproject/security/advisories/GHSA-r854-p5qj-x974 |
| Pablosoftwaresolutions–Quick ‘n Easy FTP Service | Quick ‘n Easy FTP Service 3.2 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code during service startup. Attackers can exploit the misconfigured service binary path to inject malicious executables with elevated LocalSystem privileges during system boot or service restart. | 2026-01-27 | 7.8 | CVE-2020-36983 | ExploitDB-48983 Vendor Homepage Software Download Page VulnCheck Advisory: Quick ‘n Easy FTP Service 3.2 – Unquoted Service Path |
| patriksimek–vm2 | vm2 is an open source vm/sandbox for Node.js. In vm2 prior to version 3.10.2, `Promise.prototype.then` and `Promise.prototype.catch` callback sanitization can be bypassed. This allows attackers to escape the sandbox and run arbitrary code. In lib/setup-sandbox.js, the callback function of `localPromise.prototype.then` is sanitized, but `globalPromise.prototype.then` is not sanitized. The return value of async functions is a `globalPromise` object. Version 3.10.2 fixes the issue. | 2026-01-26 | 9.8 | CVE-2026-22709 | https://github.com/patriksimek/vm2/security/advisories/GHSA-99p7-6v5w-7xg8 https://github.com/patriksimek/vm2/commit/4b009c2d4b1131c01810c1205e641d614c322a29 https://github.com/patriksimek/vm2/releases/tag/v3.10.2 |
| Pdf-Complete–PDF Complete | PDF Complete 3.5.310.2002 contains an unquoted service path vulnerability in its pdfsvc.exe service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges. | 2026-01-26 | 7.8 | CVE-2020-36957 | ExploitDB-49226 PDF Complete Vendor Homepage VulnCheck Advisory: PDF Complete 3.5.310.2002 – ‘pdfsvc.exe’ Unquoted Service Path |
| PHPSUGAR–PHP Melody | PHP Melody version 3.0 contains a remote SQL injection vulnerability in the video edit module that allows authenticated attackers to inject malicious SQL commands. Attackers can exploit the unvalidated ‘vid’ parameter to execute arbitrary database queries and potentially compromise the web application and database management system. | 2026-02-01 | 8.1 | CVE-2021-47915 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 SQL Injection Vulnerability via Edit Video Parameter |
| PMB Services–PMB Services | PMB 5.6 contains a local file disclosure vulnerability in getgif.php that allows attackers to read arbitrary system files by manipulating the ‘chemin’ parameter. Attackers can exploit the unsanitized file path input to access sensitive files like /etc/passwd by sending crafted requests to the getgif.php endpoint. | 2026-01-28 | 8.4 | CVE-2020-36970 | ExploitDB-49054 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 – ‘chemin’ Local File Disclosure |
| polarnl–PolarLearn | PolarLearn is a free and open-source learning program. Prior to version 0-PRERELEASE-15, the vote API route (`POST /api/v1/forum/vote`) trusts the JSON body’s `direction` value without runtime validation. TypeScript types are not enforced at runtime, so an attacker can send arbitrary strings (e.g., `"x"`) as `direction`. Downstream (`VoteServer`) treats any non-`"up"` and non-`null` value as a downvote and persists the invalid value in `votes_data`. This can be exploited to bypass intended business logic. Version 0-PRERELEASE-15 fixes the vulnerability. | 2026-01-29 | 7.1 | CVE-2026-25126 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-ghpx-5w2p-p3qp https://github.com/polarnl/PolarLearn/commit/e6227d94d0e53e854f6a46480db8cd1051184d41 |
| Preyproject–Prey | Prey 1.9.6 contains an unquoted service path vulnerability that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in the CronService to insert malicious code that would execute during application startup or system reboot. | 2026-01-28 | 7.8 | CVE-2020-36986 | ExploitDB-48967 Vendor Homepage VulnCheck Advisory: Prey 1.9.6 – “CronService” Unquoted Service Path |
| ProjectSkyfire–SkyFire_548 | Improper pointer arithmetic vulnerability in ProjectSkyfire SkyFire_548. This issue affects SkyFire_548: before 5.4.8-stable5. | 2026-01-27 | 9.8 | CVE-2026-24872 | https://github.com/cadaver/turso3d/pull/11 |
| pytorch–pytorch | PyTorch is a Python package that provides tensor computation. Prior to version 2.10.0, a vulnerability in PyTorch’s `weights_only` unpickler allows an attacker to craft a malicious checkpoint file (`.pth`) that, when loaded with `torch.load(…, weights_only=True)`, can corrupt memory and potentially lead to arbitrary code execution. Version 2.10.0 fixes the issue. | 2026-01-27 | 8.8 | CVE-2026-24747 | https://github.com/pytorch/pytorch/security/advisories/GHSA-63cw-57p8-fm3p https://github.com/pytorch/pytorch/issues/163105 https://github.com/pytorch/pytorch/163122/commit/954dc5183ee9205cbe79876ad05dd2d9ae752139 https://github.com/pytorch/pytorch/releases/tag/v2.10.0 |
| Raimersoft–TapinRadio | TapinRadio 2.13.7 contains a denial of service vulnerability in the application proxy settings that allows attackers to crash the program by overflowing input fields. Attackers can paste a large buffer of 20,000 characters into the username and address fields to cause the application to become unresponsive and require reinstallation. | 2026-01-27 | 7.5 | CVE-2020-36949 | ExploitDB-49206 Vendor Homepage VulnCheck Advisory: TapinRadio 2.13.7 – Denial of Service |
| Ralim–IronOS | Integer Overflow or Wraparound vulnerability in Ralim IronOS. This issue affects IronOS: before v2.23-rc2. | 2026-01-27 | 9.8 | CVE-2026-24830 | https://github.com/Ralim/IronOS/pull/2083 |
| Realtek–Realtek Andrea RT Filters | Realtek Andrea RT Filters 1.0.64.7 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in ‘C:Program FilesIDTWDMAESTSr64.exe’ to inject malicious code that would execute during service startup or system reboot. | 2026-01-27 | 7.8 | CVE-2020-36974 | ExploitDB-49158 Realtek Official Homepage VulnCheck Advisory: Realtek Andrea RT Filters 1.0.64.7 – ‘AERTSr64.EXE’ Unquoted Service Path |
| Red Hat–OpenShift Serverless | A flaw was found in Undertow. Servlets using a method that calls HttpServletRequestImpl.getParameterNames() can cause an OutOfMemoryError when the client sends a request with large parameter names. This issue can be exploited by an unauthorized user to cause a remote denial-of-service (DoS) attack. | 2026-01-30 | 7.5 | CVE-2024-4027 | https://access.redhat.com/security/cve/CVE-2024-4027 RHBZ#2276410 |
| Red Hat–osim | The $uri$args concatenation in the nginx configuration file present in Open Security Issue Management (OSIM) prior to v2025.9.0 allows path traversal attacks via query parameters. | 2026-01-29 | 7.5 | CVE-2026-1616 | https://github.com/RedHatProductSecurity/osim/pull/615 |
| Red Hat–RHEL-9-CNV-4.19 | A flaw was found in KubeVirt Containerized Data Importer (CDI). This vulnerability allows a user to clone PersistentVolumeClaims (PVCs) from unauthorized namespaces, resulting in unauthorized access to data via the DataImportCron PVC source mechanism. | 2026-01-26 | 8.5 | CVE-2025-14459 | RHSA-2026:0950 https://access.redhat.com/security/cve/CVE-2025-14459 RHBZ#2420938 |
| Rinnegatamante–lpp-vita | Out-of-bounds Read vulnerability in Rinnegatamante lpp-vita. This issue affects lpp-vita: before lpp-vita r6. | 2026-01-27 | 7.8 | CVE-2026-24873 | https://github.com/Rinnegatamante/lpp-vita/pull/82 |
| Ruijienetworks–Ruijie Networks Switch eWeb S29_RGOS | Ruijie Networks Switch eWeb S29_RGOS 11.4 contains a directory traversal vulnerability that allows unauthenticated attackers to access sensitive configuration files by manipulating file path parameters. Attackers can exploit the /download.do endpoint with ‘../’ sequences to retrieve system configuration files containing credentials and network settings. | 2026-01-29 | 7.5 | CVE-2020-37015 | ExploitDB-48755 Ruijie Networks Official Homepage Directory Traversal Vulnerability Source VulnCheck Advisory: Ruijie Networks Switch eWeb S29_RGOS 11.4 – Directory Traversal |
| runtipi–runtipi | Runtipi is a personal homeserver orchestrator. Starting in version 4.5.0 and prior to version 4.7.2, an unauthenticated Path Traversal vulnerability in the `UserConfigController` allows any remote user to overwrite the system’s `docker-compose.yml` configuration file. By exploiting insecure URN parsing, an attacker can replace the primary stack configuration with a malicious one, resulting in full Remote Code Execution (RCE) and host filesystem compromise the next time the instance is restarted by the operator. Version 4.7.2 fixes the vulnerability. | 2026-01-29 | 7.6 | CVE-2026-25116 | https://github.com/runtipi/runtipi/security/advisories/GHSA-mwg8-x997-cqw6 https://github.com/runtipi/runtipi/releases/tag/v4.7.2 |
| saadiqbal–New User Approve | The New User Approve plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on multiple REST API endpoints in all versions up to, and including, 3.2.2. This makes it possible for unauthenticated attackers to approve or deny user accounts, retrieve sensitive user information including emails and roles, and force logout of privileged users. | 2026-01-28 | 7.3 | CVE-2026-0832 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f86a69ab-2fc5-4c84-872b-929dbec429cd?source=cve https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L60 https://plugins.trac.wordpress.org/browser/new-user-approve/trunk/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/browser/new-user-approve/tags/3.2.1/includes/end-points/mobile-api.php#L24 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3425140%40new-user-approve&new=3425140%40new-user-approve&sfp_email=&sfph_mail= https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442291%40new-user-approve&new=3442291%40new-user-approve&sfp_email=&sfph_mail= |
| Salt Project–Salt | Salt’s junos execution module contained an unsafe YAML decode/load usage. A specially crafted YAML payload processed by the junos module could lead to unintended code execution under the context of the Salt process. | 2026-01-30 | 7.8 | CVE-2025-62348 | Salt 3006.17 release notes (fix for CVE-2025-62348) |
| Sangfor–Operation and Maintenance Security Management System | A vulnerability has been found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. The impacted element is an unknown function of the file /fort/audit/get_clip_img of the component HTTP POST Request Handler. Such manipulation of the argument frame/dirno leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 7.3 | CVE-2026-1412 | VDB-342801 \| Sangfor Operation and Maintenance Security Management System HTTP POST Request get_clip_img command injection VDB-342801 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736513 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/22 |
| Scille–parsec-cloud | Parsec is a cloud-based application for cryptographically secure file sharing. In versions on the 3.x branch prior to 3.6.0, `libparsec_crypto`, a component of the Parsec application, does not check for weak order points of Curve25519 when compiled with its RustCrypto backend. In practice this means an attacker in a man-in-the-middle position would be able to provide weak order points to both parties in the Diffie-Hellman exchange, resulting in a high probability for both parties to obtain the same shared key (hence leading to a successful SAS code exchange, misleading both parties into thinking no MITM has occurred) which is also known by the attacker. Note only Parsec web is impacted (as Parsec desktop uses `libparsec_crypto` with the libsodium backend). Version 3.6.0 of Parsec patches the issue. | 2026-01-29 | 8.3 | CVE-2025-62514 | https://github.com/Scille/parsec-cloud/security/advisories/GHSA-hrc9-gm58-pgj9 https://github.com/Scille/parsec-cloud/commit/197bb6387b49fec872b5e4a04dcdb82b3d2995b2 https://github.com/Scille/parsec-cloud/blob/e7c5cdbc4234f606ccf3ab2be7e9edc22db16feb/libparsec/crates/crypto/src/rustcrypto/private.rs#L136-L138 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/curve25519-dalek/src/montgomery.rs#L132-L146 https://github.com/dalek-cryptography/curve25519-dalek/blob/8c53a8f10b146a2fd65069437e3576e49b390e7a/x25519-dalek/src/x25519.rs#L364-L366 |
| script3–soroban-fixed-point-math | soroban-fixed-point-math is a fixed-point math library for Soroban smart contracts. In versions 1.3.0 and 1.4.0, the `mulDiv(x, y, z)` function incorrectly handled cases where both the intermediate product $x * y$ and the divisor $z$ were negative. The logic assumed that if the intermediate product was negative, the final result must also be negative, neglecting the sign of $z$. This resulted in rounding being applied in the wrong direction for cases where both $x * y$ and $z$ were negative. The functions most at risk are `fixed_div_floor` and `fixed_div_ceil`, as they often use non-constant numbers as the divisor $z$ in `mulDiv`. This error is present in all signed `FixedPoint` and `SorobanFixedPoint` implementations, including `i64`, `i128`, and `I256`. Versions 1.3.1 and 1.4.1 contain a patch. No known workarounds for this issue are available. | 2026-01-27 | 7.5 | CVE-2026-24783 | https://github.com/script3/soroban-fixed-point-math/security/advisories/GHSA-x5m4-43jf-hh65 https://github.com/script3/soroban-fixed-point-math/commit/c9233f7094198a49ed66a4d75786a8a3755c936a https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.3.1 https://github.com/script3/soroban-fixed-point-math/releases/tag/v1.4.1 |
| sebastianbergmann–phpunit | PHPUnit is a testing framework for PHP. A vulnerability has been discovered in versions prior to 12.5.8, 11.5.50, 10.5.62, 9.6.33, and 8.5.52 involving unsafe deserialization of code coverage data in PHPT test execution. The vulnerability exists in the `cleanupForCoverage()` method, which deserializes code coverage files without validation, potentially allowing remote code execution if malicious `.coverage` files are present prior to the execution of the PHPT test. The vulnerability occurs when a `.coverage` file, which should not exist before test execution, is deserialized without the `allowed_classes` parameter restriction. An attacker with local file write access can place a malicious serialized object with a `__wakeup()` method into the file system, leading to arbitrary code execution during test runs with code coverage instrumentation enabled. This vulnerability requires local file write access to the location where PHPUnit stores or expects code coverage files for PHPT tests. This can occur through CI/CD pipeline attacks, the local development environment, and/or compromised dependencies. Rather than just silently sanitizing the input via `['allowed_classes' => false]`, the maintainer has chosen to make the anomalous state explicit by treating pre-existing `.coverage` files for PHPT tests as an error condition. Starting in versions 12.5.8, 11.5.50, 10.5.62, 9.6.33, when a `.coverage` file is detected for a PHPT test prior to execution, PHPUnit will emit a clear error message identifying the anomalous state. Organizations can reduce the effective risk of this vulnerability through proper CI/CD configuration, including ephemeral runners, code review enforcement, branch protection, artifact isolation, and access control. | 2026-01-27 | 7.8 | CVE-2026-24765 | https://github.com/sebastianbergmann/phpunit/security/advisories/GHSA-vvj3-c3rp-c85p https://github.com/sebastianbergmann/phpunit/commit/3141742e00620e2968d3d2e732d320de76685fda https://github.com/sebastianbergmann/phpunit/releases/tag/10.5.63 https://github.com/sebastianbergmann/phpunit/releases/tag/11.5.50 https://github.com/sebastianbergmann/phpunit/releases/tag/12.5.8 https://github.com/sebastianbergmann/phpunit/releases/tag/8.5.52 https://github.com/sebastianbergmann/phpunit/releases/tag/9.6.33 |
| Segurazo–SAntivirus IC | SAntivirus IC 10.0.21.61 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted executable path to inject malicious files in the service binary path, enabling privilege escalation to system-level permissions. | 2026-01-27 | 7.8 | CVE-2020-36980 | ExploitDB-49042 Vendor Homepage VulnCheck Advisory: SAntivirus IC 10.0.21.61 – ‘SAntivirusIC’ Unquoted Service Path |
| SEIKO EPSON Corp–Status Monitor 3 | EPSON Status Monitor 3 version 8.0 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can leverage the unquoted path in ‘C:Program FilesCommon FilesEPSONEPW!3SSRPE_S60RPB.EXE’ to inject malicious executables and escalate privileges. | 2026-01-27 | 7.8 | CVE-2020-36975 | ExploitDB-49141 Official EPSON Corporate Homepage VulnCheck Advisory: EPSON Status Monitor 3 ‘EPSON_PM_RPCV4_06’ – Unquoted Service Path |
| shahrukhlinkgraph–Search Atlas SEO Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization | The Search Atlas SEO – Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the ‘generate_sso_url’ and ‘validate_sso_token’ functions in versions 2.4.4 to 2.5.12. This makes it possible for authenticated attackers, with Subscriber-level access and above, to extract the ‘nonce_token’ authentication value to log in to the first Administrator’s account. | 2026-01-28 | 8.8 | CVE-2025-14386 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6f63d2c4-cbae-4177-8494-daca96449ecc?source=cve https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1042 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L851 https://plugins.trac.wordpress.org/browser/metasync/tags/2.5.12/admin/class-metasync-admin.php#L1141 |
| Sharemouse–ShareMouse | ShareMouse 5.0.43 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the insecure service path configuration by placing malicious executables in specific system directories to gain elevated access during service startup. | 2026-01-28 | 7.8 | CVE-2020-36991 | ExploitDB-48794 ShareMouse Official Vendor Homepage VulnCheck Advisory: ShareMouse 5.0.43 – ‘ShareMouse Service’ Unquoted Service Path |
| Simplephpscripts–Simple CMS | Simple CMS 2.1 contains a remote SQL injection vulnerability that allows privileged attackers to inject unfiltered SQL commands in the users module. Attackers can exploit unvalidated input parameters in the admin.php file to compromise the database management system and web application. | 2026-02-01 | 8.1 | CVE-2021-47918 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 SQL Injection Vulnerability via Users Module |
| smartdatasoft–SmartBlog | SmartBlog 2.0.1 contains a blind SQL injection vulnerability in the ‘id_post’ parameter of the details controller that allows attackers to extract database information. Attackers can systematically test and retrieve database contents by injecting crafted SQL queries that compare character-by-character of database information. | 2026-01-28 | 8.2 | CVE-2020-36972 | ExploitDB-48995 SmartBlog GitHub Repository VulnCheck Advisory: SmartBlog 2.0.1 – ‘id_post’ Blind SQL injection |
| SOCUSOFT–Photo to Video Converter Professional | Socusoft Photo to Video Converter Professional 8.07 contains a local buffer overflow vulnerability in the ‘Output Folder’ input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload and paste it into the output folder field to trigger a stack-based buffer overflow and potentially execute shellcode. | 2026-01-30 | 8.4 | CVE-2020-37028 | ExploitDB-48691 Archived Vendor Homepage VulnCheck Advisory: Socusoft Photo to Video Converter Professional 8.07 – ‘Output Folder’ Buffer Overflow |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40551 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40551 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that if exploited, would allow a malicious actor to execute actions and methods that should be protected by authentication. | 2026-01-28 | 9.8 | CVE-2025-40552 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40552 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an untrusted data deserialization vulnerability that could lead to remote code execution, which would allow an attacker to run commands on the host machine. This could be exploited without authentication. | 2026-01-28 | 9.8 | CVE-2025-40553 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40553 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to an authentication bypass vulnerability that, if exploited, could allow an attacker to invoke specific actions within Web Help Desk. | 2026-01-28 | 9.8 | CVE-2025-40554 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40554 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a security control bypass vulnerability that if exploited, could allow an unauthenticated attacker to gain access to certain restricted functionality. | 2026-01-28 | 8.1 | CVE-2025-40536 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40536 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| SolarWinds–Web Help Desk | SolarWinds Web Help Desk was found to be susceptible to a hardcoded credentials vulnerability that, under certain situations, could allow access to administrative functions. | 2026-01-28 | 7.5 | CVE-2025-40537 | https://www.solarwinds.com/trust-center/security-advisories/CVE-2025-40537 https://documentation.solarwinds.com/en/success_center/whd/content/release_notes/whd_2026-1_release_notes.htm |
| Sonarqube–SonarQube | SonarQube 8.3.1 contains an unquoted service path vulnerability that allows local attackers to gain SYSTEM privileges by exploiting the service executable path. Attackers can replace the wrapper.exe in the service path with a malicious executable to execute code with highest system privileges during service restart. | 2026-01-29 | 7.8 | CVE-2020-37020 | ExploitDB-48677 SonarQube Official Homepage VulnCheck Advisory: SonarQube 8.3.1 – Unquoted Service Path |
| Squidex–squidex | Squidex is an open source headless content management system and content management hub. Versions of the application up to and including 7.21.0 allow users to define “Webhooks” as actions within the Rules engine. The url parameter in the webhook configuration does not appear to validate or restrict destination IP addresses. It accepts local addresses such as 127.0.0.1 or localhost. When a rule is triggered (either manually by calling the trigger endpoint, or by a content update or any other trigger), the backend server executes an HTTP request to the user-supplied URL. Crucially, the server logs the full HTTP response in the rule execution log (lastDump field), which is accessible via the API. This turns a “Blind” SSRF into a “Full Read” SSRF. As of time of publication, no patched versions are available. | 2026-01-27 | 9.1 | CVE-2026-24736 | https://github.com/Squidex/squidex/security/advisories/GHSA-wxg2-953m-fg2w |
| sunnygkp10–Online-Exam-System | Online-Exam-System 2015 contains a time-based blind SQL injection vulnerability in the feedback form that allows attackers to extract database password hashes. Attackers can exploit the ‘feed.php’ endpoint by crafting malicious payload requests that use time delays to systematically enumerate user password characters. | 2026-01-30 | 8.2 | CVE-2020-37051 | ExploitDB-48560 Software Repository VulnCheck Advisory: Online-Exam-System 2015 – ‘feedback’ SQL Injection |
| sunnygkp10–Online-Exam-System | Online-Exam-System 2015 contains a SQL injection vulnerability in the feedback module that allows attackers to manipulate database queries through the ‘fid’ parameter. Attackers can inject malicious SQL code into the ‘fid’ parameter to potentially extract, modify, or delete database information. | 2026-01-30 | 8.2 | CVE-2020-37057 | ExploitDB-48529 Software Repository VulnCheck Advisory: Online-Exam-System 2015 – ‘fid’ SQL Injection |
| Techraft–Digital Multivendor Marketplace Online Store | Mult-E-Cart Ultimate 2.4 contains multiple SQL injection vulnerabilities in inventory, customer, vendor, and order modules. Remote attackers with privileged vendor or admin roles can exploit the ‘id’ parameter to execute malicious SQL commands and compromise the database management system. | 2026-02-01 | 8.1 | CVE-2021-47909 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Mult-E-Cart Ultimate 2.4 SQL Injection via Vulnerable ID Parameters |
| telnet-lite–Mocha Telnet Lite for iOS | Mocha Telnet Lite for iOS 4.2 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the user configuration input. Attackers can overwrite the ‘User’ field with 350 bytes of repeated characters to trigger an application crash and prevent normal functionality. | 2026-01-29 | 7.5 | CVE-2020-36995 | ExploitDB-48728 Official App Store Page for Mocha Telnet Lite VulnCheck Advisory: Mocha Telnet Lite for iOS 4.2 – ‘User’ Denial of Service |
| Tenda–AC21 | A vulnerability was identified in Tenda AC21 16.03.08.16. The affected element is the function fromAdvSetMacMtuWan of the file /goform/AdvSetMacMtuWan. The manipulation leads to stack-based buffer overflow. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-01-29 | 8.8 | CVE-2026-1637 | VDB-343416 \| Tenda AC21 AdvSetMacMtuWan fromAdvSetMacMtuWan stack-based overflow VDB-343416 \| CTI Indicators (IOB, IOC, IOA) Submit #740865 \| Tenda AC21 V16.03.08.16 Buffer Overflow https://github.com/LX-LX88/cve/issues/25 https://www.tenda.com.cn/ |
| Tenda–AC23 | A flaw has been found in Tenda AC23 16.03.07.52. This impacts an unknown function of the file /goform/WifiExtraSet. This manipulation of the argument wpapsk_crypto causes buffer overflow. Remote exploitation of the attack is possible. The exploit has been published and may be used. | 2026-01-26 | 8.8 | CVE-2026-1420 | VDB-342836 \| Tenda AC23 WifiExtraSet buffer overflow VDB-342836 \| CTI Indicators (IOB, IOC, IOA) Submit #736559 \| Tenda AC23 V16.03.07.52 Buffer Overflow https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md https://github.com/xyh4ck/iot_poc/blob/main/Tenda%20AC23_Buffer_Overflow_WifiExtraSet/Tenda%20AC23_Buffer_Overflow_WifiExtraSet.md#poc https://www.tenda.com.cn/ |
| Tenda–AX12 Pro V2 | A vulnerability was found in Tenda AX12 Pro V2 16.03.49.24_cn. Affected by this issue is some unknown functionality of the component Telnet Service. Performing a manipulation results in hard-coded credentials. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. The exploitation is known to be difficult. The exploit has been made public and could be used. | 2026-01-29 | 8.1 | CVE-2026-1610 | VDB-343378 \| Tenda AX12 Pro V2 Telnet Service hard-coded credentials VDB-343378 \| CTI Indicators (IOB, IOC, TTP) Submit #740766 \| Tenda AX12 pro V2 V16.03.49.24_cn Hard-coded Credentials https://github.com/QIU-DIE/CVE/issues/49 https://www.tenda.com.cn/ |
| Tenda–HG10 | A weakness has been identified in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. Impacted is an unknown function of the file /boaform/formSamba of the component Boa Webserver. Executing a manipulation of the argument serverString can lead to command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 7.3 | CVE-2026-1687 | VDB-343481 \| Tenda HG10 Boa Webserver formSamba command injection VDB-343481 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741281 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSamba-serverString-command.md#poc https://www.tenda.com.cn/ |
| Tenda–HG10 | A vulnerability was detected in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. The impacted element is the function checkUserFromLanOrWan of the file /boaform/admin/formLogin of the component Login Interface. The manipulation of the argument Host results in command injection. The attack can be launched remotely. The exploit is now public and may be used. | 2026-01-30 | 7.3 | CVE-2026-1689 | VDB-343483 \| Tenda HG10 Login formLogin checkUserFromLanOrWan command injection VDB-343483 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741411 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formLogin-Host-command.md#poc https://www.tenda.com.cn/ |
| Tendenci–Tendenci | Tendenci 12.3.1 contains a CSV formula injection vulnerability in the contact form message field that allows attackers to inject malicious formulas during export. Attackers can submit crafted payloads like ‘=10+20+cmd\|’ /C calc’!A0′ in the message field to trigger arbitrary command execution when the CSV is opened in spreadsheet applications. | 2026-01-28 | 9.8 | CVE-2020-36962 | ExploitDB-49145 Official Vendor Homepage Tendenci GitHub Repository VulnCheck Advisory: Tendenci 12.3.1 – CSV/ Formula Injection |
| Testa–Testa Online Test Management System | Testa Online Test Management System 3.4.7 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the ‘q’ search parameter. Attackers can inject malicious SQL code in the search field to extract database information, potentially accessing sensitive user or system data. | 2026-01-27 | 8.2 | CVE-2021-47902 | ExploitDB-49194 Archived Vendor Homepage VulnCheck Advisory: Testa Online Test Management System 3.4.7 – ‘q’ SQL Injection |
| themrdemonized–xray-monolith | Access of Resource Using Incompatible Type (‘Type Confusion’) vulnerability in themrdemonized xray-monolith. This issue affects xray-monolith: before 2025.12.30. | 2026-01-27 | 9.1 | CVE-2026-24874 | https://github.com/themrdemonized/xray-monolith/pull/399 |
| tigroumeow–AI Engine The Chatbot and AI Framework for WordPress | The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the `rest_helpers_update_media_metadata` function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attackers, with Editor-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. The attacker can upload a benign image file, then use the `update_media_metadata` endpoint to rename it to a PHP file, creating an executable PHP file in the uploads directory. | 2026-01-28 | 7.2 | CVE-2026-1400 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d5227269-4406-4fcf-af37-f1db0af857d6?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1104 https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.0/classes/rest.php#L1141 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/rest.php |
| Tildeslash Ltd.–M/Monit | M/Monit 3.7.4 contains a privilege escalation vulnerability that allows authenticated users to modify user permissions by manipulating the admin parameter. Attackers can send a POST request to the /api/1/admin/users/update endpoint with a crafted payload to grant administrative access to a standard user account. | 2026-01-28 | 8.8 | CVE-2020-36969 | ExploitDB-49080 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 – Privilege Escalation |
| TimeClock Software–TimeClock Software | TimeClock Software 1.01 contains an authenticated time-based SQL injection vulnerability that allows attackers to enumerate valid usernames by manipulating the ‘notes’ parameter. Attackers can inject conditional time delays in the add_entry.php endpoint to determine user existence by measuring response time differences. | 2026-01-29 | 7.1 | CVE-2020-37005 | ExploitDB-48874 Archived Product Homepage VulnCheck Advisory: TimeClock Software 1.01 Authenticated Time-Based SQL Injection |
| Totolink–A3600R | A security flaw has been discovered in Totolink A3600R 5.9c.4959. This issue affects the function setAppEasyWizardConfig in the library /lib/cste_modules/app.so. Performing a manipulation of the argument apcliSsid results in buffer overflow. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-30 | 8.8 | CVE-2026-1686 | VDB-343480 \| Totolink A3600R app.so setAppEasyWizardConfig buffer overflow VDB-343480 \| CTI Indicators (IOB, IOC, IOA) Submit #740888 \| TOTOLINK A3600R V5.9c.4959 Buffer Overflow https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A3600R/4959-apcliSsid-setAppEasyWizardConfig.md#poc https://www.totolink.net/ |
| TrustTunnel–TrustTunnel | TrustTunnel is an open-source VPN protocol with a server-side request forgery and private network restriction bypass in versions prior to 0.9.114. In `tcp_forwarder.rs`, SSRF protection for `allow_private_network_connections = false` was only applied in the `TcpDestination::HostName(peer)` path. The `TcpDestination::Address(peer) => peer` path proceeded to `TcpStream::connect()` without equivalent checks (for example `is_global_ip`, `is_loopback`), allowing loopback/private targets to be reached by supplying a numeric IP. The vulnerability is fixed in version 0.9.114. | 2026-01-29 | 7.1 | CVE-2026-24902 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-hgr9-frvw-5r76 https://github.com/TrustTunnel/TrustTunnel/commit/734bb5cf103b72390a95c853cbf91e699cc01bc0 |
| TryGhost–Ghost | Ghost is an open source content management system. In Ghost versions 5.43.0 through 5.12.04 and 6.0.0 through 6.14.0, an attacker was able to craft a malicious link that, when accessed by an authenticated staff user or member, would execute JavaScript with the victim’s permissions, potentially leading to account takeover. Ghost Portal versions 2.29.1 through 2.51.4 and 2.52.0 through 2.57.0 were vulnerable to this issue. Ghost automatically loads the latest patch of the members Portal component via CDN. For Ghost 5.x users, upgrading to v5.121.0 or later fixes the vulnerability. v5.121.0 loads Portal v2.51.5, which contains the patch. For Ghost 6.x users, upgrading to v6.15.0 or later fixes the vulnerability. v6.15.0 loads Portal v2.57.1, which contains the patch. For Ghost installations using a customized or self-hosted version of Portal, it will be necessary to manually rebuild from or update to the latest patch version. | 2026-01-27 | 8.8 | CVE-2026-24778 | https://github.com/TryGhost/Ghost/security/advisories/GHSA-gv6q-2m97-882h https://github.com/TryGhost/Ghost/commit/da858e640e88e69c1773a7b7ecdc2008fa143849 |
| Tucows Inc.–Audio Playback Recorder | Audio Playback Recorder 3.2.2 contains a local buffer overflow vulnerability in the eject and registration parameters that allows attackers to execute arbitrary code. Attackers can craft malicious payloads and overwrite Structured Exception Handler (SEH) to execute shellcode when pasting specially crafted input into the application’s input fields. | 2026-01-29 | 8.4 | CVE-2020-37013 | ExploitDB-48796 Archived Researcher Proof of Concept Video Product Software Archive VulnCheck Advisory: Audio Playback Recorder 3.2.2 – Local Buffer Overflow (SEH) |
| Tucows–Easy CD & DVD Cover Creator | Easy CD & DVD Cover Creator 4.13 contains a buffer overflow vulnerability in the serial number input field that allows attackers to crash the application. Attackers can generate a 6000-byte payload and paste it into the serial number field to trigger an application crash. | 2026-01-27 | 9.8 | CVE-2020-36940 | ExploitDB-49337 VulnCheck Advisory: Easy CD & DVD Cover Creator 4.13 – Denial of Service |
| Ubiquiti, Inc.–AirControl | AirControl 1.4.2 contains a pre-authentication remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary system commands through malicious Java expression injection. Attackers can exploit the /.seam endpoint by crafting a specially constructed URL with embedded Java expressions to run commands with the application’s system privileges. | 2026-01-30 | 9.8 | CVE-2020-37052 | ExploitDB-48541 Vendor Homepage VulnCheck Advisory: AirControl 1.4.2 – PreAuth Remote Code Execution |
| Veritas–NetBackup | Veritas NetBackup 7.0 contains an unquoted service path vulnerability in the NetBackup INET Daemon service that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:\Program Files\Veritas\NetBackup\bin\bpinetd.exe to inject malicious code that would execute with elevated LocalSystem privileges. | 2026-02-01 | 7.8 | CVE-2020-37045 | ExploitDB-48227 Veritas Official Homepage VulnCheck Advisory: NetBackup 7.0 – ‘NetBackup INET Daemon’ Unquoted Service Path |
| VeryPDF.com, Inc.–docPrint Pro | docPrint Pro 8.0 contains a local buffer overflow vulnerability in the ‘Add URL’ input field that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload that triggers a structured exception handler (SEH) overwrite to execute shellcode and gain remote system access. | 2026-01-28 | 8.4 | CVE-2020-36965 | ExploitDB-49100 Vendor Homepage VulnCheck Advisory: docPrint Pro 8.0 – ‘Add URL’ Buffer Overflow (SEH Egghunter) |
| VestaCP–VestaCP | VestaCP 0.9.8-26 contains a session token vulnerability in the LoginAs module that allows remote attackers to manipulate authentication tokens. Attackers can exploit insufficient token validation to access user accounts and perform unauthorized login requests without proper administrative permissions. | 2026-01-27 | 9.8 | CVE-2020-36948 | ExploitDB-49219 VestaCP Official Homepage Vulnerability Lab Advisory Benjamin Kunz Mejri Profile VulnCheck Advisory: VestaCP 0.9.8-26 – ‘LoginAs’ Insufficient Session Validation |
| VictorAlagwu–CMSsite | Victor CMS 1.0 contains a file upload vulnerability that allows authenticated users to upload malicious PHP files through the profile image upload feature. Attackers can upload a PHP shell to the /img directory and execute system commands by accessing the uploaded file via web browser. | 2026-01-27 | 8.8 | CVE-2020-36942 | ExploitDB-49310 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 – File Upload To RCE |
| vllm-project–vllm | vLLM is an inference and serving engine for large language models (LLMs). Prior to version 0.14.1, a Server-Side Request Forgery (SSRF) vulnerability exists in the `MediaConnector` class within the vLLM project’s multimodal feature set. The load_from_url and load_from_url_async methods obtain and process media from URLs provided by users, using different Python parsing libraries when restricting the target host. These two parsing libraries have different interpretations of backslashes, which allows the host name restriction to be bypassed. This allows an attacker to coerce the vLLM server into making arbitrary requests to internal network resources. This vulnerability is particularly critical in containerized environments like `llm-d`, where a compromised vLLM pod could be used to scan the internal network, interact with other pods, and potentially cause denial of service or access sensitive data. For example, an attacker could make the vLLM pod send malicious requests to an internal `llm-d` management endpoint, leading to system instability by falsely reporting metrics like the KV cache state. Version 0.14.1 contains a patch for the issue. | 2026-01-27 | 7.1 | CVE-2026-24779 | https://github.com/vllm-project/vllm/security/advisories/GHSA-qh4c-xf7m-gxfc https://github.com/vllm-project/vllm/pull/32746 https://github.com/vllm-project/vllm/commit/f46d576c54fb8aeec5fc70560e850bed38ef17d7 |
| WEBDAMN.COM–WebDamn User Registration & Login System with User Panel | WebDamn User Registration Login System contains a SQL injection vulnerability that allows unauthenticated attackers to bypass login authentication by manipulating email credentials. Attackers can inject the payload ‘<email>’ OR ‘1’=’1′ in both username and password fields to gain unauthorized access to the user panel. | 2026-01-28 | 8.2 | CVE-2020-36945 | ExploitDB-49170 Vendor Homepage Software Product Page VulnCheck Advisory: WebDamn User Registration & Login System with User Panel – SQLi Auth Bypass |
| Weird Solutions–DHCP Turbo | DHCP Turbo 4.61298 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code by exploiting the service binary path. Attackers can place malicious executables in the service path to gain elevated privileges when the service starts. | 2026-02-01 | 7.8 | CVE-2020-37062 | ExploitDB-48080 Vendor Homepage VulnCheck Advisory: DHCP Turbo 4.6.1298- ‘DHCP Turbo 4’ Unquoted Service Path |
| Weird-Solutions–BOOTP Turbo | BOOTP Turbo 2.0.1214 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted executable path to inject malicious code that will be executed when the service starts with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37061 | ExploitDB-48078 Vendor Homepage VulnCheck Advisory: BOOTP Turbo 2.0.1214 – ‘BOOTP Turbo’ Unquoted Service Path |
| Weird-Solutions–TFTP Turbo | TFTP Turbo 4.6.1273 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-01 | 7.8 | CVE-2020-37063 | ExploitDB-48085 Vendor Homepage VulnCheck Advisory: TFTP Turbo 4.6.1273 – ‘TFTP Turbo 4’ Unquoted Service Path |
| WellChoose–Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1427 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| WellChoose–Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has an OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the server. | 2026-01-26 | 8.8 | CVE-2026-1428 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| Wibu–CodeMeter | CodeMeter 6.60 contains an unquoted service path vulnerability that allows local users to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the CodeMeter Runtime Server service to inject malicious code that would execute with LocalSystem permissions. | 2026-01-29 | 7.8 | CVE-2020-37017 | ExploitDB-48735 CodeMeter Runtime Product Homepage VulnCheck Advisory: CodeMeter 6.60 – ‘CodeMeter.exe’ Unquoted Service Path |
| WinAVR–WinAVR | WinAVR version 20100110 contains an insecure permissions vulnerability that allows authenticated users to modify system files and executables. Attackers can leverage the overly permissive access controls to potentially modify critical DLLs and executable files in the WinAVR installation directory. | 2026-01-27 | 8.8 | CVE-2020-36938 | ExploitDB-49379 WinAVR Official Project Homepage VulnCheck Advisory: WinAVR Version 20100110 – Insecure Folder Permissions |
| WinFrigate–Frigate 2 | Frigate 2.02 contains a denial of service vulnerability that allows attackers to crash the application by sending oversized input to the command line interface. Attackers can generate a payload of 8000 repeated characters and paste it into the application’s command line field to trigger an application crash. | 2026-01-30 | 7.5 | CVE-2020-37039 | ExploitDB-48613 Archived Vendor Homepage VulnCheck Advisory: Frigate 2.02 – Denial Of Service |
| WinFrigate–Frigate 3 Professional | Frigate Professional 3.36.0.9 contains a local buffer overflow vulnerability in the ‘Find Computer’ feature that allows attackers to execute arbitrary code by overflowing the computer name input field. Attackers can craft a malicious payload that triggers a buffer overflow, enabling code execution and launching calculator as a proof of concept. | 2026-01-30 | 8.4 | CVE-2020-37042 | ExploitDB-48579 Archived Vendor Homepage VulnCheck Advisory: Frigate Professional 3.36.0.9 – ‘Find Computer’ Local Buffer Overflow |
| WinFrigate–Frigate 3 Professional | Frigate 3.36.0.9 contains a local buffer overflow vulnerability in the Command Line input field that allows attackers to execute arbitrary code. Attackers can craft a malicious payload to overflow the buffer, bypass DEP, and execute commands like launching calc.exe through a specially crafted input sequence. | 2026-01-30 | 8.4 | CVE-2020-37049 | ExploitDB-48563 Archived Vendor Homepage VulnCheck Advisory: Frigate 3.36.0.9 – ‘Command Line’ Local Buffer Overflow |
| Wing FTP Server–Wing FTP Server | Wing FTP Server 6.3.8 contains a remote code execution vulnerability in its Lua-based web console that allows authenticated users to execute system commands. Attackers can leverage the console to send POST requests with malicious commands that trigger operating system execution through the os.execute() function. | 2026-01-30 | 8.8 | CVE-2020-37032 | ExploitDB-48676 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.3.8 – Remote Code Execution |
| Wondershare–Wondershare Driver Install Service help | Wondershare Driver Install Service contains an unquoted service path vulnerability in the ElevationService executable that allows local attackers to potentially inject malicious code. Attackers can exploit the unquoted path to replace the service binary with a malicious executable, enabling privilege escalation to LocalSystem account. | 2026-01-27 | 7.8 | CVE-2020-36977 | ExploitDB-49101 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Driver Install Service help 10.7.1.321 – ‘ElevationService’ Unquote Service Path |
| wpcreatix–VidShop Shoppable Videos for WooCommerce | The VidShop – Shoppable Videos for WooCommerce plugin for WordPress is vulnerable to time-based SQL Injection via the ‘fields’ parameter in all versions up to, and including, 1.1.4 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-28 | 7.5 | CVE-2026-0702 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a61d8d2a-742f-45f1-9146-f733b80ef195?source=cve https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L224 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/rest-api/v1/class-videos-controller.php#L297 https://plugins.trac.wordpress.org/browser/vidshop-for-woocommerce/trunk/includes/utils/class-query-builder.php#L778 https://plugins.trac.wordpress.org/changeset/3441106/ |
| yoyofr–modizer | Integer Overflow or Wraparound vulnerability in yoyofr modizer. This issue affects modizer: before 4.1.1. | 2026-01-27 | 7.8 | CVE-2026-24875 | https://github.com/yoyofr/modizer/pull/133 |
| zalando–skipper | Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper’s network access to reach internal services. Version 0.24.0 disables Kubernetes ExternalName by default. As a workaround, developers can allow list targets of an ExternalName and allow list via regular expressions. | 2026-01-26 | 8.1 | CVE-2026-24470 | https://github.com/zalando/skipper/security/advisories/GHSA-mxxc-p822-2hx9 https://github.com/zalando/skipper/commit/a4c87ce029a58eb8e1c2c1f93049194a39cf6219 https://kubernetes.io/docs/concepts/services-networking/service/#externalname |
| Zortam.com–Zortam Mp3 Media Studio | Zortam Mp3 Media Studio 27.60 contains a buffer overflow vulnerability in the library creation file selection process that allows remote code execution. Attackers can craft a malicious text file with shellcode to trigger a structured exception handler (SEH) overwrite and execute arbitrary commands on the target system. | 2026-01-28 | 9.8 | CVE-2020-36967 | ExploitDB-49084 Zortam Official Homepage Zortam Software Download Page VulnCheck Advisory: Zortam Mp3 Media Studio 27.60 – Remote Code Execution (SEH) |

Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| 2100 Technology–Official Document Management System | Official Document Management System developed by 2100 Technology has an Incorrect Authorization vulnerability, allowing authenticated remote attackers to modify front-end code to read all official documents. | 2026-01-28 | 6.5 | CVE-2026-1514 | https://www.twcert.org.tw/tw/cp-132-10658-c5a07-1.html https://www.twcert.org.tw/en/cp-139-10659-264cd-2.html |
| Adikiss–Sistem Informasi Pengumuman Kelulusan Online | Sistem Informasi Pengumuman Kelulusan Online 1.0 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized admin users through the tambahuser.php endpoint. Attackers can craft a malicious HTML form to submit admin credentials and create new administrative accounts without the victim’s consent. | 2026-01-30 | 5.3 | CVE-2020-37046 | ExploitDB-48571 Vendor Homepage Software Download Page VulnCheck Advisory: Sistem Informasi Pengumuman Kelulusan Online 1.0 – Cross-Site Request Forgery |
| ajay138–Knap Advanced PHP Login | Knap Advanced PHP Login 3.1.3 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script code in the name parameter. Attackers can exploit the vulnerability to execute arbitrary scripts in users and activity log backend modules, potentially leading to session hijacking and persistent phishing attacks. | 2026-02-01 | 6.4 | CVE-2022-50940 | Vulnerability Lab Advisory Laravel & Vue.js VulnCheck Advisory: Knap Advanced PHP Login 3.1.3 Persistent Cross-Site Scripting via Name Parameter |
| Akın Software Computer Import Export Industry and Trade Ltd.–QR Menu | Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation. This issue affects QR Menu: before s1.05.12. | 2026-01-29 | 5.7 | CVE-2025-7015 | https://www.usom.gov.tr/bildirim/tr-26-0006 |
| Author: Scott Ferreira–Free Photo & Video Vault – WiFi Transfer | Free Photo & Video Vault 0.0.2 contains a directory traversal web vulnerability that allows remote attackers to manipulate application path requests and access sensitive system files. Attackers can exploit the vulnerability without privileges to retrieve environment variables and access unauthorized system paths. | 2026-02-01 | 6.5 | CVE-2021-47921 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Free Photo & Video Vault 0.0.2 Directory Traversal Vulnerability via Web Request |
| ays-pro–Popup Box Create Countdown, Coupon, Video, Contact Form Popups | The Popup Box plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 6.1.1. This is due to a flawed nonce implementation in the ‘publish_unpublish_popupbox’ function that verifies a self-created nonce rather than one submitted in the request. This makes it possible for unauthenticated attackers to change the publish status of popups via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-01-31 | 4.3 | CVE-2026-1165 | https://www.wordfence.com/threat-intel/vulnerabilities/id/585a9eb4-f394-4cb2-9050-659171a994d9?source=cve https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/admin/partials/ays-pb-admin-display.php#L22 https://plugins.trac.wordpress.org/browser/ays-popup-box/tags/6.1.0/includes/lists/class-ays-pb-list-table.php#L701 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3439514@ays-popup-box/tags/6.1.1/&new=3444612@ays-popup-box/tags/6.1.2/ |
| B&R Industrial Automation GmbH–Process Visualization Interface (PVI) | An Insertion of Sensitive Information into Log File vulnerability in B&R PVI client versions prior to 6.5 may be abused by an authenticated local attacker to gather credential information which is processed by the PVI client application. The logging function of the PVI client application is disabled by default and must be explicitly enabled by the user. | 2026-01-29 | 5 | CVE-2026-0936 | https://www.br-automation.com/fileadmin/SA26P001-2862434c.pdf |
| backstage–backstage | Backstage is an open framework for building developer portals, and @backstage/plugin-techdocs-node provides common node.js functionalities for TechDocs. In versions of @backstage/plugin-techdocs-node prior to 1.13.11 and 1.14.1, a path traversal vulnerability in the TechDocs local generator allows attackers to read arbitrary files from the host filesystem when Backstage is configured with `techdocs.generator.runIn: local`. When processing documentation from untrusted sources, symlinks within the docs directory are followed by MkDocs during the build process. File contents are embedded into generated HTML and exposed to users who can view the documentation. This vulnerability is fixed in `@backstage/plugin-techdocs-node` versions 1.13.11 and 1.14.1. Some workarounds are available. Switch to `runIn: docker` in `app-config.yaml` and/or restrict write access to TechDocs source repositories to trusted users only. | 2026-01-30 | 5.3 | CVE-2026-25152 | https://github.com/backstage/backstage/security/advisories/GHSA-w669-jj7h-88m9 |
| Banco de Guayaquil–Banco Guayaquil | Banco Guayaquil 8.0.0 mobile iOS application contains a persistent cross-site scripting vulnerability in the TextBox Name Profile input. Attackers can inject malicious script code through a POST request that executes on application review without user interaction. | 2026-02-01 | 6.4 | CVE-2022-50952 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Banco Guayaquil 8.0.0 Mobile iOS Cross-Site Scripting via Profile Name Input |
| Bdtask–Bhojon All-In-One Restaurant Management System | A vulnerability was determined in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The affected element is an unknown function of the file /hungry/placeorder of the component Checkout. Executing a manipulation of the argument orggrandTotal/vat/service_charge/grandtotal can lead to business logic errors. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1599 | VDB-343361 | Bdtask Bhojon All-In-One Restaurant Management System Checkout placeorder logic error VDB-343361 | CTI Indicators (IOB, IOC, IOA) Submit #740740 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/13 https://www.youtube.com/watch?v=n7xLBAOrKAU |
| Bdtask–Bhojon All-In-One Restaurant Management System | A vulnerability was identified in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. The impacted element is an unknown function of the file /hungry/addtocart of the component Add-to-Cart Submission Endpoint. The manipulation of the argument price/allprice leads to business logic errors. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 4.3 | CVE-2026-1600 | VDB-343362 | Bdtask Bhojon All-In-One Restaurant Management System Add-to-Cart Submission Endpoint addtocart logic error VDB-343362 | CTI Indicators (IOB, IOC, IOA) Submit #740741 | Bdtask Bhojon All-In-One Restaurant Management System latest Business Logic Errors https://github.com/4m3rr0r/PoCVulDb/issues/14 https://www.youtube.com/watch?v=UESZTjVS4Fs |
| Bdtask–SalesERP | A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument ci_session leads to improper authorization. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1597 | VDB-343359 \| Bdtask SalesERP Administrative Endpoint improper authorization VDB-343359 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740735 \| Bdtask SalesERP — AI-Powered ERP Software For Small Business Unknown Broken Access Control / Privilege Escalation https://github.com/4m3rr0r/PoCVulDb/issues/11 https://www.youtube.com/watch?v=KSducixS3pk |
| Beckhoff Automation–Beckhoff.Device.Manager.XAR | A low privileged remote attacker may be able to disclose confidential information from the memory of a privileged process by sending specially crafted calls to the Device Manager web service that cause an out-of-bounds read operation under certain circumstances due to ASLR and thereby potentially copy confidential information into a response. | 2026-01-27 | 5.3 | CVE-2025-41728 | https://certvde.com/de/advisories/VDE-2025-092 |
| Beetel–777VR1 | A vulnerability was detected in Beetel 777VR1 up to 01.00.09/01.00.09_55. Impacted is an unknown function of the component UART Interface. The manipulation results in missing authentication. An attack on the physical device is feasible. This attack is characterized by high complexity. The exploitability is considered difficult. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.4 | CVE-2026-1410 | VDB-342799 \| Beetel 777VR1 UART missing authentication VDB-342799 \| CTI Indicators (IOB, IOC) Submit #739433 \| Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-306” Missing Authentication for Critical Function https://gist.github.com/raghav20232023/96a6b13ab00c493d21362e744627ea9f |
| Beetel–777VR1 | A flaw has been found in Beetel 777VR1 up to 01.00.09/01.00.09_55. The affected element is an unknown function of the component UART Interface. This manipulation causes improper access controls. It is feasible to perform the attack on the physical device. The complexity of an attack is rather high. The exploitability is described as difficult. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-26 | 6.1 | CVE-2026-1411 | VDB-342800 \| Beetel 777VR1 UART access control VDB-342800 \| CTI Indicators (IOB, IOC, TTP) Submit #740674 \| Beetel Beetel 777VR1 Broadband Router Firmware Versions: V01.00.09 / V01.00.09_55 CWE-284” Improper Access Control https://gist.github.com/raghav20232023/ea6adcd6d1eca35683570a1094164bd3 |
| bfintal–Interactions Create Interactive Experiences in the Block Editor | The Interactions – Create Interactive Experiences in the Block Editor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via event selectors in all versions up to, and including, 1.3.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-12709 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab97f125-3a4a-4293-b218-07586c1c021c?source=cve https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448073%40interactions&new=3448073%40interactions |
| birkir–prime | birkir prime <= 0.4.0.beta.0 contains a cross-site request forgery vulnerability in its GraphQL endpoint that allows attackers to exploit GET-based query requests. Attackers can craft malicious GET requests to trigger unauthorized actions against privileged users by manipulating GraphQL query parameters. | 2026-01-29 | 5.3 | CVE-2025-15550 | GitHub Issue #547 VulnCheck Advisory: birkir prime <= 0.4.0.beta.0 – Cross-Site Request Forgery in GraphQL |
| bobthecow–psysh | PsySH is a runtime developer console, interactive debugger, and REPL for PHP. Prior to versions 0.11.23 and 0.12.19, PsySH automatically loads and executes a `.psysh.php` file from the Current Working Directory (CWD) on startup. If an attacker can write to a directory that a victim later uses as their CWD when launching PsySH, the attacker can trigger arbitrary code execution in the victim’s context. When the victim runs PsySH with elevated privileges (e.g., root), this results in local privilege escalation. This is a CWD configuration poisoning issue leading to arbitrary code execution in the victim user’s context. If a privileged user (e.g., root, a CI runner, or an ops/debug account) launches PsySH with CWD set to an attacker-writable directory containing a malicious `.psysh.php`, the attacker can execute commands with that privileged user’s permissions, resulting in local privilege escalation. Downstream consumers that embed PsySH inherit this risk. For example, Laravel Tinker (`php artisan tinker`) uses PsySH. If a privileged user runs Tinker while their shell is in an attacker-writable directory, the `.psysh.php` auto-load behavior can be abused in the same way to execute attacker-controlled code under the victim’s privileges. Versions 0.11.23 and 0.12.19 patch the issue. | 2026-01-30 | 6.7 | CVE-2026-25129 | https://github.com/bobthecow/psysh/security/advisories/GHSA-4486-gxhx-5mg7 https://github.com/bobthecow/psysh/releases/tag/v0.11.23 https://github.com/bobthecow/psysh/releases/tag/v0.12.19 |
| bolo-solo–bolo-solo | A vulnerability has been found in bolo-solo up to 2.6.4. This impacts the function importMarkdownsSync of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component SnakeYAML. Such manipulation leads to deserialization. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1691 | VDB-343485 \| bolo-solo SnakeYAML BackupService.java importMarkdownsSync deserialization VDB-343485 \| CTI Indicators (IOB, IOC, IOA) Submit #741899 \| bolo-solo V2.6.4 SnakeYAML deserialization vulnerability https://github.com/bolo-blog/bolo-solo/issues/325 https://github.com/bolo-blog/bolo-solo/issues/325#issue-3828755519 |
| bplugins–Document Embedder Embed PDFs, Word, Excel, and Other Files | The Document Embedder – Embed PDFs, Word, Excel, and Other Files plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 2.0.4. This is due to the plugin not verifying that a user has permission to access the requested resource in the ‘bplde_save_document_library’, ‘bplde_get_single’, and ‘bplde_delete_document_library’ AJAX actions. This makes it possible for authenticated attackers, with Author-level access and above, to read, modify, and delete Document Library entries created by other users, including administrators, via the ‘id’ parameter. | 2026-01-28 | 5.3 | CVE-2026-1389 | https://www.wordfence.com/threat-intel/vulnerabilities/id/59d14f6c-6286-454c-8629-96a0c2de943c?source=cve https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L66 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L103 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.3/includes/DocumentLibrary/Init-DocumentLibrary.php#L159 https://plugins.trac.wordpress.org/browser/document-emberdder/tags/2.0.5/includes/DocumentLibrary/Init-DocumentLibrary.php |
| Broadcom–Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to an Elevation of Privilege vulnerability, which is a type of issue whereby an attacker may attempt to compromise the software application to gain elevated access to resources that are normally protected from an application or user. | 2026-01-28 | 6.7 | CVE-2025-13918 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Broadcom–Symantec Endpoint Protection Windows Client | Symantec Endpoint Protection, prior to 14.3 RU10 Patch 1, RU9 Patch 2, and RU8 Patch 3, may be susceptible to a COM Hijacking vulnerability, which is a type of issue whereby an attacker attempts to establish persistence and evade detection by hijacking COM references in the Windows Registry. | 2026-01-28 | 4.4 | CVE-2025-13919 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36774 |
| Brother Industries, Ltd.–Multiple MFPs | Hidden functionality issue exists in multiple MFPs provided by Brother Industries, Ltd., which may allow an attacker to obtain the logs of the affected product and obtain sensitive information within the logs. | 2026-01-29 | 5.3 | CVE-2025-55704 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://jvn.jp/en/vu/JVNVU92878805/ |
| Bun–Bun | In Bun before 1.3.5, the default trusted dependencies list (aka trust allow list) can be spoofed by a non-npm package in the case of a matching name (for file, link, git, or github). | 2026-01-27 | 5.9 | CVE-2026-24910 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://bun.com/blog/bun-v1.3.5 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| chainguard-dev–malcontent | malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 0.10.0 and prior to version 1.20.3, malcontent could be made to expose Docker registry credentials if it scanned a specially crafted OCI image reference. malcontent uses google/go-containerregistry for OCI image pulls, which by default uses the Docker credential keychain. A malicious registry could return a `WWW-Authenticate` header redirecting token authentication to an attacker-controlled endpoint, causing credentials to be sent to that endpoint. Version 1.20.3 fixes the issue by defaulting to anonymous auth for OCI pulls. | 2026-01-29 | 6.5 | CVE-2026-24845 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-9m43-p3cx-w8j5 https://github.com/chainguard-dev/malcontent/commit/538ed00cdc639d687a4bd1e843a2be0428a3b3e7 |
| chainguard-dev–malcontent | malcontent discovers supply-chain compromises through context, differential analysis, and YARA. Starting in version 1.8.0 and prior to version 1.20.3, malcontent could be made to create symlinks outside the intended extraction directory when scanning a specially crafted tar or deb archive. The `handleSymlink` function received arguments in the wrong order, causing the symlink target to be used as the symlink location. Additionally, symlink targets were not validated to ensure they resolved within the extraction directory. Version 1.20.3 introduces fixes that swap handleSymlink arguments, validate symlink location, and validate symlink targets that resolve within an extraction directory. | 2026-01-29 | 5.5 | CVE-2026-24846 | https://github.com/chainguard-dev/malcontent/security/advisories/GHSA-923j-vrcg-hxwh https://github.com/chainguard-dev/malcontent/commit/259fca5abc004f3ab238895463ef280a87f30e96 https://github.com/chainguard-dev/malcontent/commit/a7dd8a5328ddbaf235568437813efa7591e00017 |
| chrisnowak–Change WP URL | The Change WP URL plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the ‘change-wp-url’ page. This makes it possible for unauthenticated attackers to change the WP Login URL via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1398 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f5dead05-5960-4ccb-89c2-c8bb0cd9c9e9?source=cve https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L18 https://plugins.trac.wordpress.org/browser/change-wp-url/trunk/change-wp-url.php#L85 https://plugins.trac.wordpress.org/browser/change-wp-url/tags/1.0/change-wp-url.php#L85 |
| code-projects–Online Examination System | A vulnerability was determined in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file /admin_pic.php. Executing a manipulation can lead to unrestricted upload. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1423 | VDB-342839 \| code-projects Online Examination System admin_pic.php unrestricted upload VDB-342839 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736607 \| code-projects Online Examination System 1 Unrestricted Upload https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-3-remote-code-execution-via-unsafe-file-upload https://code-projects.org/ |
| code-projects–Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. The impacted element is an unknown function of the file /Administrator/PHP/AdminAddCategory.php. The manipulation results in sql injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 4.7 | CVE-2026-1533 | VDB-343219 \| code-projects Online Music Site AdminAddCategory.php sql injection VDB-343219 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738704 \| Code-Projects ONLINE MUSIC SITE V1.0 SQL injection https://github.com/yuji0903/silver-guide/issues/2 https://code-projects.org/ |
| codeccoop–Forms Bridge Infinite integrations | The Forms Bridge – Infinite integrations plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘id’ shortcode attribute in the ‘financoop_campaign’ shortcode in all versions up to, and including, 4.2.5. This is due to insufficient input sanitization and output escaping on the user-supplied ‘id’ parameter in the forms_bridge_financoop_shortcode_error function. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1244 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3e047822-5766-4e7f-be89-f4a15f0e6d51?source=cve https://plugins.trac.wordpress.org/browser/forms-bridge/trunk/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/browser/forms-bridge/tags/4.2.3/addons/financoop/shortcodes.php#L389 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3446693%40forms-bridge&new=3446693%40forms-bridge&sfp_email=&sfph_mail=#file1 |
| codepeople–Appointment Hour Booking Booking Calendar | The Appointment Hour Booking – Booking Calendar plugin for WordPress is vulnerable to Stored Cross-Site Scripting via form field configuration parameters in all versions up to, and including, 1.5.60 due to insufficient input sanitization and output escaping on the ‘Min length/characters’ and ‘Max length/characters’ field configuration values. This makes it possible for authenticated attackers, with administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the form builder interface. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1083 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a5cb1fea-134f-4c81-8f2f-76ee42df7f77?source=cve https://plugins.trac.wordpress.org/browser/appointment-hour-booking/trunk/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/browser/appointment-hour-booking/tags/1.5.57/js/fields-admin/01_fbuilder.ftext.js#L64 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442650%40appointment-hour-booking&new=3442650%40appointment-hour-booking&sfp_email=&sfph_mail= |
| CriticalGears–PayPal PRO Payment Terminal | Multiple payment terminal versions contain non-persistent cross-site scripting vulnerabilities in billing and payment information input fields. Attackers can inject malicious script code through vulnerable parameters to manipulate client-side requests and potentially execute session hijacking or phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47885 | Vulnerability Lab Advisory Product Homepage Product Homepage Product Homepage VulnCheck Advisory: Payment Terminal Multiple Versions Non-Persistent Cross-Site Scripting |
| crmperks–Database for Contact Form 7, WPforms, Elementor forms | The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to authorization bypass due to missing capability checks on the CSV export functionality in all versions up to, and including, 1.4.5. This makes it possible for unauthenticated attackers to download sensitive form submission data containing personally identifiable information (PII) by accessing the CSV export endpoint with an export key that is exposed in publicly accessible page source code. The vulnerability is created because while the shortcode properly filters displayed entries by user, the CSV export handler completely bypasses this filtering and exports all entries regardless of user permissions. | 2026-01-28 | 5.3 | CVE-2026-0825 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4048ae11-fece-42aa-baf3-c636c4875635?source=cve https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/tags/1.4.5/contact-form-entries.php#L76 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/contact-form-entries.php#L301 https://plugins.trac.wordpress.org/browser/contact-form-entries/trunk/templates/leads-table.php#L10 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442962%40contact-form-entries&new=3442962%40contact-form-entries&sfp_email=&sfph_mail= |
| D-Link–DCS700l | A weakness has been identified in D-Link DCS700l 1.03.09. Affected is an unknown function of the file /setDayNightMode of the component Web Form Handler. Executing a manipulation of the argument LightSensorControl can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-26 | 4.7 | CVE-2026-1419 | VDB-342815 \| D-Link DCS700l Web Form setDayNightMode command injection VDB-342815 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736554 \| D-Link DCS700l v1.03.09 Command Injection https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Command-Injection-Vulnerability-in-LightSensorControl-Parameter-2e6b5c52018a80ada0f6d7e72efd7a45?source=copy_link https://www.dlink.com/ |
| D-Link–DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. Impacted is the function sub_41E2A0 of the file /goform/set_mode. Performing a manipulation of the argument lan_gateway results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 6.3 | CVE-2026-1544 | VDB-343228 \| D-Link DIR-823X set_mode sub_41E2A0 os command injection VDB-343228 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739155 \| D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/16 https://www.dlink.com/ |
| D-Link–DWR-M961 | A flaw has been found in D-Link DWR-M961 1.1.47. This vulnerability affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-01-29 | 6.3 | CVE-2026-1596 | VDB-343358 \| D-Link DWR-M961 formLtefotaUpgradeQuectel sub_419920 command injection VDB-343358 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740693 \| D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/48 https://www.dlink.com/ |
| D-Link–DWR-M961 | A security vulnerability has been detected in D-Link DWR-M961 1.1.47. The affected element is an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-01-29 | 6.3 | CVE-2026-1624 | VDB-343383 \| D-Link DWR-M961 formLtefotaUpgradeFibocom command injection VDB-343383 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740770 \| D-Link DWR-M961 V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/50 https://www.dlink.com/ |
| D-Link–DWR-M961 | A vulnerability was detected in D-Link DWR-M961 1.1.47. The impacted element is the function sub_4250E0 of the file /boafrm/formSmsManage of the component SMS Message. Performing a manipulation of the argument action_value results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. | 2026-01-29 | 6.3 | CVE-2026-1625 | VDB-343384 \| D-Link DWR-M961 SMS Message formSmsManage sub_4250E0 command injection VDB-343384 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740792 \| D-Link DW V1.1.47 Command Injection https://github.com/QIU-DIE/CVE/issues/51 https://www.dlink.com/ |
| dcooney–Ajax Load More Infinite Scroll, Load More, & Lazy Load | The Ajax Load More – Infinite Scroll, Load More, & Lazy Load plugin for WordPress is vulnerable to unauthorized access of data due to incorrect authorization on the parse_custom_args() function in all versions up to, and including, 7.8.1. This makes it possible for unauthenticated attackers to expose the titles and excerpts of private, draft, pending, scheduled, and trashed posts. | 2026-01-31 | 5.3 | CVE-2025-15525 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d01f4e67-a463-4973-97b1-41a64398686a?source=cve https://plugins.trac.wordpress.org/browser/ajax-load-more/tags/7.8.1/core/classes/class-alm-queryargs.php#L500 |
| Dell–OpenManage Network Integration | Dell OpenManage Network Integration, versions prior to 3.9, contains an Improper Authentication vulnerability. A low privileged attacker with remote access could potentially exploit this vulnerability, leading to Information exposure. | 2026-01-29 | 4.3 | CVE-2026-22764 | https://www.dell.com/support/kbdoc/en-us/000420893/dsa-2026-045-security-update-for-dell-openmanage-network-integration-omni-vulnerabilities |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators with the `moderators_change_post_ownership` setting enabled can change ownership of posts in private messages and restricted categories they cannot access, then export their data to view the content. This is a broken access control vulnerability affecting sites that grant moderators post ownership transfer permissions. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. The patch adds visibility checks for both the topic and posts before allowing ownership transfer. As a workaround, disable the `moderators_change_post_ownership` site setting to prevent non-admin moderators from using the post ownership transfer feature. | 2026-01-28 | 6.9 | CVE-2025-68933 | https://github.com/discourse/discourse/security/advisories/GHSA-hpxv-mw7v-fqg2 |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, authenticated users can submit crafted payloads to /drafts.json that cause O(n^2) processing in Base62.decode, tying up workers for 35-60 seconds per request. This affects all users as the shared worker pool becomes exhausted. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. Lowering the max_draft_length site setting reduces attack surface but does not fully mitigate the issue, as payloads under the limit can still trigger the slow code path. | 2026-01-28 | 6.5 | CVE-2025-68934 | https://github.com/discourse/discourse/security/advisories/GHSA-vwjh-vrx9-9849 |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can convert some personal messages to public topics when they shouldn’t have access. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site admin can temporarily revoke the moderation role from untrusted moderators or remove the moderator group from the “personal message enabled groups” site setting until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | 6.5 | CVE-2026-21865 | https://github.com/discourse/discourse/security/advisories/GHSA-4777-wrv5-3g39 |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, non-admin moderators can view sensitive information in staff action logs that should be restricted to administrators only. The exposed information includes webhook payload URLs and secrets, API key details, site setting changes, private message content, restricted category names and structures, and private chat channel titles. This allows moderators to bypass intended access controls and extract confidential data by monitoring the staff action logs. With leaked webhook secrets, an attacker could potentially spoof webhook events to integrated services. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, site administrators should review and limit moderator appointments to fully trusted users. There is no configuration-based workaround to prevent this access. | 2026-01-28 | 6.5 | CVE-2026-24742 | https://github.com/discourse/discourse/security/advisories/GHSA-hwjv-9gqj-m7h6 |
| discourse–discourse | Discourse is an open source discussion platform. A vulnerability present in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 affects anyone who uses S3 for uploads. While scripts may be executed, they will only be run in the context of the S3/CDN domain, with no site credentials. Versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 fix the issue. As a workaround, disallow html or xml files for uploads in authorized_extensions. For existing html xml uploads, site owners can consider deleting them. | 2026-01-28 | 4.6 | CVE-2025-66488 | https://github.com/discourse/discourse/security/advisories/GHSA-68jp-3934-62rx |
| discourse–discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have a content-security-policy-mitigated cross-site scripting vulnerability on the Discourse Math plugin when using its KaTeX variant. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, the Discourse Math plugin can be disabled, or the Mathjax provider can be used instead of KaTeX. | 2026-01-28 | 4.6 | CVE-2025-67723 | https://github.com/discourse/discourse/security/advisories/GHSA-955h-m28g-5379 |
| discourse–discourse | Discourse is an open source discussion platform. Versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 have an application level denial of service vulnerability in the username change functionality at try.discourse.org. The vulnerability allows attackers to cause noticeable server delays and resource exhaustion by sending large JSON payloads to the username preference endpoint PUT /u//preferences/username, resulting in degraded performance for other users and endpoints. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | 4.3 | CVE-2025-68659 | https://github.com/discourse/discourse/security/advisories/GHSA-rmp6-c9rq-6q7p |
| dnnsoftware–Dnn.Platform | DNN (formerly DotNetNuke) is an open-source web content management platform (CMS) in the Microsoft ecosystem. Starting in version 9.0.0 and prior to versions 9.13.10 and 10.2.0, a content editor could inject scripts in module headers/footers that would run for other users. Versions 9.13.10 and 10.2.0 contain a fix for the issue. | 2026-01-27 | 6.8 | CVE-2026-24784 | https://github.com/dnnsoftware/Dnn.Platform/security/advisories/GHSA-jjwg-4948-6wxp |
| Dokploy–dokploy | Dokploy is a free, self-hostable Platform as a Service (PaaS). In versions prior to 0.26.6, the Dokploy web interface is vulnerable to Clickjacking attacks due to missing frame-busting headers. This allows attackers to embed Dokploy pages in malicious iframes and trick authenticated users into performing unintended actions. Version 0.26.6 patches the issue. | 2026-01-28 | 4.7 | CVE-2026-24839 | https://github.com/Dokploy/dokploy/security/advisories/GHSA-c94j-8wgf-2q9q https://github.com/Dokploy/dokploy/pull/3500 https://github.com/Dokploy/dokploy/commit/9714695d5a78fe24496f989ab81807ba04699df8 |
| Dolibarr–Dolibarr | Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows attackers to inject malicious scripts through multiple parameters. Attackers can exploit the host, slave, and port parameters in /dolibarr/admin/ldap.php to execute arbitrary JavaScript and potentially steal user cookie information. | 2026-01-30 | 6.4 | CVE-2020-36966 | ExploitDB-48504 Official Dolibarr Product Homepage VulnCheck Advisory: Dolibarr 11.0.3 – ‘ldap.php’ – Persistent Cross-Site Scripting |
| Eclipse Foundation–Eclipse ThreadX – USBX | The function _ux_host_class_storage_media_mount() is responsible for mounting partitions on a USB mass storage device. When it encounters an extended partition entry in the partition table, it recursively calls itself to mount the next logical partition. This recursion occurs in _ux_host_class_storage_partition_read(), which parses up to four partition entries. If an extended partition is found (with type UX_HOST_CLASS_STORAGE_PARTITION_EXTENDED or EXTENDED_LBA_MAPPED), the code invokes: _ux_host_class_storage_media_mount(storage, sector + _ux_utility_long_get(…)); There is no limit on the recursion depth or tracking of visited sectors. As a result, a malicious or malformed disk image can include cyclic or excessively deep chains of extended partitions, causing the function to recurse until stack overflow occurs. | 2026-01-27 | 4.2 | CVE-2025-55095 | https://github.com/eclipse-threadx/usbx/security/advisories/GHSA-qfmp-wch9-rpv2 |
| Esri–ArcGIS Pro | There is a Cross Site Scripting issue in Esri ArcGIS Pro versions 3.6.0 and earlier. A local attacker could supply malicious strings into ArcGIS Pro which may execute when a specific dialog is opened. This issue is fixed in ArcGIS Pro 3.6.1. | 2026-01-26 | 5 | CVE-2026-1446 | https://www.esri.com/arcgis-blog/products/arcgis-pro/administration/arcgis-pro-3-6-1-patch |
| EVerest–everest-core | EVerest is an EV charging software stack. In versions up to and including 2025.12.1, it is possible to bypass the sequence state verification including authentication, and send requests that transition to forbidden states relative to the current one, thereby updating the current context with illegitimate data. Thanks to the modular design of EVerest, authorization is handled in a separate module and EVSEManager Charger internal state machine cannot transition out of the `WaitingForAuthentication` state through ISO 15118-2 communication. From this state, it was however possible through ISO 15118-2 messages which are published to the MQTT server to trick it into preparing to charge, and even to prepare to send current. The final requirement to actually send current to the EV was the closure of the contactors, which does not appear to be possible without leaving the `WaitingForAuthentication` state and leveraging ISO 15118-2 messages. As of time of publication, no fixed versions are available. | 2026-01-26 | 4.3 | CVE-2026-24003 | https://github.com/EVerest/everest-core/security/advisories/GHSA-9vv5-67cv-9crq https://github.com/EVerest/everest-core/blob/main/modules/EVSE/EvseV2G/iso_server.cpp#L44 |
| Filigran–OpenCTI | OpenCTI 3.3.1 is vulnerable to a reflected cross-site scripting (XSS) attack via the /graphql endpoint. An attacker can inject arbitrary JavaScript code by sending a crafted GET request with a malicious payload in the query string, leading to execution of JavaScript in the victim’s browser. For example, a request to /graphql?’”–></style></scRipt><scRipt>alert(‘Raif_Berkay’)</scRipt> will trigger an alert. This vulnerability was discovered by Raif Berkay Dincel and confirmed on Linux Mint and Windows 10. | 2026-01-30 | 5.4 | CVE-2020-37044 | ExploitDB-48595 OpenCTI Official Homepage OpenCTI GitHub Repository VulnCheck Advisory: OpenCTI 3.3.1 – Cross Site Scripting |
| forma–E-Learning Suite | Forma.lms The E-Learning Suite 2.3.0.2 contains a persistent cross-site scripting vulnerability in multiple course and profile parameters. Attackers can inject malicious scripts in course code, name, description fields, and email parameter to execute arbitrary JavaScript without proper input sanitization. | 2026-01-30 | 6.4 | CVE-2020-36998 | ExploitDB-48478 Vendor Homepage Software Download Link VulnCheck Advisory: forma.lms The E-Learning Suite 2.3.0.2 – Persistent Cross-Site Scripting |
| Formalms–Forma LMS | Forma LMS 2.3 contains a stored cross-site scripting vulnerability that allows attackers to inject malicious scripts into user profile first and last name fields. Attackers can craft scripts like ‘<script>alert(document.cookie)</script>’ to execute arbitrary JavaScript when the profile is viewed by other users. | 2026-01-26 | 6.4 | CVE-2020-36960 | ExploitDB-49197 Official Product Website VulnCheck Advisory: Forma LMS 2.3 – ‘First & Last Name’ Stored Cross-Site Scripting |
| Free5GC–SMF | A flaw has been found in Free5GC SMF up to 4.1.0. Affected is the function HandlePfcpAssociationReleaseRequest of the file internal/pfcp/handler/handler.go of the component PFCP UDP Endpoint. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been published and may be used. A patch should be applied to remediate this issue. | 2026-01-30 | 5.3 | CVE-2026-1682 | VDB-343475 \| Free5GC SMF PFCP UDP Endpoint handler.go HandlePfcpAssociationReleaseRequest null pointer dereference VDB-343475 \| CTI Indicators (IOB, IOC, IOA) Submit #739508 \| free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/794 https://github.com/free5gc/free5gc/issues/794#issuecomment-3761063382 https://github.com/free5gc/free5gc/issues/794#issue-3811888505 https://github.com/free5gc/smf/pull/188 |
| Free5GC–SMF | A vulnerability has been found in Free5GC SMF up to 4.1.0. Affected by this vulnerability is the function HandlePfcpSessionReportRequest of the file internal/pfcp/handler/handler.go of the component PFCP. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. To fix this issue, it is recommended to deploy a patch. | 2026-01-30 | 5.3 | CVE-2026-1683 | VDB-343476 \| Free5GC SMF PFCP handler.go HandlePfcpSessionReportRequest denial of service VDB-343476 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739653 \| free5gc SMF v4.1.0 Denial of Service Submit #739654 \| free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/804 https://github.com/free5gc/free5gc/issues/804#issue-3816086696 https://github.com/free5gc/smf/pull/188 |
| Free5GC–SMF | A vulnerability was found in Free5GC SMF up to 4.1.0. Affected by this issue is the function HandleReports of the file /internal/context/pfcp_reports.go of the component PFCP UDP Endpoint. The manipulation results in denial of service. The attack can be executed remotely. It is advisable to implement a patch to correct this issue. | 2026-01-30 | 5.3 | CVE-2026-1684 | VDB-343477 \| Free5GC SMF PFCP UDP Endpoint pfcp_reports.go HandleReports denial of service VDB-343477 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739655 \| free5gc SMF v4.1.0 Denial of Service Submit #739656 \| free5gc SMF v4.1.0 Denial of Service (Duplicate) https://github.com/free5gc/free5gc/issues/806 https://github.com/free5gc/smf/pull/188 |
| Froxlor–Froxlor Froxlor Server Management Panel | Froxlor Server Management Panel 0.10.16 contains a persistent cross-site scripting vulnerability in customer registration input fields. Attackers can inject malicious scripts through username, name, and firstname parameters to execute code when administrators view customer traffic modules. | 2026-01-27 | 6.4 | CVE-2020-36978 | ExploitDB-49063 Official Froxlor Homepage Froxlor Download Page Vulnerability Lab Advisory Vulnerability Lab Profile Researcher Profile VulnCheck Advisory: Froxlor Froxlor Server Management Panel 0.10.16 – Persistent Cross-Site Scripting |
| Getgrav–Grav CMS Admin Plugin | Grav CMS 1.6.30 with Admin Plugin 1.9.18 contains a persistent cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the page title field. Attackers can create a new page with a malicious script in the title, which will be executed when the page is viewed in the admin panel or on the site. | 2026-01-26 | 6.4 | CVE-2020-36955 | ExploitDB-49264 Grav CMS Official Homepage VulnCheck Advisory: Grav CMS 1.6.30 Admin Plugin 1.9.18 – ‘Page Title’ Persistent Cross-Site Scripting |
| gi-docgen–gi-docgen | A flaw was found in gi-docgen. This vulnerability allows arbitrary JavaScript execution in the context of the page – enabling DOM access, session cookie theft and other client-side attacks – via a crafted URL that supplies a malicious value to the q GET parameter (reflected DOM XSS). | 2026-01-26 | 6.1 | CVE-2025-11687 | https://access.redhat.com/security/cve/CVE-2025-11687 RHBZ#2403536 https://gitlab.gnome.org/GNOME/gi-docgen/-/issues/228 |
| GitoxideLabs–gitoxide | A flaw was found in gix-date. The `gix_date::parse::TimeBuf::as_str` function can generate strings containing invalid non-UTF8 characters. This issue violates the internal safety invariants of the `TimeBuf` component, leading to undefined behavior when these malformed strings are subsequently processed. This could potentially result in application instability or other unforeseen consequences. | 2026-01-26 | 6.8 | CVE-2026-0810 | https://access.redhat.com/security/cve/CVE-2026-0810 RHBZ#2427057 https://crates.io/crates/gix-date https://github.com/GitoxideLabs/gitoxide/issues/2305 https://rustsec.org/advisories/RUSTSEC-2025-0140.html |
| Goautodial–GOautodial | GOautodial 4.0 contains a persistent cross-site scripting vulnerability that allows authenticated agents to inject malicious scripts through message subjects. Attackers can craft messages with embedded JavaScript that will execute when an administrator reads the message, potentially stealing session cookies or executing client-side attacks. | 2026-01-29 | 6.4 | CVE-2020-37018 | ExploitDB-48690 Official Vendor Homepage VulnCheck Advisory: GOautodial 4.0 – Persistent Cross-Site Scripting |
| GPAc–GPAC | A security vulnerability has been detected in GPAC up to 2.4.0. This affects the function gf_text_import_srt_bifs of the file src/scene_manager/text_to_bifs.c of the component SRT Subtitle Import. Such manipulation leads to out-of-bounds write. The attack needs to be performed locally. The exploit has been disclosed publicly and may be used. The name of the patch is 10c73b82cf0e367383d091db38566a0e4fe71772. It is best practice to apply a patch to resolve this issue. | 2026-01-26 | 5.3 | CVE-2026-1418 | VDB-342807 \| GPAC SRT Subtitle Import text_to_bifs.c gf_text_import_srt_bifs out-of-bounds write VDB-342807 \| CTI Indicators (IOB, IOC, IOA) Submit #736544 \| gpac v2.4.0 Out-of-bounds Write https://github.com/gpac/gpac/issues/3425 https://github.com/gpac/gpac/issues/3425#issue-3801961068 https://github.com/enocknt/gpac/commit/10c73b82cf0e367383d091db38566a0e4fe71772 |
| GuidoNeele–PDW File Browser | PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. Attackers can craft malicious URLs or rename files with XSS payloads to execute arbitrary JavaScript in victims’ browsers when they access the file browser. | 2026-01-28 | 5.4 | CVE-2020-36988 | ExploitDB-48947 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser <= v1.3 – Cross-Site Scripting (XSS) |
| halfdata–Stripe Green Downloads | Stripe Green Downloads WordPress Plugin 2.03 contains a persistent cross-site scripting vulnerability allowing remote attackers to inject malicious scripts in button label fields. Attackers can exploit input parameters to execute arbitrary scripts, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50797 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Stripe Green Downloads WordPress Plugin 2.03 Persistent XSS via Settings |
| HappyHackingSpace–gakido | Gakido is a Python HTTP client focused on browser impersonation and anti-bot evasion. A vulnerability was discovered in Gakido prior to version 0.1.1 that allowed HTTP header injection through CRLF (Carriage Return Line Feed) sequences in user-supplied header values and names. When making HTTP requests with user-controlled header values containing `\r\n` (CRLF), `\n` (LF), or `\x00` (null byte) characters, an attacker could inject arbitrary HTTP headers into the request. The fix in version 0.1.1 adds a `_sanitize_header()` function that strips `\r`, `\n`, and `\x00` characters from both header names and values before they are included in HTTP requests. | 2026-01-27 | 5.3 | CVE-2026-24489 | https://github.com/HappyHackingSpace/gakido/security/advisories/GHSA-gcgx-chcp-hxp9 https://github.com/HappyHackingSpace/gakido/commit/369c67e67c63da510c8a9ab021e54a92ccf1f788 https://github.com/HappyHackingSpace/gakido/releases/tag/v0.1.1-1bc6019 |
| HCLSoftware–BigFix Compliance | A sensitive information disclosure in HCL BigFix Compliance allows a remote attacker to access files under the WEB-INF directory, which may contain Java class files and configuration information, leading to unauthorized access to application internals. | 2026-01-28 | 5.3 | CVE-2023-37525 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128385 |
| HIKSEMI–HS-AFS-S1H1 | Due to inadequate access control, authenticated users of certain HIKSEMI NAS products can manipulate other users’ file resources without proper authorization. | 2026-01-30 | 4.3 | CVE-2026-22624 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI–HS-AFS-S1H1 | Improper handling of filenames in certain HIKSEMI NAS products may lead to the exposure of sensitive system files. | 2026-01-30 | 4.6 | CVE-2026-22625 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| HIKSEMI–HS-AFS-S1H1 | Due to insufficient input parameter validation on the interface, authenticated users of certain HIKSEMI NAS products can cause abnormal device behavior by crafting specific messages. | 2026-01-30 | 4.9 | CVE-2026-22626 | https://www.hiksemitech.com/en/hiksemi/support/security-advisory.html |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Cache Middleware contains an information disclosure vulnerability caused by improper handling of HTTP cache control directives. The middleware does not respect standard cache control headers such as `Cache-Control: private` or `Cache-Control: no-store`, which may result in private or authenticated responses being cached and subsequently exposed to unauthorized users. Version 4.11.7 has a patch for the issue. | 2026-01-27 | 5.3 | CVE-2026-24472 | https://github.com/honojs/hono/security/advisories/GHSA-6wqw-2p9w-4vw4 https://github.com/honojs/hono/commit/12c511745b3f1e7a3f863a23ce5f921c7fa805d1 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, IP Restriction Middleware in Hono is vulnerable to an IP address validation bypass. The `IPV4_REGEX` pattern and `convertIPv4ToBinary` function in `src/utils/ipaddr.ts` do not properly validate that IPv4 octet values are within the valid range of 0-255, allowing attackers to craft malformed IP addresses that bypass IP-based access controls. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | 4.8 | CVE-2026-24398 | https://github.com/honojs/hono/security/advisories/GHSA-r354-f388-2fhh https://github.com/honojs/hono/commit/edbf6eea8e6c26a3937518d4ed91d8666edeec37 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, a Cross-Site Scripting (XSS) vulnerability exists in the `ErrorBoundary` component of the hono/jsx library. Under certain usage patterns, untrusted user-controlled strings may be rendered as raw HTML, allowing arbitrary script execution in the victim’s browser. Version 4.11.7 patches the issue. | 2026-01-27 | 4.7 | CVE-2026-24771 | https://github.com/honojs/hono/security/advisories/GHSA-9r54-q6cx-xmh5 https://github.com/honojs/hono/commit/2cf60046d730df9fd0aba85178f3ecfe8212d990 |
| hu_chao–imwptip | The imwptip plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.1. This is due to missing nonce validation on the settings update functionality. This makes it possible for unauthenticated attackers to update the plugin’s settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1377 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0fe987f0-6887-4ad1-a748-eb987bb574fa?source=cve https://plugins.trac.wordpress.org/browser/imwptip/trunk/classes/imwptipadmin.php#L11 https://plugins.trac.wordpress.org/browser/imwptip/tags/1.1/classes/imwptipadmin.php#L11 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 is vulnerable to a denial of service as the server may crash when an authenticated user creates a specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-2668 | https://www.ibm.com/support/pages/node/7257518 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow an authenticated user to cause a denial of service using a specially crafted SQL statement including XML that performs uncontrolled recursion. | 2026-01-30 | 6.5 | CVE-2025-36001 | https://www.ibm.com/support/pages/node/7257616 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow an unauthenticated user to cause a denial of service due to excessive use of a global variable. | 2026-01-30 | 6.5 | CVE-2025-36009 | https://www.ibm.com/support/pages/node/7257623 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 is vulnerable to a denial of service as a trap may occur when selecting from certain types of tables. | 2026-01-30 | 6.5 | CVE-2025-36070 | https://www.ibm.com/support/pages/node/7257624 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow an authenticated user to cause a denial of service due to improper allocation of resources. | 2026-01-30 | 6.5 | CVE-2025-36098 | https://www.ibm.com/support/pages/node/7257629 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service when copying a large table containing XML data due to improper allocation of system resources. | 2026-01-30 | 6.2 | CVE-2025-36123 | https://www.ibm.com/support/pages/node/7257627 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.2 | CVE-2025-36353 | https://www.ibm.com/support/pages/node/7257632 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 under specific configuration of cataloged remote storage aliases could allow an authenticated user to execute unauthorized commands due to an authorization bypass vulnerability using a user-controlled key. | 2026-01-30 | 6.8 | CVE-2025-36365 | https://www.ibm.com/support/pages/node/7257665 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36366 | https://www.ibm.com/support/pages/node/7257681 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes DB2 Connect Server) 11.5.0 – 11.5.9 could allow an authenticated user to cause a denial of service when given a specially crafted query. | 2026-01-30 | 6.5 | CVE-2025-36387 | https://www.ibm.com/support/pages/node/7257690 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36407 | https://www.ibm.com/support/pages/node/7257692 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36423 | https://www.ibm.com/support/pages/node/7257694 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36424 | https://www.ibm.com/support/pages/node/7257695 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow a local user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-01-30 | 6.5 | CVE-2025-36427 | https://www.ibm.com/support/pages/node/7257696 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 is vulnerable to a denial of service as the server may crash under certain conditions with a specially crafted query with XML columns. | 2026-01-30 | 6.5 | CVE-2025-36442 | https://www.ibm.com/support/pages/node/7257698 |
| IBM–Db2 for Linux, UNIX and Windows | IBM Db2 for Linux, UNIX and Windows (includes Db2 Connect Server) 11.5.0 – 11.5.9 and 12.1.0 – 12.1.3 could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when the RPSCAN feature is enabled. | 2026-01-30 | 5.3 | CVE-2025-36428 | https://www.ibm.com/support/pages/node/7257697 |
| igniterealtime–Openfire | Openfire 4.6.0 contains a stored cross-site scripting vulnerability in the nodejs plugin that allows attackers to inject malicious scripts through the ‘path’ parameter. Attackers can craft a payload with script tags to execute arbitrary JavaScript in the context of administrative users viewing the nodejs configuration page. | 2026-01-26 | 6.4 | CVE-2020-36956 | ExploitDB-49229 Openfire GitHub Repository Openfire Software Downloads VulnCheck Advisory: Openfire 4.6.0 – ‘path’ Stored XSS |
| iJason-Liu–Books_Manager | A vulnerability was found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This vulnerability affects unknown code of the file controllers/books_center/upload_bookCover.php. Performing a manipulation of the argument book_cover results in unrestricted upload. The attack may be initiated remotely. The exploit has been made public and could be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. | 2026-01-26 | 4.7 | CVE-2026-1445 | VDB-342874 \| iJason-Liu Books_Manager upload_bookCover.php unrestricted upload VDB-342874 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736971 \| https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 File Upload https://blog.y1fan.work/2026/01/13/%E4%BB%BB%E6%84%8F%E6%96%87%E4%BB%B6%E4%B8%8A%E4%BC%A0getshell/ |
| ilias.de–ILIAS Learning Management System | ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. Attackers can inject a script that uses XMLHttpRequest to retrieve local file contents when the portfolio is exported to PDF. | 2026-01-28 | 4 | CVE-2020-36944 | ExploitDB-49148 ILIAS Official Vendor Homepage ILIAS GitHub Repository VulnCheck Advisory: ILIAS Learning Management System 4.3 – SSRF |
| Inciga–Inciga Web | Inciga Web 2.8.2 contains a client-side cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through the icinga.min.js file. Attackers can exploit the EventListener.handleEvent method to execute arbitrary scripts, potentially leading to session hijacking and non-persistent phishing attacks. | 2026-02-01 | 5.4 | CVE-2022-50942 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Inciga Web 2.8.2 Client-Side Cross-Site Scripting via EventListener |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, a heap buffer over-read occurs when the strlen() function attempts to read a non-null-terminated buffer, potentially leaking heap memory contents and causing application termination. This vulnerability affects users of the iccDEV library who process ICC color profiles. ICC Profile Injection vulnerabilities arise when user-controllable input is incorporated into ICC profile data or other structured binary blobs in an unsafe manner. Version 2.3.1.2 contains a fix for the issue. No known workarounds are available. | 2026-01-28 | 6.1 | CVE-2026-24852 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-q8g2-mp32-3j7f https://github.com/InternationalColorConsortium/iccDEV/pull/540 https://github.com/InternationalColorConsortium/iccDEV/commit/3092499cd4d0775f4a716b999899f9c26f9bc614 |
| Is-Daouda–is-Engine | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in Is-Daouda is-Engine. This issue affects is-Engine: before 3.3.4. | 2026-01-27 | 6.5 | CVE-2026-24829 | https://github.com/Is-Daouda/is-Engine/pull/7 |
| itsourcecode–School Management System | A weakness has been identified in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/course/controller.php. Executing a manipulation of the argument ID can lead to sql injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1551 | VDB-343247 \| itsourcecode School Management System controller.php sql injection VDB-343247 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740644 \| itsourcecode School Management System V1.0 SQL Injection Submit #740680 \| itsourcecode School Management System v1.0 SQL Injection (Duplicate) https://mega.nz/file/6cVwiA5A#BVwaxWlfeQCkkpHnuxPiMDZVb5qcYrsI6ftqdm_8mGk https://itsourcecode.com/ |
| iulia-cazan–Easy Replace Image | The Easy Replace Image plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.5.2. This is due to missing capability checks on the `image_replacement_from_url` function that is hooked to the `eri_from_url` AJAX action. This makes it possible for authenticated attackers, with Contributor-level access and above, to replace arbitrary image attachments on the site with images from external URLs, potentially enabling site defacement, phishing attacks, or content manipulation. | 2026-01-28 | 5.3 | CVE-2026-1298 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27332c13-c25f-47ec-980d-035fc35ce553?source=cve https://plugins.trac.wordpress.org/browser/easy-replace-image/trunk/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/browser/easy-replace-image/tags/3.5.2/easy-replace-image.php#L961 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447984%40easy-replace-image&new=3447984%40easy-replace-image&sfp_email=&sfph_mail= |
| jdwebdesigner–Affiliate Pro | Affiliate Pro 1.7 contains multiple reflected cross-site scripting vulnerabilities in the index module’s input fields. Attackers can inject malicious scripts through fullname, username, and email parameters to execute client-side attacks and manipulate browser requests. | 2026-02-01 | 5.4 | CVE-2021-47911 | Vulnerability Lab Advisory Product Homepage Product Homepage VulnCheck Advisory: Affiliate Pro 1.7 Reflected Cross-Site Scripting via Index Module |
| Jirafeau project–Jirafeau | Jirafeau normally prevents browser preview for text files due to the possibility that for example SVG and HTML documents could be exploited for cross site scripting. This was done by storing the MIME type of a file and allowing only browser preview for MIME types beginning with image (except for image/svg+xml, see CVE-2022-30110, CVE-2024-12326 and CVE-2025-7066), video and audio. However, it was possible to bypass this check by sending a manipulated HTTP request with an invalid MIME type like image. When doing the preview, the browser tries to automatically detect the MIME type resulting in detecting SVG and possibly executing JavaScript code. To prevent this, MIME sniffing is disabled by sending the HTTP header X-Content-Type-Options: nosniff. | 2026-01-28 | 6.1 | CVE-2026-1466 | https://gitlab.com/jirafeau/Jirafeau/-/commit/747afb20bfcff14bb67e40e7035d47a6311ba3e1 https://www.cve.org/CVERecord?id=CVE-2022-30110 https://www.cve.org/CVERecord?id=CVE-2024-12326 https://www.cve.org/CVERecord?id=CVE-2025-7066 |
| jishenghua–jshERP | A security vulnerability has been detected in jishenghua jshERP up to 3.6. The impacted element is the function getBillItemByParam of the file /jshERP-boot/depotItem/importItemExcel of the component com.jsh.erp.datasource.mappers.DepotItemMapperEx. The manipulation of the argument barCodes leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 6.3 | CVE-2026-1546 | VDB-343230 \| jishenghua jshERP com.jsh.erp.datasource.mappers.DepotItemMapperEx importItemExcel getBillItemByParam sql injection VDB-343230 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739688 \| https://github.com/jishenghua/jshERP jshERP v3.6 SQL Injection https://github.com/jishenghua/jshERP/issues/145 https://github.com/jishenghua/jshERP/issues/145#issue-3816930151 https://github.com/jishenghua/jshERP/ |
| jishenghua–jshERP | A vulnerability was identified in jishenghua jshERP up to 3.6. Affected by this vulnerability is an unknown functionality of the file /jshERP-boot/plugin/uploadPluginConfigFile of the component PluginController. Such manipulation of the argument configFile leads to path traversal. The attack may be launched remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-28 | 4.3 | CVE-2026-1549 | VDB-343245 \| jishenghua jshERP PluginController uploadPluginConfigFile path traversal VDB-343245 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739805 \| https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/146 https://github.com/jishenghua/jshERP/issues/146#issue-3817997461 https://github.com/jishenghua/jshERP/ |
| Laravel Holdings Inc.–Laravel Nova | Laravel Nova 3.7.0 contains a denial of service vulnerability that allows authenticated users to crash the application by manipulating the ‘range’ parameter. Attackers can send simultaneous requests with an extremely high range value to overwhelm and crash the server. | 2026-01-27 | 6.5 | CVE-2020-36950 | ExploitDB-49198 Laravel Nova Official Homepage Laravel Nova Releases Page VulnCheck Advisory: Laravel Nova 3.7.0 – ‘range’ DoS |
| libexpat project–libexpat | In libexpat before 2.7.4, the doContent function does not properly determine the buffer size bufSize because there is no integer overflow check for tag buffer reallocation. | 2026-01-30 | 6.9 | CVE-2026-25210 | https://github.com/libexpat/libexpat/pull/1075 https://github.com/libexpat/libexpat/pull/1075/commits/9c2d990389e6abe2e44527eeaa8b39f16fe859c7 |
| Limesurvey–LimeSurvey | LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. Attackers can inject malicious SVG scripts through the Surveymenu[title] and Surveymenu[parent_id] parameters to execute arbitrary JavaScript in administrative contexts. | 2026-01-28 | 6.4 | CVE-2020-36993 | ExploitDB-48762 LimeSurvey Official Website LimeSurvey Patch Commit VulnCheck Advisory: LimeSurvey <= 4.3.10 – ‘Survey Menu’ Persistent Cross-Site Scripting |
| linknacional–Link Invoice Payment for WooCommerce | The Link Invoice Payment for WooCommerce plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the createPartialPayment and cancelPartialPayment functions in all versions up to, and including, 2.8.0. This makes it possible for unauthenticated attackers to create partial payments on any order or cancel any existing partial payment via ID enumeration. | 2026-01-27 | 5.3 | CVE-2025-14971 | https://www.wordfence.com/threat-intel/vulnerabilities/id/96a8fc8b-6f0a-486c-89d1-7211b4ca31bd?source=cve https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L19 https://plugins.trac.wordpress.org/browser/invoice-payment-for-woocommerce/tags/2.8.0/Includes/WcPaymentInvoiceEndpoint.php#L179 |
| litonice13–WP Adminify White Label WordPress, Admin Menu Editor, Login Customizer | The WP Adminify plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.0.7.7 via the /wp-json/adminify/v1/get-addons-list REST API endpoint. The endpoint is registered with permission_callback set to __return_true, allowing unauthenticated attackers to retrieve the complete list of available addons, their installation status, version numbers, and download URLs. | 2026-01-28 | 5.3 | CVE-2026-1060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7ecb4f95-346e-49b3-859f-44f28a72f065?source=cve https://plugins.trac.wordpress.org/browser/adminify/tags/4.0.6.1/Libs/Addons.php#L54 https://plugins.trac.wordpress.org/changeset/3442928/ |
| localsend–localsend | LocalSend is a free, open-source app that allows users to share files and messages with nearby devices over their local network without needing an internet connection. In versions up to and including 1.17.0, when a user initiates a “Share via Link” session, the LocalSend application starts a local HTTP server to host the selected files. The client-side logic for this web interface is contained in `app/assets/web/main.js`. Note that at [0], the `handleFilesDisplay` function constructs the HTML for the file list by iterating over the files received from the server. Commit 8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c contains a patch. | 2026-01-30 | 6.1 | CVE-2026-25154 | https://github.com/localsend/localsend/security/advisories/GHSA-34v6-52hh-x4r4 https://github.com/localsend/localsend/commit/8f3cec85aa29b2b13fed9b2f8e499e1ac9b0504c |
| lxicon–Bitcoin Donate Button | The Bitcoin Donate Button plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing or incorrect nonce validation on the settings page. This makes it possible for unauthenticated attackers to modify the plugin’s settings, including donation addresses and display configurations, via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2026-1380 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3c973dd9-cfa3-4f06-a25a-c2786e3dca4d?source=cve https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/trunk/btcbutton.php#L1 https://plugins.trac.wordpress.org/browser/bitcoin-donate-button/tags/1.0/btcbutton.php#L1 |
| mamunreza–Vzaar Media Management | The Vzaar Media Management plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping on the $_SERVER['PHP_SELF'] variable. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 5.3 | CVE-2026-1391 | https://www.wordfence.com/threat-intel/vulnerabilities/id/398a75b1-6470-44b3-aaea-d5e8b10db115?source=cve https://plugins.trac.wordpress.org/browser/vzaar-media-management/trunk/admin/vzaar-media-upload.php#L103 https://plugins.trac.wordpress.org/browser/vzaar-media-management/tags/1.2/admin/vzaar-media-upload.php#L103 |
| mapstructure–mapstructure | A flaw was found in github.com/go-viper/mapstructure/v2, in the field processing component using mapstructure.WeakDecode. This vulnerability allows information disclosure through detailed error messages that may leak sensitive input values via malformed user-supplied data processed in security-critical contexts. | 2026-01-26 | 5.3 | CVE-2025-11065 | https://access.redhat.com/security/cve/CVE-2025-11065 RHBZ#2391829 https://github.com/go-viper/mapstructure/commit/742921c9ba2854d27baa64272487fc5075d2c39c https://github.com/go-viper/mapstructure/security/advisories/GHSA-2464-8j7c-4cjm |
| metagauss–RegistrationMagic Custom Registration Forms, User Registration, Payment, and User Login | The RegistrationMagic plugin for WordPress is vulnerable to Missing Authorization in versions up to, and including, 6.0.7.4. This is due to missing nonce verification and capability checks on the rm_set_otp AJAX action handler. This makes it possible for unauthenticated attackers to modify arbitrary plugin settings, including reCAPTCHA keys, security settings, and frontend menu titles. | 2026-01-28 | 5.3 | CVE-2026-1054 | https://www.wordfence.com/threat-intel/vulnerabilities/id/daf4d246-85f3-48b3-985f-982fea4772f1?source=cve https://plugins.trac.wordpress.org/browser/custom-registration-form-builder-with-submission-manager/tags/6.0.6.9/admin/controllers/class_rm_options_controller.php#L209 https://plugins.trac.wordpress.org/changeset/3444777/ |
| michalc–PDW File Browser | PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. Attackers can upload a .txt webshell, rename it to .php, and move it to accessible directories using double-encoded path traversal techniques. | 2026-01-28 | 6.5 | CVE-2020-36973 | ExploitDB-48987 PDW File Browser GitHub Repository VulnCheck Advisory: PDW File Browser 1.3 – Remote Code Execution |
| microsoft–maker.js | Maker.js is a 2D vector line drawing and shape modeling library for CNC and laser cutters. In versions up to and including 0.19.1, the `makerjs.extendObject` function copies properties from source objects without proper validation, potentially exposing applications to security risks. The function lacks `hasOwnProperty()` checks and does not filter dangerous keys, allowing inherited properties and potentially malicious properties to be copied to target objects. A patch is available in commit 85e0f12bd868974b891601a141974f929dec36b8, which is expected to be part of version 0.19.2. | 2026-01-28 | 6.5 | CVE-2026-24888 | https://github.com/microsoft/maker.js/security/advisories/GHSA-2cp6-34r9-54xx https://github.com/microsoft/maker.js/commit/85e0f12bd868974b891601a141974f929dec36b8 https://github.com/microsoft/maker.js/blob/98cffa82a372ff942194c925a12a311253587167/packages/maker.js/src/core/maker.ts#L232-L241 |
| midgetspy–Sickbeard | Sickbeard alpha contains a cross-site request forgery vulnerability that allows attackers to disable authentication by submitting crafted configuration parameters. Attackers can trick users into submitting a malicious form that clears web username and password, effectively removing authentication protection. | 2026-01-30 | 5.3 | CVE-2020-37026 | ExploitDB-48712 Archived Sickbeard Official Homepage Sickbeard GitHub Repository VulnCheck Advisory: Sickbeard 0.1 – Cross-Site Request Forgery |
| migaweb–Simple calendar for Elementor | The Simple calendar for Elementor plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 1.6.6. This is due to missing capability checks on the `miga_ajax_editor_cal_delete` function that is hooked to the `miga_editor_cal_delete` AJAX action with both authenticated and unauthenticated access enabled. This makes it possible for unauthenticated attackers to delete arbitrary calendar entries by sending a request with a valid nonce and the calendar entry ID. | 2026-01-28 | 5.3 | CVE-2026-1310 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e537c56d-7c5e-4f21-b266-ef3d1a87caf2?source=cve https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/trunk/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/browser/simple-calendar-for-elementor/tags/1.6.6/widget/includes/backend_functions.php#L3 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444617%40simple-calendar-for-elementor&new=3444617%40simple-calendar-for-elementor&sfp_email=&sfph_mail= |
| miles99–WP Google Ad Manager Plugin | The WP Google Ad Manager Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 1.1.0 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1399 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f3185d82-a785-4165-8469-abc0be38f852?source=cve https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/trunk/WP-Google-Ad-Manager.php#L194 https://plugins.trac.wordpress.org/browser/wp-google-ad-manager-plugin/tags/1.1.0/WP-Google-Ad-Manager.php#L194 |
| MongoDB–Mongo-c-driver | User-controlled chunkSize metadata from MongoDB lacks appropriate validation, allowing malformed GridFS metadata to overflow the bounding container. | 2026-01-27 | 6.5 | CVE-2025-14911 | https://jira.mongodb.org/browse/CDRIVER-6125 |
| MrPlugins–BootCommerce | BootCommerce 3.2.1 contains persistent input validation vulnerabilities that allow remote attackers to inject malicious script code through guest order checkout input fields. Attackers can exploit unvalidated input parameters to execute arbitrary scripts, potentially leading to session hijacking, phishing attacks, and application module manipulation. | 2026-02-01 | 6.4 | CVE-2022-50941 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: BootCommerce 3.2.1 Persistent Cross-Site Scripting via Order Checkout |
| Naviwebs S.C.–Navigate CMS | Navigate CMS 2.8.7 contains a cross-site request forgery vulnerability that allows attackers to upload malicious extensions through a crafted HTML page. Attackers can trick authenticated administrators into executing arbitrary file uploads by leveraging the extension upload functionality without additional validation. | 2026-01-30 | 4.3 | CVE-2020-37054 | ExploitDB-48548 Navigate CMS Official Homepage Navigate CMS SourceForge Page VulnCheck Advisory: Navigate CMS 2.8.7 – Cross-Site Request Forgery |
| nebojsadabic–Target Video Easy Publish | The Target Video Easy Publish plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘placeholder_img’ parameter in all versions up to, and including, 3.8.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-8072 | https://www.wordfence.com/threat-intel/vulnerabilities/id/26e16dd3-66bc-4174-acc1-ee22713ae979?source=cve https://plugins.trac.wordpress.org/browser/brid-video-easy-publish/tags/3.8.6/lib/BridShortcode.php#L204 https://wordpress.org/plugins/brid-video-easy-publish/#developers https://plugins.trac.wordpress.org/changeset/3437514/brid-video-easy-publish/trunk/lib/BridShortcode.php |
| NetArt Media–Easy Cart Shopping Cart | Easy Cart Shopping Cart 2021 contains a non-persistent cross-site scripting vulnerability in the search module’s keyword parameter. Remote attackers can inject malicious script code through the search input to compromise user sessions and manipulate application content. | 2026-02-01 | 6.4 | CVE-2021-47856 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Easy Cart Shopping Cart 2021 Cross-Site Scripting via Search Parameter |
| nocodb–nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an authenticated user with org-level-creator permissions can exploit prototype pollution in the `/api/v2/meta/connection/test` endpoint, causing all database write operations to fail application-wide until server restart. While the pollution technically bypasses SUPER_ADMIN authorization checks, no practical privileged actions can be performed because database operations fail immediately after pollution. Version 0.301.0 patches the issue. | 2026-01-28 | 4.9 | CVE-2026-24766 | https://github.com/nocodb/nocodb/security/advisories/GHSA-95ff-46g6-6gw9 |
| nocodb–nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a blind Server-Side Request Forgery (SSRF) vulnerability exists in the `uploadViaURL` functionality due to an unprotected `HEAD` request. While the subsequent file retrieval logic correctly enforces SSRF protections, the initial metadata request executes without validation. This allows limited outbound requests to arbitrary URLs before SSRF controls are applied. Version 0.301.0 contains a patch for the issue. | 2026-01-28 | 4.9 | CVE-2026-24767 | https://github.com/nocodb/nocodb/security/advisories/GHSA-xr7v-j379-34v9 |
| NVIDIA–GeForce | NVIDIA HD Audio Driver for Windows contains a vulnerability where an attacker could exploit a NULL pointer dereference issue. A successful exploit of this vulnerability might lead to a denial of service. | 2026-01-28 | 5.5 | CVE-2025-33237 | https://nvd.nist.gov/vuln/detail/CVE-2025-33237 https://www.cve.org/CVERecord?id=CVE-2025-33237 https://nvidia.custhelp.com/app/answers/detail/a_id/5747 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. While saving a dataset, a stack buffer is used to prepare the data. Prior to versions 8.0.3 and 7.0.14, if the data in the dataset is too large, this can result in a stack overflow. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, do not use rules with the dataset `save` or `state` options. | 2026-01-27 | 5.9 | CVE-2026-22262 | https://github.com/OISF/suricata/security/advisories/GHSA-9qg5-2gwh-xp86 https://github.com/OISF/suricata/commit/0eff24213763c2aa2bb0957901d5dc1e18414dbf https://github.com/OISF/suricata/commit/27a2180bceaa3477419c78c54fce364398d011f1 https://github.com/OISF/suricata/commit/32609e6896f9079c175665a94005417cec7637eb https://github.com/OISF/suricata/commit/32a1b9ae6aa80a60c073897e38a2ac6ea0f64521 https://github.com/OISF/suricata/commit/d6bc718e303ecbec5999066b8bc88eeeca743658 https://github.com/OISF/suricata/commit/d767dfadcd166f82683757818b9e46943326ac90 https://redmine.openinfosecfoundation.org/issues/8110 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Starting in version 8.0.0 and prior to version 8.0.3, inefficiency in http1 headers parsing can lead to slowdown over multiple packets. Version 8.0.3 patches the issue. No known workarounds are available. | 2026-01-27 | 5.3 | CVE-2026-22263 | https://github.com/OISF/suricata/security/advisories/GHSA-rwc5-hxj6-hwx7 https://github.com/OISF/suricata/commit/018a377f74e3eb2b042c6f783ad9043060923428 https://redmine.openinfosecfoundation.org/issues/8201 |
| Open5GS–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_bearer_resource_failure_indication of the file src/sgwc/s5c-handler.c of the component SGWC. Performing a manipulation results in denial of service. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The patch is named 69b53add90a9479d7960b822fc60601d659c328b. It is recommended to apply a patch to fix this issue. | 2026-01-28 | 5.3 | CVE-2026-1521 | VDB-343192 \| Open5GS SGWC s5c-handler.c denial of service VDB-343192 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738370 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4268 https://github.com/open5gs/open5gs/issues/4268#event-21989483261 https://github.com/open5gs/open5gs/issues/4268#issue-3795012861 https://github.com/open5gs/open5gs/commit/69b53add90a9479d7960b822fc60601d659c328b |
| Open5GS–Open5GS | A weakness has been identified in Open5GS up to 2.7.6. This vulnerability affects the function sgwc_s5c_handle_modify_bearer_response of the file src/sgwc/s5c-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. This patch is called b19cf6a. Applying a patch is advised to resolve this issue. The issue report is flagged as already-fixed. | 2026-01-28 | 5.3 | CVE-2026-1522 | VDB-343193 \| Open5GS SGWC s5c-handler.c sgwc_s5c_handle_modify_bearer_response denial of service VDB-343193 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738371 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4266 https://github.com/open5gs/open5gs/issues/4266#event-21968568116 https://github.com/open5gs/open5gs/issues/4266#issue-3794991595 https://github.com/open5gs/open5gs/commit/b19cf6a |
| Open5GS–Open5GS | A flaw has been found in Open5GS up to 2.7.5. Impacted is the function ogs_gtp2_f_teid_to_ip of the file /sgwc/s11-handler.c of the component SGWC. Executing a manipulation can lead to denial of service. The attack may be performed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1586 | VDB-343349 \| Open5GS SGWC s11-handler.c ogs_gtp2_f_teid_to_ip denial of service VDB-343349 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738375 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4273 https://github.com/open5gs/open5gs/issues/4273#event-21968643659 https://github.com/open5gs/open5gs/issues/4273#issue-3796030721 |
| Open5GS–Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. The affected element is the function sgwc_s11_handle_modify_bearer_request of the file /sgwc/s11-handler.c of the component SGWC. The manipulation leads to denial of service. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. Applying a patch is the recommended action to fix this issue. The issue report is flagged as already-fixed. | 2026-01-29 | 5.3 | CVE-2026-1587 | VDB-343350 \| Open5GS SGWC s11-handler.c sgwc_s11_handle_modify_bearer_request denial of service VDB-343350 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738376 \| Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4272 https://github.com/open5gs/open5gs/issues/4272#event-21968635948 https://github.com/open5gs/open5gs/issues/4272#issue-3795156752 |
| OpenZ–OpenZ ERP | OpenZ ERP 3.6.60 contains a persistent cross-site scripting vulnerability in the Employee module’s name and description parameters. Attackers can inject malicious scripts through POST requests to , enabling session hijacking and manipulation of application modules. | 2026-01-30 | 6.4 | CVE-2020-37022 | ExploitDB-48450 OpenZ Official Website OpenZ Download Page Vulnerability Lab Advisory VulnCheck Advisory: OpenZ ERP 3.6.60 – Persistent Cross-Site Scripting |
| opf–openproject | OpenProject is an open-source, web-based project management software. In the new editor for collaborative documents based on BlockNote, OpenProject maintainers added a custom extension in OpenProject version 17.0.0 that allows mentioning OpenProject work packages in the document. To show work package details, the editor loads details about the work package via the OpenProject API. For this API call, the extension to the BlockNote editor did not properly validate the given work package ID to be only a number. This allowed an attacker to generate a document with relative links that, upon opening, could make arbitrary `GET` requests to any URL within the OpenProject instance. This issue was patched in version 0.0.22 of op-blocknote-extensions, which was shipped with OpenProject 17.0.2. If users cannot update immediately to version 17.0.2 of OpenProject, administrators can disable collaborative document editing in Settings -> Documents -> Real time collaboration -> Disable. | 2026-01-28 | 6.3 | CVE-2026-24775 | https://github.com/opf/openproject/security/advisories/GHSA-35c6-x276-2pvc https://github.com/opf/op-blocknote-extensions/releases/tag/v0.0.22 |
| Orchardcore–Orchard Core | Orchard Core RC1 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts through blog post creation. Attackers can create blog posts with embedded JavaScript in the MarkdownBodyPart.Source parameter to execute arbitrary scripts in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-37019 | ExploitDB-48456 Orchard Core Official Website Orchard Core GitHub Repository GitHub Issue #5802 VulnCheck Advisory: Orchard Core RC1 – Persistent Cross-Site Scripting |
| Php-Fusion–PHPFusion | PHPFusion 9.03.50 contains a persistent cross-site scripting vulnerability in the print.php page that fails to properly sanitize user-submitted message content. Attackers can inject malicious JavaScript through forum messages that will execute when the print page is generated, allowing script execution in victim browsers. | 2026-01-30 | 6.4 | CVE-2020-36996 | ExploitDB-48497 PHPFusion Official Homepage PHPFusion Download Page VulnCheck Advisory: PHPFusion 9.03.50 – Persistent Cross-Site Scripting |
| PHPGurukul–Hospital Management System | A security flaw has been discovered in PHPGurukul Hospital Management System 1.0. Affected by this issue is some unknown functionality of the file /hms/hospital/docappsystem/adminviews.py of the component Admin Dashboard Page. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-01-28 | 6.3 | CVE-2026-1550 | VDB-343246 \| PHPGurukul Hospital Management System Admin Dashboard adminviews.py improper authorization VDB-343246 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739837 \| PHPGurukul Hospital Management System v1.0 Missing Authorization https://github.com/rsecroot/Hospital-Management-System/blob/main/Broken%20Access%20Control.md https://phpgurukul.com/ |
| PHPGurukul–News Portal | A vulnerability was identified in PHPGurukul News Portal 1.0. This affects an unknown part of the component Profile Pic Handler. The manipulation leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. | 2026-01-26 | 4.7 | CVE-2026-1424 | VDB-342840 \| PHPGurukul News Portal Profile Pic unrestricted upload VDB-342840 \| CTI Indicators (IOB, IOC, TTP) Submit #736637 \| PHPGurukul News Portal v1.0 Cross Site Scripting https://github.com/rsecroot/News-Portal/blob/main/Cross%20Site%20Scripting.md https://phpgurukul.com/ |
| PHPSUGAR–PHP Melody | PHP Melody version 3.0 contains multiple non-persistent cross-site scripting vulnerabilities in categories, import, and user import files. Attackers can inject malicious scripts through unvalidated parameters to execute client-side attacks and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47912 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Non-Persistent Cross-Site Scripting via Multiple Parameters |
| PHPSUGAR–PHP Melody | PHP Melody 3.0 contains a persistent cross-site scripting vulnerability in the video editor that allows privileged users to inject malicious scripts. Attackers can exploit the WYSIWYG editor to execute persistent scripts, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47913 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent Cross-Site Scripting via Video Editor |
| PHPSUGAR–PHP Melody | PHP Melody version 3.0 contains a persistent cross-site scripting vulnerability in the edit-video.php submitted parameter that allows remote attackers to inject malicious script code. Attackers can exploit this vulnerability to execute arbitrary JavaScript, potentially leading to session hijacking, persistent phishing, and manipulation of application modules. | 2026-02-01 | 6.4 | CVE-2021-47914 | Vulnerability Lab Advisory Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: PHP Melody 3.0 Persistent XSS Vulnerability via Edit Video Parameter |
| pnpm–pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm’s binary fetcher allows malicious packages to write files outside the intended extraction directory. The vulnerability has two attack vectors: (1) Malicious ZIP entries containing `../` or absolute paths that escape the extraction root via AdmZip’s `extractAllTo`, and (2) The `BinaryResolution.prefix` field is concatenated into the extraction path without validation, allowing a crafted prefix like `../../evil` to redirect extracted files outside `targetDir`. The issue impacts all pnpm users who install packages with binary assets, users who configure custom Node.js binary locations and CI/CD pipelines that auto-install binary dependencies. It can lead to overwriting config files, scripts, or other sensitive files leading to RCE. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23888 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6pfh-p556-v868 https://github.com/pnpm/pnpm/commit/5c382f0ca3b7cc49963b94677426e66539dcb3f5 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm–pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm’s tarball extraction allows malicious packages to write files outside the package directory on Windows. The path normalization only checks for `./` but not `.\`. On Windows, backslashes are directory separators, enabling path traversal. This vulnerability is Windows-only. This issue impacts Windows pnpm users and Windows CI/CD pipelines (GitHub Actions Windows runners, Azure DevOps). It can lead to overwriting `.npmrc`, build configs, or other files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23889 | https://github.com/pnpm/pnpm/security/advisories/GHSA-6x96-7vc8-cm3p https://github.com/pnpm/pnpm/commit/6ca07ffbe6fc0e8b8cdc968f228903ba0886f7c0 https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| pnpm–pnpm | pnpm is a package manager. Prior to version 10.28.1, a path traversal vulnerability in pnpm’s bin linking allows malicious npm packages to create executable shims or symlinks outside of `node_modules/.bin`. Bin names starting with `@` bypass validation, and after scope normalization, path traversal sequences like `../../` remain intact. This issue affects all pnpm users who install npm packages and CI/CD pipelines using pnpm. It can lead to overwriting config files, scripts, or other sensitive files. Version 10.28.1 contains a patch. | 2026-01-26 | 6.5 | CVE-2026-23890 | https://github.com/pnpm/pnpm/security/advisories/GHSA-xpqm-wm3m-f34h https://github.com/pnpm/pnpm/commit/8afbb1598445d37985d91fda18abb4795ae5062d https://github.com/pnpm/pnpm/releases/tag/v10.28.1 |
| presstigers–Simple Folio | The Simple Folio plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_simple_folio_item_client_name’ and ‘_simple_folio_item_link’ meta fields in all versions up to, and including, 1.1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14039 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32a71d6-d61c-4f6f-9d35-70140235af7c?source=cve https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L70 https://plugins.trac.wordpress.org/browser/simple-folio/trunk/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/browser/simple-folio/tags/1.1.1/templates/single-simple-folio.php#L76 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442515%40simple-folio&new=3442515%40simple-folio&sfp_email=&sfph_mail= |
| Product Owner: Webile–Webile | Webile 1.0.1 contains a directory traversal vulnerability that allows remote attackers to manipulate file system paths without authentication. Attackers can exploit path manipulation to access sensitive system directories and potentially compromise the mobile device’s local file system. | 2026-02-01 | 6.5 | CVE-2022-50950 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Webile 1.0.1 Directory Traversal Vulnerability via Web Application |
| psmplugins–SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to SQL Injection via the Number-type custom field filter in all versions up to, and including, 3.4.4. This is due to insufficient escaping on the user-supplied operand value when using the equals operator and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Subscriber-level access and above (customers), to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-01-31 | 6.5 | CVE-2026-0683 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a7856d0f-bc7d-436c-968c-631fd6a686ab?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1265 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/admin/tickets/class-wpsc-ticket-list.php#L1288 https://plugins.trac.wordpress.org/browser/supportcandy/tags/3.4.4/includes/custom-field-types/class-wpsc-cf-number.php#L371 https://plugins.trac.wordpress.org/changeset/3448376/ |
| psmplugins–SupportCandy Helpdesk & Customer Support Ticket System | The SupportCandy – Helpdesk & Customer Support Ticket System plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 3.4.4 via the ‘add_reply’ function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with subscriber-level access and above, to steal file attachments uploaded by other users by specifying arbitrary attachment IDs in the ‘description_attachments’ parameter, re-associating those files to their own tickets and removing access from the original owners. | 2026-01-31 | 5.4 | CVE-2026-1251 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89df3005-0967-474f-8a4e-3b23273dd1a2?source=cve https://plugins.trac.wordpress.org/browser/supportcandy/trunk/includes/admin/tickets/class-wpsc-individual-ticket.php#L1603 https://plugins.trac.wordpress.org/changeset/3448376/ |
| pymumu–SmartDNS | A security flaw has been discovered in pymumu SmartDNS up to 47.1. This vulnerability affects the function _dns_decode_rr_head/_dns_decode_SVCB_HTTPS of the file src/dns.c of the component SVCB Record Parser. The manipulation results in stack-based buffer overflow. It is possible to launch the attack remotely. A high complexity level is associated with this attack. It is stated that the exploitability is difficult. The patch is identified as 2d57c4b4e1add9b4537aeb403f794a084727e1c8. Applying a patch is advised to resolve this issue. | 2026-01-26 | 5.6 | CVE-2026-1425 | VDB-342841 \| pymumu SmartDNS SVBC Record dns.c _dns_decode_SVCB_HTTPS stack-based overflow VDB-342841 \| CTI Indicators (IOB, IOC, IOA) Submit #736827 \| pymumu smartdns 47.1 Stack-based Buffer Overflow https://github.com/pymumu/smartdns/commit/2d57c4b4e1add9b4537aeb403f794a084727e1c8 |
| QlikTech International AB–QlikView | QlikView 12.50.20000.0 contains a denial of service vulnerability in the FTP server address input field that allows local attackers to crash the application. Attackers can paste a 300-character buffer into the FTP server address field to trigger an application crash and prevent normal functionality. | 2026-01-29 | 6.2 | CVE-2020-36994 | ExploitDB-48732 Vendor Homepage VulnCheck Advisory: QlikView 12.50.20000.0 – ‘FTP Server Address’ Denial of Service |
| QR Menu Pro Smart Menu Systems–Menu Panel | Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7013 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QR Menu Pro Smart Menu Systems–Menu Panel | Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking. This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 5.7 | CVE-2025-7014 | https://www.usom.gov.tr/bildirim/tr-26-0007 |
| QWE Labs–QWE DL | QWE DL 2.0.1 mobile web application contains a persistent input validation vulnerability allowing remote attackers to inject malicious script code through path parameter manipulation. Attackers can exploit the vulnerability to execute persistent cross-site scripting attacks, potentially leading to session hijacking and application module manipulation. | 2026-02-01 | 6.4 | CVE-2023-54343 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: QWE DL 2.0.1 Persistent XSS Vulnerability via Path Parameter |
| recooty–Recooty Job Widget (Old Dashboard) | The Recooty – Job Widget (Old Dashboard) plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0.6. This is due to missing nonce validation on the recooty_save_maybe() function. This makes it possible for unauthenticated attackers to update the recooty_key option and inject malicious content into iframe src attributes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-01-28 | 4.3 | CVE-2025-14616 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb14f084-6f36-4702-8a28-b62811739407?source=cve https://plugins.trac.wordpress.org/browser/recooty/trunk/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/admin/init.php#L72 https://plugins.trac.wordpress.org/browser/recooty/trunk/init.php#L41 https://plugins.trac.wordpress.org/browser/recooty/tags/1.0.4/init.php#L41 |
| Red Hat–Red Hat build of Quarkus | A flaw was found in Hibernate Reactive. When an HTTP endpoint is exposed to perform database operations, a remote client can prematurely close the HTTP connection. This action may lead to leaking connections from the database connection pool, potentially causing a Denial of Service (DoS) by exhausting available database connections. | 2026-01-26 | 4.3 | CVE-2025-14969 | https://access.redhat.com/security/cve/CVE-2025-14969 RHBZ#2423822 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client library. This vulnerability, known as CRLF (Carriage Return Line Feed) Injection, occurs when an HTTP proxy is configured and the library improperly handles URL-decoded input used to create the Host header. A remote attacker can exploit this by providing a specially crafted URL containing CRLF sequences, allowing them to inject additional HTTP headers or complete HTTP request bodies. This can lead to unintended or unauthorized HTTP requests being forwarded by the proxy, potentially impacting downstream services. | 2026-01-27 | 5.8 | CVE-2026-1467 | https://access.redhat.com/security/cve/CVE-2026-1467 RHBZ#2433174 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in GLib. An integer overflow vulnerability in its Unicode case conversion implementation can lead to memory corruption. By processing specially crafted and extremely large Unicode strings, an attacker could trigger an undersized memory allocation, resulting in out-of-bounds writes. This could cause applications utilizing GLib for string conversion to crash or become unstable. | 2026-01-27 | 5.4 | CVE-2026-1489 | https://access.redhat.com/security/cve/CVE-2026-1489 RHBZ#2433348 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libsoup. An attacker who can control the input for the Content-Disposition header can inject CRLF (Carriage Return Line Feed) sequences into the header value. These sequences are then interpreted verbatim when the HTTP request or response is constructed, allowing arbitrary HTTP headers to be injected. This vulnerability can lead to HTTP header injection or HTTP response splitting without requiring authentication or user interaction. | 2026-01-28 | 5.8 | CVE-2026-1536 | https://access.redhat.com/security/cve/CVE-2026-1536 RHBZ#2433834 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the libsoup HTTP library that can cause proxy authentication credentials to be sent to unintended destinations. When handling HTTP redirects, libsoup removes the Authorization header but does not remove the Proxy-Authorization header if the request is redirected to a different host. As a result, sensitive proxy credentials may be leaked to third-party servers. Applications using libsoup for HTTP communication may unintentionally expose proxy authentication data. | 2026-01-28 | 5.8 | CVE-2026-1539 | https://access.redhat.com/security/cve/CVE-2026-1539 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the GnuTLS library, specifically in the gnutls_pkcs11_token_init() function that handles PKCS#11 token initialization. When a token label longer than expected is processed, the function writes past the end of a fixed-size stack buffer. This programming error can cause the application using GnuTLS to crash or, in certain conditions, be exploited for code execution. As a result, systems or applications relying on GnuTLS may be vulnerable to a denial of service or local privilege escalation attacks. | 2026-01-26 | 4 | CVE-2025-9820 | https://access.redhat.com/security/cve/CVE-2025-9820 RHBZ#2392528 https://gitlab.com/gnutls/gnutls/-/commit/1d56f96f6ab5034d677136b9d50b5a75dff0faf5 https://gitlab.com/gnutls/gnutls/-/issues/1732 https://www.gnutls.org/security-new.html#GNUTLS-SA-2025-11-18 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in the GLib Base64 encoding routine when processing very large input data. Due to incorrect use of integer types during length calculation, the library may miscalculate buffer boundaries. This can cause memory writes outside the allocated buffer. Applications that process untrusted or extremely large Base64 input using GLib may crash or behave unpredictably. | 2026-01-27 | 4.2 | CVE-2026-1484 | https://access.redhat.com/security/cve/CVE-2026-1484 RHBZ#2433259 |
| Red Hat–Red Hat OpenShift Virtualization 4 | A flaw was found in kubevirt. A user within a virtual machine (VM), if the guest agent is active, can exploit this by causing the agent to report an excessive number of network interfaces. This action can overwhelm the system’s ability to store VM configuration updates, effectively blocking changes to the Virtual Machine Instance (VMI). This allows the VM user to restrict the VM administrator’s ability to manage the VM, leading to a denial of service for administrative operations. | 2026-01-26 | 6.4 | CVE-2025-14525 | https://access.redhat.com/security/cve/CVE-2025-14525 RHBZ#2421360 |
| rupantorpay–Rupantorpay | The Rupantorpay plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the handle_webhook() function in all versions up to, and including, 2.0.0. This makes it possible for unauthenticated attackers to modify WooCommerce order statuses by sending crafted requests to the WooCommerce API endpoint. | 2026-01-28 | 5.3 | CVE-2025-15511 | https://www.wordfence.com/threat-intel/vulnerabilities/id/1b21bdfd-42ec-43fe-b581-04276b86c50b?source=cve https://plugins.trac.wordpress.org/browser/rupantorpay/tags/2.0.0/includes/class-wc-rupantorpay-gateway.php#L172 |
| RustCrypto–signatures | The ML-DSA crate is a Rust implementation of the Module-Lattice-Based Digital Signature Standard (ML-DSA). Starting in version 0.0.4 and prior to version 0.1.0-rc.4, the ML-DSA signature verification implementation in the RustCrypto `ml-dsa` crate incorrectly accepts signatures with repeated (duplicate) hint indices. According to the ML-DSA specification (FIPS 204 / RFC 9881), hint indices within each polynomial must be **strictly increasing**. The current implementation uses a non-strict monotonic check (`<=` instead of `<`), allowing duplicate indices. This is a regression bug. The original implementation was correct, but a commit in version 0.0.4 inadvertently changed the strict `<` comparison to `<=`, introducing the vulnerability. Version 0.1.0-rc.4 fixes the issue. | 2026-01-28 | 5.3 | CVE-2026-24850 | https://github.com/RustCrypto/signatures/security/advisories/GHSA-5x2r-hc65-25f9 https://github.com/RustCrypto/signatures/issues/894 https://github.com/RustCrypto/signatures/pull/895 https://github.com/RustCrypto/signatures/commit/400961412be2e2ab787942cf30e0a9b66b37a54a https://github.com/RustCrypto/signatures/commit/b01c3b73dd08d0094e089aa234f78b6089ec1f38 https://csrc.nist.gov/pubs/fips/204/final https://datatracker.ietf.org/doc/html/rfc9881 https://github.com/C2SP/wycheproof https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_44_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_65_verify_test.json https://github.com/C2SP/wycheproof/blob/master/testvectors_v1/mldsa_87_verify_test.json |
| salihciftci–Liman | Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. Attackers can craft malicious HTML forms to change user passwords or modify account information by tricking logged-in users into submitting unauthorized requests. | 2026-01-29 | 5.3 | CVE-2020-37007 | ExploitDB-48869 Archived Liman GitHub Repository VulnCheck Advisory: Liman 0.7 – Cross-Site Request Forgery (Change Password) |
| Salt Project–Salt | Salt contains an authentication protocol version downgrade weakness that can allow a malicious minion to bypass newer authentication/security features by using an older request payload format, enabling minion impersonation and circumventing protections introduced in response to prior issues. | 2026-01-30 | 6.2 | CVE-2025-62349 | Salt 3006.17 release notes (fix and minimum_auth_version) Salt 3007.9 release notes (fix and minimum_auth_version) |
| Sangfor–Operation and Maintenance Security Management System | A vulnerability was found in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This affects the function portValidate of the file /fort/ip_and_port/port_validate of the component HTTP POST Request Handler. Performing a manipulation of the argument port results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-01-26 | 6.3 | CVE-2026-1413 | VDB-342802 \| Sangfor Operation and Maintenance Security Management System HTTP POST Request port_validate portValidate command injection VDB-342802 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736522 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/23 |
| Sangfor–Operation and Maintenance Security Management System | A vulnerability was determined in Sangfor Operation and Maintenance Security Management System up to 3.0.12. This impacts the function getInformation of the file /equipment/get_Information of the component HTTP POST Request Handler. Executing a manipulation of the argument fortEquipmentIp can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-01-26 | 6.3 | CVE-2026-1414 | VDB-342803 \| Sangfor Operation and Maintenance Security Management System HTTP POST Request get_Information getInformation command injection VDB-342803 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736524 \| Sangfor Operation and Maintenance Security Management System (OSM / 运维安全管理系统) v3.0.12 Command Injection https://github.com/LX-LX88/cve/issues/24 |
| SAP_SE–SAP Fiori App (Intercompany Balance Reconciliation) | SAP Fiori App Intercompany Balance Reconciliation does not perform necessary authorization checks for an authenticated user, resulting in escalation of privileges. This has low impact on confidentiality; integrity and availability are not impacted. | 2026-01-27 | 4.3 | CVE-2026-23683 | https://me.sap.com/notes/3122486 https://url.sap/sapsecuritypatchday |
| Sellacious–Sellacious eCommerce | Sellacious eCommerce 4.6 contains a persistent cross-site scripting vulnerability in the Manage Your Addresses module that allows attackers to inject malicious scripts. Attackers can exploit multiple address input fields like full name, company, and address to execute persistent script code that can hijack user sessions and manipulate application modules. | 2026-01-30 | 6.4 | CVE-2020-37003 | ExploitDB-48467 Official Sellacious eCommerce Homepage Sellacious Product Details Vulnerability Lab Advisory VulnCheck Advisory: Sellacious eCommerce 4.6 – Persistent Cross-Site Scripting |
| SEMCMS–SEMCMS | A security vulnerability has been detected in SEMCMS 5.0. This vulnerability affects unknown code of the file /SEMCMS_Info.php. The manipulation of the argument searchml leads to SQL injection. The attack can be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 6.3 | CVE-2026-1552 | VDB-343248 \| SEMCMS SEMCMS_Info.php sql injection VDB-343248 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740549 \| SEMCMS SEMCMS 外贸网站php多语言版 V5.0 SQL Injection https://github.com/Sqli22/Sqli/issues/4 |
| seomantis–SEO Links Interlinking | The SEO Links Interlinking plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘google_error’ parameter in all versions up to, and including, 1.7.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-01-28 | 6.1 | CVE-2025-14063 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d71143d6-d477-4a63-8f99-f4cc8a590536?source=cve https://wordpress.org/plugins/seo-links-interlinking/ https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L504 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/trunk/scdata.php#L512 https://plugins.trac.wordpress.org/browser/seo-links-interlinking/tags/1.7.5/scdata.php#L512 |
| Simplephpscripts–Simple CMS | Simple CMS 2.1 contains a persistent cross-site scripting vulnerability in user input parameters that allows remote attackers to inject malicious script code. Attackers can exploit the newUser and editUser modules to inject persistent scripts that execute on user list preview, potentially leading to session hijacking and application manipulation. | 2026-02-01 | 6.4 | CVE-2021-47917 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Persistent Cross-Site Scripting via User Input Parameters |
| Simplephpscripts–Simple CMS | Simple CMS 2.1 contains a non-persistent cross-site scripting vulnerability in the preview.php file’s id parameter. Attackers can inject malicious script code through a GET request to execute arbitrary scripts and potentially hijack user sessions or perform phishing attacks. | 2026-02-01 | 6.4 | CVE-2021-47919 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Simple CMS 2.1 Non-Persistent Cross-Site Scripting via Preview Parameter |
| smarterDroid–WiFi File Transfer | WiFi File Transfer 1.0.8 contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious script codes through file and folder names. Attackers can exploit the web server’s input validation weakness to execute arbitrary JavaScript when users preview infected file paths, potentially compromising user browser sessions. | 2026-02-01 | 6.4 | CVE-2022-50951 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WiFi File Transfer 1.0.8 Persistent XSS via Web Server Input Validation |
| SourceCodester–Pet Grooming Management Software | A vulnerability was detected in SourceCodester Pet Grooming Management Software 1.0. Impacted is an unknown function of the file /admin/operation/user.php of the component User Management. Performing a manipulation of the argument group_id results in improper authorization. The attack can be initiated remotely. The exploit is now public and may be used. | 2026-01-30 | 6.3 | CVE-2026-1702 | VDB-343492 \| SourceCodester Pet Grooming Management Software User Management user.php improper authorization VDB-343492 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742226 \| SourceCodester Pet grooming management software 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control—in-Pet-Grooming-Management-Software https://www.sourcecodester.com/ |
| stellar–rs-soroban-sdk | soroban-sdk is a Rust SDK for Soroban contracts. Arithmetic overflow can be triggered in the `Bytes::slice`, `Vec::slice`, and `Prng::gen_range` (for `u64`) methods in the `soroban-sdk` in versions up to and including `25.0.1`, `23.5.1`, and `25.0.2`. Contracts that pass user-controlled or computed range bounds to `Bytes::slice`, `Vec::slice`, or `Prng::gen_range` may silently operate on incorrect data ranges or generate random numbers from an unintended range, potentially resulting in corrupted contract state. Note that the best practice when using the `soroban-sdk` and building Soroban contracts is to always enable `overflow-checks = true`. The `stellar contract init` tool that prepares the boilerplate for a Soroban contract, as well as all examples and docs, encourage configuring `overflow-checks = true` on `release` profiles so that these arithmetic operations fail rather than silently wrap. Contracts are only impacted if they use `overflow-checks = false` either explicitly or implicitly. It is anticipated the majority of contracts could not be impacted because the best practice encouraged by tooling is to enable `overflow-checks`. The fix available in `25.0.1`, `23.5.1`, and `25.0.2` replaces bare arithmetic with `checked_add` / `checked_sub`, ensuring overflow traps regardless of the `overflow-checks` profile setting. As a workaround, contract workspaces can be configured with a profile available in the GitHub Security Advisory to enable overflow checks on the arithmetic operations. This is the best practice when developing Soroban contracts, and the default if using the contract boilerplate generated using `stellar contract init`. Alternatively, contracts can validate range bounds before passing them to `slice` or `gen_range` to ensure the conversions cannot overflow. | 2026-01-28 | 5.3 | CVE-2026-24889 | https://github.com/stellar/rs-soroban-sdk/security/advisories/GHSA-96xm-fv9w-pf3f https://github.com/stellar/rs-soroban-sdk/pull/1703 https://github.com/stellar/rs-soroban-sdk/commit/3890521426d71bb4d892b21f5a283a1e836cfa38 https://github.com/stellar/rs-soroban-sdk/commit/59fcef437260ed4da42d1efb357137a5c166c02e https://github.com/stellar/rs-soroban-sdk/commit/c2757c6d774dbb28b34a0b77ffe282e59f0f8462 https://github.com/stellar/rs-soroban-sdk/releases/tag/v22.0.9 https://github.com/stellar/rs-soroban-sdk/releases/tag/v23.5.1 https://github.com/stellar/rs-soroban-sdk/releases/tag/v25.0.2 |
| supercleanse–Stripe Payments by Buy Now Plus Best WordPress Stripe Credit Card Payments Plugin | The Buy Now Plus – Buy Now buttons for Stripe plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘buynowplus’ shortcode in all versions up to, and including, 1.0.2 due to insufficient input sanitization and output escaping on shortcode attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2026-1295 | https://www.wordfence.com/threat-intel/vulnerabilities/id/87d228bb-eb5b-44ca-91f7-ada730635a3f?source=cve https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L17 https://plugins.trac.wordpress.org/browser/buy-now-plus/tags/1.0.2/class-bnp-buttons.php#L36 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444416%40buy-now-plus&new=3444416%40buy-now-plus&sfp_email=&sfph_mail= |
| symfony–symfony | Symfony is a PHP framework for web and console applications and a set of reusable PHP components. Prior to versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5, the Symfony Process component did not correctly treat some characters (notably `=`) as “special” when escaping arguments on Windows. When PHP is executed from an MSYS2-based environment (e.g. Git Bash) and Symfony Process spawns native Windows executables, MSYS2’s argument/path conversion can mis-handle unquoted arguments containing these characters. This can cause the spawned process to receive corrupted/truncated arguments compared to what Symfony intended. If an application (or tooling such as Composer scripts) uses Symfony Process to invoke file-management commands (e.g. `rmdir`, `del`, etc.) with a path argument containing `=`, the MSYS2 conversion layer may alter the argument at runtime. In affected setups this can result in operations being performed on an unintended path, up to and including deletion of the contents of a broader directory or drive. The issue is particularly relevant when untrusted input can influence process arguments (directly or indirectly, e.g. via repository paths, extracted archive paths, temporary directories, or user-controlled configuration). Versions 5.4.51, 6.4.33, 7.3.11, 7.4.5, and 8.0.5 contain a patch for the issue. Some workarounds are available. Avoid running PHP/one’s own tooling from MSYS2-based shells on Windows; prefer cmd.exe or PowerShell for workflows that spawn native executables. Avoid passing paths containing `=` (and similar MSYS2-sensitive characters) to Symfony Process when operating under Git Bash/MSYS2. Where applicable, configure MSYS2 to disable or restrict argument conversion (e.g. via `MSYS2_ARG_CONV_EXCL`), understanding this may affect other tooling behavior. | 2026-01-28 | 6.3 | CVE-2026-24739 | https://github.com/symfony/symfony/security/advisories/GHSA-r39x-jcww-82v6 https://github.com/symfony/symfony/issues/62921 https://github.com/symfony/symfony/pull/63164 https://github.com/symfony/symfony/commit/35203939050e5abd3caf2202113b00cab5d379b3 https://github.com/symfony/symfony/commit/ec154f6f95f8c60f831998ec4d246a857e9d179b |
| Tanium–Asset | Tanium addressed a SQL injection vulnerability in Asset. | 2026-01-28 | 6.3 | CVE-2025-15344 | TAN-2025-035 |
| Tanium–Discover | Tanium addressed an uncontrolled resource consumption vulnerability in Discover. | 2026-01-26 | 4.9 | CVE-2026-1224 | TAN-2026-001 |
| Tanium–Tanium Server | Tanium addressed an improper access controls vulnerability in Tanium Server. | 2026-01-30 | 4.3 | CVE-2025-15322 | TAN-2025-028 |
| TeamViewer–DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause normally encrypted UDP traffic to be sent in cleartext. This can result in disclosure of sensitive information. | 2026-01-29 | 6.5 | CVE-2026-23564 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause the NomadBranch.exe process to terminate via crafted requests. This can result in a denial-of-service condition of the Content Distribution Service. | 2026-01-29 | 6.5 | CVE-2026-23565 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | A vulnerability in TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to inject, tamper with, or forge log entries in Nomad Branch.log via crafted data sent to the UDP network handler. This can impact log integrity and nonrepudiation. | 2026-01-29 | 6.5 | CVE-2026-23566 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | An integer underflow in the UDP command handler of the TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to trigger a heap-based buffer overflow and cause a denial-of-service (service crash) via specially crafted UDP packets. | 2026-01-29 | 6.5 | CVE-2026-23567 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows a remote attacker to leak stack memory and cause a denial of service via a crafted request. The leaked stack memory could be used to bypass ASLR remotely and facilitate exploitation of other vulnerabilities on the affected system. | 2026-01-29 | 6.5 | CVE-2026-23569 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | A missing validation of a user-controlled value in the TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an adjacent network attacker to tamper with log timestamps via a crafted UDP Sync command. This could result in forged or nonsensical datetime prefixes, compromising log integrity and forensic correlation. | 2026-01-29 | 6.5 | CVE-2026-23570 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| TeamViewer–DEX | A command injection vulnerability was discovered in TeamViewer DEX (former 1E DEX), specifically within the 1E-Nomad-RunPkgStatusRequest instruction. Improper input validation allows authenticated attackers with actioner privilege to run elevated arbitrary commands on connected hosts via malicious commands injected into the instruction’s input field. Users of 1E Client version 24.5 or higher are not affected. | 2026-01-29 | 6.8 | CVE-2026-23571 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer–DEX | Improper Link Resolution Before File Access (invoked by 1E Explorer TachyonCore DeleteFileByPath instruction) in TeamViewer DEX – 1E Client before version 26.1 on Windows allows a low privileged local attacker to delete protected system files via a crafted RPC control junction or symlink that is followed when the delete instruction executes. | 2026-01-29 | 5.7 | CVE-2026-23563 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1002/ |
| TeamViewer–DEX | An out-of-bounds read vulnerability in the TeamViewer DEX Client (former 1E Client) – Content Distribution Service (NomadBranch.exe) prior to version 26.1 for Windows allows an attacker on the adjacent network to cause information disclosure or denial-of-service via a specially crafted packet. The leaked memory could be used to bypass ASLR and facilitate further exploitation. | 2026-01-29 | 5.4 | CVE-2026-23568 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1001/ |
| Tenda–AC21 | A security flaw has been discovered in Tenda AC21 1.1.1.1/1.dmzip/16.03.08.16. The impacted element is the function mDMZSetCfg of the file /goform/mDMZSetCfg. The manipulation of the argument dmzIp results in command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1638 | VDB-343417 \| Tenda AC21 mDMZSetCfg command injection VDB-343417 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740871 \| Tenda AC21 V16.03.08.16 Command Injection https://github.com/LX-LX88/cve/issues/26 https://www.tenda.com.cn/ |
| Tenda–HG10 | A flaw has been found in Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon. This affects the function system of the file /boaform/formSysCmd. This manipulation of the argument sysCmd causes command injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-01-30 | 4.7 | CVE-2026-1690 | VDB-343484 \| Tenda HG10 formSysCmd system command injection VDB-343484 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741425 \| Tenda HG10 US_HG7_HG9_HG10re_300001138_en_xpon Command Injection https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/Tenda/HG10/formSysCmd-sysCmd-command.md#poc https://www.tenda.com.cn/ |
| theupdateframework–go-tuf | go-tuf is a Go implementation of The Update Framework (TUF). go-tuf’s TAP 4 Multirepo Client uses the map file repository name string (`repoName`) as a filesystem path component when selecting the local metadata cache directory. Starting in version 2.0.0 and prior to version 2.4.1, if an application accepts a map file from an untrusted source, an attacker can supply a `repoName` containing traversal (e.g., `../escaped-repo`) and cause go-tuf to create directories and write the root metadata file outside the intended `LocalMetadataDir` cache base, within the running process’s filesystem permissions. Version 2.4.1 contains a patch. | 2026-01-27 | 4.7 | CVE-2026-24686 | https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-jqc5-w2xx-5vq4 https://github.com/theupdateframework/go-tuf/commit/d361e2ea24e427581343dee5c7a32b485d79fcc0 |
| thewebfosters-thewebfosters | Ultimate POS 4.4 contains a persistent cross-site scripting vulnerability in the product name parameter that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability through product add or edit functions to execute arbitrary JavaScript and potentially hijack user sessions. | 2026-02-01 | 6.4 | CVE-2021-47908 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: Ultimate POS 4.4 Persistent Cross-Site Scripting via Product Name |
| tigroumeow–AI Engine The Chatbot and AI Framework for WordPress | The AI Engine plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 3.3.2 via the ‘get_audio’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services, if “Public API” is enabled in the plugin settings, and ‘allow_url_fopen’ is set to ‘On’ on the server. | 2026-01-27 | 6.4 | CVE-2026-0746 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cbba866d-93dd-4ef5-9670-ab958f61f06e?source=cve https://plugins.trac.wordpress.org/browser/ai-engine/tags/3.3.1/classes/engines/chatml.php#L946 https://plugins.trac.wordpress.org/changeset/3447500/ai-engine/trunk/classes/engines/chatml.php |
| Tildeslash Ltd.–M/Monit | M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. Attackers can send requests to the /api/1/admin/users/list and /api/1/admin/users/get endpoints to extract MD5 password hashes for all users. | 2026-01-28 | 6.5 | CVE-2020-36968 | ExploitDB-49081 M/Monit Official Vendor Homepage VulnCheck Advisory: M/Monit 3.7.4 – Password Disclosure |
| Totolink–A7000R | A vulnerability was detected in Totolink A7000R 4.1cu.4154. This affects the function setUnloadUserData of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument plugin_name results in command injection. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-01-28 | 6.3 | CVE-2026-1547 | VDB-343231 \| Totolink A7000R cstecgi.cgi setUnloadUserData command injection VDB-343231 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739713 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/01_RCE_setUnloadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink–A7000R | A flaw has been found in Totolink A7000R 4.1cu.4154. This impacts the function CloudACMunualUpdateUserdata of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument url causes command injection. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-01-28 | 6.3 | CVE-2026-1548 | VDB-343232 \| Totolink A7000R cstecgi.cgi CloudACMunualUpdateUserdata command injection VDB-343232 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #739715 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/02_RCE_CloudACMunualUpdateUserdata_RCE.md#poc https://www.totolink.net/ |
| Totolink–A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. The impacted element is the function setUploadUserData of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument FileName can lead to command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1601 | VDB-343373 \| Totolink A7000R cstecgi.cgi setUploadUserData command injection VDB-343373 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740760 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/03_RCE_setUploadUserData_RCE.md#poc https://www.totolink.net/ |
| Totolink–A7000R | A weakness has been identified in Totolink A7000R 4.1cu.4154. Impacted is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi. This manipulation of the argument FileName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-29 | 6.3 | CVE-2026-1623 | VDB-343382 \| Totolink A7000R cstecgi.cgi setUpgradeFW command injection VDB-343382 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740767 \| TOTOLINK A7000R V4.1cu.4154 Command Injection https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md https://github.com/xyh4ck/iot_poc/blob/main/TOTOLINK/A7000R/04_RCE_setUpgradeFW_RCE.md#poc https://www.totolink.net/ |
| TrustTunnel–TrustTunnel | TrustTunnel is an open-source VPN protocol with a rule bypass issue in versions prior to 0.9.115. In `tls_listener.rs`, `TlsListener::listen()` peeks 1024 bytes and calls `extract_client_random(…)`. If `parse_tls_plaintext` fails (for example, a fragmented/partial ClientHello split across TCP writes), `extract_client_random` returns `None`. In `rules.rs`, `RulesEngine::evaluate` only evaluates `client_random_prefix` when `client_random` is `Some(…)`. As a result, when extraction fails (`client_random == None`), any rule that relies on `client_random_prefix` matching is skipped and evaluation falls through to later rules. As an important semantics note: `client_random_prefix` is a match condition only. It does not mean “block non-matching prefixes” by itself. A rule with `client_random_prefix = …` triggers its `action` only when the prefix matches (and the field is available to evaluate). Non-matches (or `None`) simply do not match that rule and continue to fall through. The vulnerability is fixed in version 0.9.115. | 2026-01-29 | 5.3 | CVE-2026-24904 | https://github.com/TrustTunnel/TrustTunnel/security/advisories/GHSA-fqh7-r5gf-3r87 https://github.com/TrustTunnel/TrustTunnel/commit/aa5060145506952b9431b0ed3edb52bb6c08d9a6 |
| Tryton–Tryton | Tryton 5.4 contains a persistent cross-site scripting vulnerability in the user profile name input that allows remote attackers to inject malicious scripts. Attackers can exploit the vulnerability by inserting script payloads in the name field, which execute in the frontend and backend user interfaces. | 2026-01-30 | 6.4 | CVE-2020-37014 | ExploitDB-48466 Official Tryton Homepage Tryton Download Page Vulnerability Lab Advisory VulnCheck Advisory: Tryton 5.4 – Persistent Cross-Site Scripting |
| vercel–next | A denial of service vulnerability exists in self-hosted Next.js applications that have `remotePatterns` configured for the Image Optimizer. The image optimization endpoint (`/_next/image`) loads external images entirely into memory without enforcing a maximum size limit, allowing an attacker to cause out-of-memory conditions by requesting optimization of arbitrarily large images. This vulnerability requires that `remotePatterns` is configured to allow image optimization from external domains and that the attacker can serve or control a large image on an allowed domain. Strongly consider upgrading to 15.5.10 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59471 | https://github.com/vercel/next.js/security/advisories/GHSA-9g9p-9gw9-jx7f |
| vercel–next | A denial of service vulnerability exists in Next.js versions with Partial Prerendering (PPR) enabled when running in minimal mode. The PPR resume endpoint accepts unauthenticated POST requests with the `Next-Resume: 1` header and processes attacker-controlled postponed state data. Two closely related vulnerabilities allow an attacker to crash the server process through memory exhaustion: 1. **Unbounded request body buffering**: The server buffers the entire POST request body into memory using `Buffer.concat()` without enforcing any size limit, allowing arbitrarily large payloads to exhaust available memory. 2. **Unbounded decompression (zipbomb)**: The resume data cache is decompressed using `inflateSync()` without limiting the decompressed output size. A small compressed payload can expand to hundreds of megabytes or gigabytes, causing memory exhaustion. Both attack vectors result in a fatal V8 out-of-memory error (`FATAL ERROR: Reached heap limit Allocation failed – JavaScript heap out of memory`) causing the Node.js process to terminate. The zipbomb variant is particularly dangerous as it can bypass reverse proxy request size limits while still causing large memory allocation on the server. To be affected you must have an application running with `experimental.ppr: true` or `cacheComponents: true` configured along with the NEXT_PRIVATE_MINIMAL_MODE=1 environment variable. Strongly consider upgrading to 15.6.0-canary.61 or 16.1.5 to reduce risk and prevent availability issues in Next applications. | 2026-01-26 | 5.9 | CVE-2025-59472 | https://github.com/vercel/next.js/security/advisories/GHSA-5f7q-jpqc-wp7h |
| vinod-dalvi–Ivory Search WordPress Search Plugin | The Ivory Search – WordPress Search Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 5.5.13 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1053 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cdc5ef6a-32d8-4c4b-b459-d9b543b56898?source=cve https://plugins.svn.wordpress.org/add-search-to-menu/tags/5.5.13/public/class-is-public.php https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L204 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/class-is-public.php#L249 https://plugins.trac.wordpress.org/browser/add-search-to-menu/tags/5.5.13/public/partials/is-ajax-results.php#L148 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444659%40add-search-to-menu&new=3444659%40add-search-to-menu&sfp_email=&sfph_mail= |
| vlt–vlt | vlt before 1.0.0-rc.10 mishandles path sanitization for tar, leading to path traversal during extraction. | 2026-01-27 | 5.9 | CVE-2026-24909 | https://www.scworld.com/news/six-javascript-zero-day-bugs-lead-to-fears-of-supply-chain-attack https://github.com/vltpkg/vltpkg/releases/tag/v1.0.0-rc.10 https://github.com/vltpkg/vltpkg/pull/1334 https://www.koi.ai/blog/packagegate-6-zero-days-in-js-package-managers-but-npm-wont-act |
| webaways–NEX-Forms Ultimate Forms Plugin for WordPress | The NEX-Forms – Ultimate Forms Plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the NF5_Export_Forms class constructor in all versions up to, and including, 9.1.8. This makes it possible for unauthenticated attackers to export form configurations, that may include sensitive data, such as email addresses, PayPal API credentials, and third-party integration keys by enumerating the nex_forms_Id parameter. | 2026-01-31 | 5.3 | CVE-2025-15510 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ddfa5a3d-fef2-4049-915c-51c3e28153bf?source=cve https://plugins.trac.wordpress.org/browser/nex-forms-express-wp-form-builder/tags/9.1.7/includes/classes/class.export.php#L11 |
| webguyio–Stop Spammers Classic | The Stop Spammers Classic plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2026.1. This is due to missing nonce validation in the ss_addtoallowlist class. This makes it possible for unauthenticated attackers to add arbitrary email addresses to the spam allowlist via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. The vulnerability was partially patched in version 2026.1. | 2026-01-28 | 4.3 | CVE-2025-14795 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5d6f38d7-a769-422d-ae3f-565cb1cc8a73?source=cve https://plugins.trac.wordpress.org/browser/stop-spammer-registrations-plugin/tags/2025.4/classes/ss_addtoallowlist.php#L21 https://plugins.trac.wordpress.org/changeset/3436357/ https://plugins.trac.wordpress.org/changeset/3440788/ |
| WebMO, LLC–WebMO Job Manager | WebMO Job Manager 20.0 contains a cross-site scripting vulnerability in search parameters that allows remote attackers to inject malicious script code. Attackers can exploit the filterSearch and filterSearchType parameters to perform non-persistent attacks including session hijacking and external redirects. | 2026-02-01 | 5.4 | CVE-2021-47920 | Vulnerability Lab Advisory Product Homepage VulnCheck Advisory: WebMO Job Manager 20.0 Cross-Site Scripting via Search Parameters |
| WellChoose–Single Sign-On Portal System | Single Sign-On Portal System developed by WellChoose has a Reflected Cross-site Scripting vulnerability, allowing authenticated remote attackers to execute arbitrary JavaScript code in the user’s browser through phishing attacks. | 2026-01-26 | 5.4 | CVE-2026-1429 | https://www.twcert.org.tw/tw/cp-132-10654-23f40-1.html https://www.twcert.org.tw/en/cp-139-10655-59160-2.html |
| withstudiocms–studiocms | StudioCMS is a server-side-rendered, Astro native, headless content management system. Versions prior to 0.2.0 contain a Broken Object Level Authorization (BOLA) vulnerability in the Content Management feature that allows users with the “Visitor” role to access draft content created by Editor/Admin/Owner users. Version 0.2.0 patches the issue. | 2026-01-27 | 6.5 | CVE-2026-24134 | https://github.com/withstudiocms/studiocms/security/advisories/GHSA-8cw6-53m5-4932 https://github.com/withstudiocms/studiocms/commit/efc10bee20db090fdd75463622c30dda390c50ad https://github.com/withstudiocms/studiocms/releases/tag/studiocms%400.2.0 |
| wpbits–WPBITS Addons For Elementor Page Builder | The WPBITS Addons For Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via multiple widget parameters in versions up to, and including, 1.8 due to insufficient input sanitization and output escaping when dynamic content is enabled. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-9082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/99b47856-502e-4e9d-b0ea-62c57509b46a?source=cve https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/image_compare.php#L607 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/tooltip.php#L860 https://plugins.trac.wordpress.org/browser/wpbits-addons-for-elementor/trunk/includes/widgets/text_rotator.php#L369 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3442812%40wpbits-addons-for-elementor&new=3442812%40wpbits-addons-for-elementor&sfp_email=&sfph_mail= |
| wpblockart–BlockArt Blocks Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library | The BlockArt Blocks – Gutenberg Blocks, Page Builder Blocks ,WordPress Block Plugin, Sections & Template Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the BlockArt Counter in all versions up to, and including, 2.2.14 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-01-28 | 6.4 | CVE-2025-14283 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d9526a8b-fefe-4ca6-871f-1ead3f498679?source=cve https://plugins.trac.wordpress.org/browser/blockart-blocks/trunk/dist/counter.js |
| wpchill–Passster Password Protect Pages and Content | The Passster – Password Protect Pages and Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘content_protector’ shortcode in all versions up to, and including, 4.2.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. The vulnerability was partially patched in version 4.2.21. | 2026-01-28 | 6.4 | CVE-2025-14865 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4ea939f5-8b56-44be-bd20-b69e9ded5970?source=cve https://plugins.trac.wordpress.org/browser/content-protector/tags/4.2.20/inc/class-ps-public.php#L136 https://plugins.trac.wordpress.org/changeset/3422595/ https://plugins.trac.wordpress.org/changeset/3439532/ |
| wpcodefactory–Order Minimum/Maximum Amount Limits for WooCommerce | The Order Minimum/Maximum Amount Limits for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via settings in all versions up to, and including, 4.6.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Shop Manager-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-01-28 | 4.4 | CVE-2026-1381 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3f54f117-0dde-49f9-8014-7650bc1a00ac?source=cve https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/settings/class-alg-wc-oma-settings-general.php https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/trunk/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/browser/order-minimum-amount-for-woocommerce/tags/4.6.8/includes/class-alg-wc-oma-core.php#L86 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3447432%40order-minimum-amount-for-woocommerce&new=3447432%40order-minimum-amount-for-woocommerce&sfp_email=&sfph_mail= |
| wpdevelop–Booking Calendar | The Booking Calendar plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the wpbc_ajax_WPBC_FLEXTIMELINE_NAV() function in all versions up to, and including, 10.14.13. This makes it possible for unauthenticated attackers to retrieve booking information including customer names, phones and emails. | 2026-01-31 | 5.3 | CVE-2026-1431 | https://www.wordfence.com/threat-intel/vulnerabilities/id/0bd92f91-d9b1-4f6f-ac1a-477950ea2e80?source=cve https://plugins.trac.wordpress.org/browser/booking/tags/10.14.13/core/lib/wpbc-ajax.php#L25 |
| Xeroneit–Xeroneit Library Management System | Xeroneit Library Management System 3.1 contains a stored cross-site scripting vulnerability in the Book Category feature that allows administrators to inject malicious scripts. Attackers can insert a payload in the Category Name field to execute arbitrary JavaScript code when the page is loaded. | 2026-01-26 | 6.4 | CVE-2020-36954 | ExploitDB-49292 Vendor Homepage Software Product Page VulnCheck Advisory: Xeroneit Library Management System 3.1 – “Add Book Category ” Stored XSS |
| zephyrproject-rtos–Zephyr | A flaw in Zephyr’s network stack allows an IPv4 packet containing ICMP type 128 to be misclassified as an ICMPv6 Echo Request. This results in an out-of-bounds memory read and creates a potential information-leak vulnerability in the networking subsystem. | 2026-01-30 | 6.5 | CVE-2025-12899 | https://github.com/zephyrproject-rtos/zephyr/security/advisories/GHSA-c2vg-hj83-c2vg |
| Zhong Bang–CRMEB | A security flaw has been discovered in Zhong Bang CRMEB up to 5.6.3. This vulnerability affects unknown code of the file crmeb/app/api/controller/v1/CrontabController.php of the component crontab Endpoint. The manipulation results in missing authorization. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 5.3 | CVE-2026-1734 | VDB-343633 \| Zhong Bang CRMEB crontab Endpoint CrontabController.php authorization VDB-343633 \| CTI Indicators (IOB, IOC, IOA) Submit #736619 \| Zhongbang CRMEB v5.6.3 Missing Authorization https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md https://github.com/foeCat/CVE/blob/main/CRMEB/crontab_unauthorized_access.md#proof-of-concept |
| Zhong Bang–CRMEB | A vulnerability was identified in Zhong Bang CRMEB up to 5.6.3. This affects the function detail/tidyOrder of the file /api/store_integral/order/detail/:uni. The manipulation of the argument order_id leads to improper authorization. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-01 | 4.3 | CVE-2026-1733 | VDB-343632 \| Zhong Bang CRMEB :uni tidyOrder improper authorization VDB-343632 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736558 \| Zhongbang CRMEB v5.6.3 Improper Access Controls https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md https://github.com/foeCat/CVE/blob/main/CRMEB/integral_order_detail_idor.md#%E6%BC%8F%E6%B4%9E%E5%A4%8D%E7%8E%B0 |
| Zohocorp–ManageEngine OpManager | Zohocorp ManageEngine OpManager, NetFlow Analyzer, and OpUtils versions prior to 128582 are affected by a stored cross-site scripting vulnerability in the Subnet Details. | 2026-01-30 | 4.6 | CVE-2025-9226 | https://www.manageengine.com/itom/advisory/cve-2025-9226.html |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Bdtask–Bhojon All-In-One Restaurant Management System | A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. Performing a manipulation of the argument fullname results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-29 | 3.5 | CVE-2026-1598 | VDB-343360 \| Bdtask Bhojon All-In-One Restaurant Management System User Information profile cross site scripting VDB-343360 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740738 \| Bdtask Bhojon All-In-One Restaurant Management System Latest Stored Cross-Site Scripting https://github.com/4m3rr0r/PoCVulDb/issues/12 |
| Brother Industries, Ltd.–Multiple MFPs | Multiple MFPs provided by Brother Industries, Ltd. do not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. | 2026-01-29 | 3.7 | CVE-2025-53869 | https://faq.brother.co.jp/app/answers/detail/a_id/13716 https://www.konicaminolta.com/global-en/security/advisory/pdf/km-2026-0001.pdf https://www.ricoh.com/products/security/vulnerabilities/vul?id=ricoh-2026-000001 https://jvn.jp/en/vu/JVNVU92878805/ |
| code-projects–Online Examination System | A vulnerability has been found in code-projects Online Examination System 1.0. Affected is an unknown function of the component Add Pages. Such manipulation leads to cross site scripting. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. | 2026-01-26 | 3.5 | CVE-2026-1421 | VDB-342837 \| code-projects Online Examination System Add Pages cross site scripting VDB-342837 \| CTI Indicators (IOB, IOC, TTP) Submit #736605 \| code-projects Online Examination System 1 Cross Site Scripting https://github.com/geo-chen/code-projects/blob/main/Online%20Examination%20System%20In%20PHP%20With%20Source%20Code.md#finding-1-stored-xss-in-all-add-pages https://code-projects.org/ |
| D-Link–DCS-700L | A vulnerability was identified in D-Link DCS-700L 1.03.09. The affected element is the function uploadmusic of the file /setUploadMusic of the component Music File Upload Service. The manipulation of the argument UploadMusic leads to path traversal. The attack can only be initiated within the local network. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-01-28 | 2.4 | CVE-2026-1532 | VDB-343218 \| D-Link DCS-700L Music File Upload Service setUploadMusic uploadmusic path traversal VDB-343218 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #738693 \| D-Link DCS700l v1.03.09 Absolute Path Traversal https://tzh00203.notion.site/D-Link-DCS700l-v1-03-09-Path-Traversal-Vulnerability-in-Music-File-Upload-2e8b5c52018a80369553f07ab91aabe2?source=copy_link https://www.dlink.com/ |
| D-Link–DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_40AC74 of the component Login. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed remotely. This attack is characterized by high complexity. It is stated that the exploitability is difficult. The exploit is publicly available and might be used. | 2026-01-30 | 3.7 | CVE-2026-1685 | VDB-343479 \| D-Link DIR-823X Login sub_40AC74 excessive authentication VDB-343479 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740886 \| D-Link dir-823X 250416 A logical flaw in the authentication mechanism exists https://github.com/master-abc/cve/issues/17 https://www.dlink.com/ |
| D-Link–DSL-6641K | A vulnerability was detected in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function ad_virtual_server_vdsl of the component Web Interface. Performing a manipulation of the argument Name results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-01-30 | 2.4 | CVE-2026-1705 | VDB-343510 \| D-Link DSL-6641K Web ad_virtual_server_vdsl cross site scripting VDB-343510 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #742421 \| D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-ad_virtual_server_vdsl-Configuration-2eeb5c52018a805d97adfb23dfec39c9?source=copy_link https://www.dlink.com/ |
| GnuPG–GnuPG | In GnuPG before 2.5.17, a long signature packet length causes parse_signature to return success with sig->data[] set to a NULL value, leading to a denial of service (application crash). | 2026-01-27 | 3.7 | CVE-2026-24883 | https://www.openwall.com/lists/oss-security/2026/01/27/8 https://dev.gnupg.org/T8049 |
| GPAC–GPAC | A vulnerability was identified in GPAC up to 2.4.0. Affected is the function gf_media_export_webvtt_metadata of the file src/media_tools/media_export.c. The manipulation of the argument Name leads to null pointer dereference. The attack must be carried out locally. The exploit is publicly available and might be used. The identifier of the patch is af951b892dfbaaa38336ba2eba6d6a42c25810fd. To fix this issue, it is recommended to deploy a patch. | 2026-01-26 | 3.3 | CVE-2026-1415 | VDB-342804 \| GPAC media_export.c gf_media_export_webvtt_metadata null pointer dereference VDB-342804 \| CTI Indicators (IOB, IOC, IOA) Submit #736541 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3428 https://github.com/gpac/gpac/issues/3428#issue-3802223345 https://github.com/enocknt/gpac/commit/af951b892dfbaaa38336ba2eba6d6a42c25810fd |
| GPAC–GPAC | A security flaw has been discovered in GPAC up to 2.4.0. Affected by this vulnerability is the function DumpMovieInfo of the file applications/mp4box/filedump.c. The manipulation results in null pointer dereference. The attack must be initiated from a local position. The exploit has been released to the public and may be used for attacks. The patch is identified as d45c264c20addf0c1cc05124ede33f8ffa800e68. It is advisable to implement a patch to correct this issue. | 2026-01-26 | 3.3 | CVE-2026-1416 | VDB-342805 \| GPAC filedump.c DumpMovieInfo null pointer dereference VDB-342805 \| CTI Indicators (IOB, IOC, IOA) Submit #736542 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3427 https://github.com/gpac/gpac/issues/3427#issue-3802197432 https://github.com/enocknt/gpac/commit/d45c264c20addf0c1cc05124ede33f8ffa800e68 |
| GPAC–GPAC | A weakness has been identified in GPAC up to 2.4.0. Affected by this issue is the function dump_isom_rtp of the file applications/mp4box/filedump.c. This manipulation causes null pointer dereference. The attack needs to be launched locally. The exploit has been made available to the public and could be used for attacks. Patch name: f96bd57c3ccdcde4335a0be28cd3e8fe296993de. Applying a patch is the recommended action to fix this issue. | 2026-01-26 | 3.3 | CVE-2026-1417 | VDB-342806 \| GPAC filedump.c dump_isom_rtp null pointer dereference VDB-342806 \| CTI Indicators (IOB, IOC, IOA) Submit #736543 \| gpac v2.4.0 NULL Pointer Dereference https://github.com/gpac/gpac/issues/3426 https://github.com/gpac/gpac/issues/3426#issue-3802172856 https://github.com/enocknt/gpac/commit/f96bd57c3ccdcde4335a0be28cd3e8fe296993de |
| iJason-Liu–Books_Manager | A vulnerability has been found in iJason-Liu Books_Manager up to 298ba736387ca37810466349af13a0fdf828e99c. This affects an unknown part of the file controllers/books_center/add_book_check.php. Such manipulation of the argument mark leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This product does not use versioning. This is why information about affected and unaffected releases is unavailable. | 2026-01-26 | 2.4 | CVE-2026-1444 | VDB-342873 \| iJason-Liu Books_Manager add_book_check.php cross site scripting VDB-342873 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #736968 \| https://github.com/iJason-Liu/Books_Manager Books_Manager 1.0 Stored XSS https://blog.y1fan.work/2026/01/13/%E5%AD%98%E5%82%A8%E5%9E%8Bxss/ |
| ixray-team–ixray-1.6-stcop | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in ixray-team ixray-1.6-stcop. This issue affects ixray-1.6-stcop: before 1.3. | 2026-01-27 | 3.7 | CVE-2026-24870 | https://github.com/ixray-team/ixray-1.6-stcop/pull/258 |
| jishenghua–jshERP | A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. The manipulation of the argument path results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-01-29 | 2.7 | CVE-2026-1588 | VDB-343351 \| jishenghua jshERP installByPath install path traversal VDB-343351 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #740649 \| https://github.com/jishenghua/jshERP jshERP v3.6 Path Traversal https://github.com/jishenghua/jshERP/issues/147 https://github.com/jishenghua/jshERP/ |
| llamastack–Llama Stack | Llama Stack (aka llama-stack) before 0.4.0rc3 does not censor the pgvector password in the initialization log. | 2026-01-30 | 3.2 | CVE-2026-25211 | https://github.com/llamastack/llama-stack/pull/4439 https://github.com/llamastack/llama-stack/compare/v0.4.0rc2...v0.4.0rc3 |
| MoonshotAI–kimi-agent-sdk | Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. Prior to version 0.1.6, filenames containing shell metacharacters like $(cmd) could execute arbitrary commands. Note: This vulnerability exists only in the repository’s development scripts. The published VSCode extension does not include these files and end users are not affected. This is fixed in version 0.1.6 by replacing execSync with execFileSync using array arguments. As a workaround, ensure .vsix files in the project directory have safe filenames before running publish scripts. | 2026-01-29 | 2.9 | CVE-2026-25046 | https://github.com/MoonshotAI/kimi-agent-sdk/security/advisories/GHSA-mv58-gxx5-8hj3 |
| OISF–suricata | Suricata is a network IDS, IPS and NSM engine. Prior to versions 8.0.3 and 7.0.14, various inefficiencies in xff handling, especially for alerts not triggered in a tx, can lead to severe slowdowns. Versions 8.0.3 and 7.0.14 contain a patch. As a workaround, disable XFF support in the eve configuration. The setting is disabled by default. | 2026-01-27 | 3.7 | CVE-2026-22261 | https://github.com/OISF/suricata/security/advisories/GHSA-5jvg-5j3p-34cf https://github.com/OISF/suricata/commit/3f0725b34c7871c2de4346c8af872f10f4501e44 https://github.com/OISF/suricata/commit/af246ae7ab1b70c09f83c0619b253095ccc18667 https://redmine.openinfosecfoundation.org/issues/8156 |
| projectworlds–House Rental and Property Listing | A weakness has been identified in projectworlds House Rental and Property Listing 1.0. This vulnerability affects unknown code of the file /app/sms.php. This manipulation of the argument Message causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-01-30 | 3.5 | CVE-2026-1700 | VDB-343490 \| projectworlds House Rental and Property Listing sms.php cross site scripting VDB-343490 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #741977 \| projectworlds.com House rental And Property Listing Project V1.0 cross site scripting https://github.com/jiahao412/CVE/issues/3 |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in Keycloak’s SAML brokering functionality. When Keycloak is configured as a client in a Security Assertion Markup Language (SAML) setup, it fails to validate the `NotOnOrAfter` timestamp within the `SubjectConfirmationData`. This allows an attacker to delay the expiration of SAML responses, potentially extending the time a response is considered valid and leading to unexpected session durations or resource consumption. | 2026-01-26 | 3.1 | CVE-2026-1190 | https://access.redhat.com/security/cve/CVE-2026-1190 RHBZ#2430835 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in Glib’s content type parsing logic. This buffer underflow vulnerability occurs because the length of a header line is stored in a signed integer, which can lead to integer wraparound for very large inputs. This results in pointer underflow and out-of-bounds memory access. Exploitation requires a local user to install or process a specially crafted treemagic file, which can lead to local denial of service or application instability. | 2026-01-27 | 2.8 | CVE-2026-1485 | https://access.redhat.com/security/cve/CVE-2026-1485 RHBZ#2433325 |
| rethinkdb–rethinkdb | A vulnerability was identified in rethinkdb up to 2.4.3. Affected by this issue is some unknown functionality of the component Secondary Index Handler. Such manipulation leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-01-28 | 2.4 | CVE-2026-1520 | VDB-343191 \| rethinkdb Secondary Index cross site scripting VDB-343191 \| CTI Indicators (IOB, IOC, TTP) Submit #738312 \| rethinkdb V2.4.3(latest) cross-site scripting(XSS) https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md https://github.com/59lab/dbdb/blob/main/There%20is%20a%20cross-site%20scripting(XSS)%20vulnerability%20in%20the%20rethinkdb%20database.md#poc |
| Tanium–Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-01-26 | 2.7 | CVE-2026-0925 | TAN-2026-002 |
| Tanium–Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-01-29 | 3.1 | CVE-2025-15288 | TAN-2025-034 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| aangine–aangine | An issue in continuous.software aangine v.2025.2 allows a remote attacker to obtain sensitive information via the excel-integration-service template download module, integration-persistence-service job listing module, portfolio-item-service data retrieval module endpoints | 2026-01-26 | not yet calculated | CVE-2025-67274 | https://aangine.com https://continuous.software/products https://gist.github.com/c4m0uflag3/26fec868b764c4e7314ad246bab01c88 |
| abcz316–SKRoot-linuxKernelRoot | NULL Pointer Dereference vulnerability in abcz316 SKRoot-linuxKernelRoot (testRoot/jni/utils modules). This vulnerability is associated with program files cJSON.Cpp. This issue affects SKRoot-linuxKernelRoot. | 2026-01-27 | not yet calculated | CVE-2026-24813 | https://github.com/abcz316/SKRoot-linuxKernelRoot/pull/116 |
| Acronis–Acronis Cloud Manager | Local privilege escalation due to insecure folder permissions. The following products are affected: Acronis Cloud Manager (Windows) before build 6.4.25342.354. | 2026-01-27 | not yet calculated | CVE-2026-0705 | SEC-7316 |
| AhaChat–AhaChat Messenger Marketing | The AhaChat Messenger Marketing WordPress plugin through 1.1 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin | 2026-01-26 | not yet calculated | CVE-2025-14316 | https://wpscan.com/vulnerability/7d69ebec-f940-4491-a51e-70a9e1bf8a4c/ |
| akuity–kargo | Kargo manages and automates the promotion of software artifacts. Prior to versions 1.8.7, 1.7.7, and 1.6.3, a bug was found with authentication checks on the `GetConfig()` API endpoint. This allowed unauthenticated users to access this endpoint by specifying an `Authorization` header with any non-empty `Bearer` token value, regardless of validity. This vulnerability did allow for exfiltration of configuration data such as endpoints for connected Argo CD clusters. This data could allow an attacker to enumerate cluster URLs and namespaces for use in subsequent attacks. Additionally, the same bug affected the `RefreshResource` endpoint. This endpoint does not lead to any information disclosure, but could be used by an unauthenticated attacker to perform a denial-of-service style attack against the Kargo API. `RefreshResource` sets an annotation on specific Kubernetes resources to trigger reconciliations. If run on a constant loop, this could also slow down legitimate requests to the Kubernetes API server. This problem has been patched in Kargo versions 1.8.7, 1.7.7, and 1.6.3. There are no workarounds for this issue. | 2026-01-27 | not yet calculated | CVE-2026-24748 | https://github.com/akuity/kargo/security/advisories/GHSA-w5wv-wvrp-v5m5 https://github.com/akuity/kargo/commit/23646eaefb449a6cc2e76a8033e8a57f71369772 https://github.com/akuity/kargo/commit/aa28f81ac15ad871c6eba329fc2f0417a08c39d7 https://github.com/akuity/kargo/commit/b3297ace0d3b9e7f7128858c5c4288d77f072b8c |
| ALSA Project–alsa-lib | alsa-lib versions 1.2.2 up to and including 1.2.15.2, prior to commit 5f7fe33, contain a heap-based buffer overflow in the topology mixer control decoder. The tplg_decode_control_mixer1() function reads the num_channels field from untrusted .tplg data and uses it as a loop bound without validating it against the fixed-size channel array (SND_TPLG_MAX_CHAN). A crafted topology file with an excessive num_channels value can cause out-of-bounds heap writes, leading to a crash. | 2026-01-29 | not yet calculated | CVE-2026-25068 | https://github.com/alsa-project/alsa-lib/commit/5f7fe33002d2d98d84f72e381ec2cccc0d5d3d40 https://www.vulncheck.com/advisories/alsa-lib-topology-decoder-heap-based-buffer-overflow |
| Altitude–Altitude Communication Server | Illegal HTTP request traffic vulnerability (CL.0) in Altitude Communication Server, caused by inconsistent analysis of multiple HTTP requests over a single Keep-Alive connection using Content-Length headers. This can cause a desynchronization of requests between frontend and backend servers, which could allow request hiding, cache poisoning or security bypass. | 2026-01-26 | not yet calculated | CVE-2025-41082 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| Altitude–Altitude Communication Server | Vulnerability in Altitude Authentication Service and Altitude Communication Server v8.5.3290.0 by Altitude, where manipulation of Host header in HTTP requests allows redirection to an arbitrary URL or modification of the base URL to trick the victim into sending login credentials to a malicious website. This behavior can be used to redirect clients to endpoints controlled by the attacker. | 2026-01-26 | not yet calculated | CVE-2025-41083 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-altitude-communication-server |
| AltumCode–AltumCode | A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. An attacker can include traversal sequences (e.g., ../) in ZIP entries to write files outside the intended extraction directory. This allows static files (html, js, css, images) to be written to unintended locations, or existing HTML files to be overwritten, potentially leading to content defacement and, in certain deployments, further impact if sensitive files are overwritten. | 2026-01-28 | not yet calculated | CVE-2025-69601 | https://gist.github.com/Waqar-Arain/9cd59aa74de540eeb3b09d15bac35e36 |
| AltumCode–AltumCode | A session fixation vulnerability exists in 66biolinks v62.0.0 by AltumCode, where the application does not regenerate the session identifier after successful authentication. As a result, the same session cookie value is reused for users logging in from the same browser, allowing an attacker who can set or predict a session ID to potentially hijack an authenticated session. | 2026-01-28 | not yet calculated | CVE-2025-69602 | https://gist.github.com/Waqar-Arain/c8117308325a91b8f3b7829646915275 |
| Amidaware–Amidaware | A Server-Side Template Injection (SSTI) vulnerability in the /reporting/templates/preview/ endpoint of Amidaware Tactical RMM, affecting versions equal to or earlier than v1.3.1, allows low-privileged users with Report Viewer or Report Manager permissions to achieve remote command execution on the server. This occurs due to improper sanitization of the template_md parameter, enabling direct injection of Jinja2 templates. The cause is misuse of the generate_html() function: the user-controlled value is inserted into `env.from_string`, a function that processes Jinja2 templates arbitrarily, making an SSTI possible. | 2026-01-29 | not yet calculated | CVE-2025-69516 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/7c424367cc316fd7527f668ff076fece |
| Amidaware–Amidaware | An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator attempts to remove or shut down the affected agent, potentially leading to client-side attacks such as UI manipulation or phishing. NOTE: the Supplier’s position is that this has incorrect information. | 2026-01-28 | not yet calculated | CVE-2025-69517 | https://github.com/amidaware/tacticalrmm https://www.amidaware.com/ https://gist.github.com/NtGabrielGomes/fdabcd9e85d841c5490739686e0f8b72 |
| amir20–dozzle | Dozzle is a realtime log viewer for docker containers. Prior to version 9.0.3, a flaw in Dozzle’s agent-backed shell endpoints allows a user restricted by label filters (for example, `label=env=dev`) to obtain an interactive root shell in out of scope containers (for example, `env=prod`) on the same agent host by directly targeting their container IDs. Version 9.0.3 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24740 | https://github.com/amir20/dozzle/security/advisories/GHSA-m855-r557-5rc5 https://github.com/amir20/dozzle/commit/620e59aa246347ba8a27e68c532853b8a5137bc1 https://github.com/amir20/dozzle/releases/tag/v9.0.3 |
| anyrtcIO-Community–anyRTC-RTMP-OpenSource | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in anyrtcIO-Community anyRTC-RTMP-OpenSource (third_party/faad2-2.7/libfaad modules). This vulnerability is associated with program files bits.C, syntax.C. This issue affects anyRTC-RTMP-OpenSource: before 1.0. | 2026-01-27 | not yet calculated | CVE-2026-1465 | https://github.com/anyrtcIO-Community/anyRTC-RTMP-OpenSource/pull/166 |
| Apache Software Foundation–Apache Karaf | Deserialization of Untrusted Data vulnerability in Apache Karaf Decanter. The Decanter log socket collector exposes the port 4560, without authentication. If the collector exposes allowed classes property, this configuration can be bypassed. It means that the log socket collector is vulnerable to deserialization of untrusted data, eventually causing DoS. NB: Decanter log socket collector is not installed by default. Users who have not installed Decanter log socket are not impacted by this issue. This issue affects Apache Karaf Decanter before 2.12.0. Users are recommended to upgrade to version 2.12.0, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24656 | https://lists.apache.org/thread/dc5wmdn6hyc992olntkl75kk04ndzx34 |
| Apache Software Foundation–HDFS native client | Out-of-bounds Write vulnerability in Apache Hadoop HDFS native client. This issue affects Apache Hadoop: from 3.2.0 before 3.4.2. Users are recommended to upgrade to version 3.4.2, which fixes the issue. | 2026-01-26 | not yet calculated | CVE-2025-27821 | https://lists.apache.org/thread/kwjhyyx0wl2z9b0mw0styjk0hhdbyplh |
| Apple–iOS and iPadOS | The issue was addressed with improved bounds checks. This issue is fixed in macOS Tahoe 26, Keynote 15.1, iOS 26 and iPadOS 26. Processing a maliciously crafted Keynote file may disclose memory contents. | 2026-01-28 | not yet calculated | CVE-2025-46306 | https://support.apple.com/en-us/125108 https://support.apple.com/en-us/126254 https://support.apple.com/en-us/125110 |
| Apple–macOS | An out-of-bounds read was addressed with improved input validation. This issue is fixed in iOS 26.1 and iPadOS 26.1, Pages 15.1, macOS Tahoe 26.1. Processing a maliciously crafted Pages document may result in unexpected termination or disclosure of process memory. | 2026-01-28 | not yet calculated | CVE-2025-46316 | https://support.apple.com/en-us/125634 https://support.apple.com/en-us/126255 https://support.apple.com/en-us/125632 |
| askbot–askbot | All versions of askbot before and including 0.12.2 allow an attacker authenticated with normal user permissions to modify the profile picture of other application users. This issue affects askbot: 0.12.2. | 2026-01-27 | not yet calculated | CVE-2026-1213 | https://fluidattacks.com/advisories/ghost https://askbot.com/ https://github.com/ASKBOT/askbot-devel/commit/3da3d75f35204aa71633c7a315327ba39cb6295d |
| assertj–assertj | AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `DocumentBuilderFactory` with default settings, without disabling DTDs or external entities. This formatter is used by the `isXmlEqualTo(CharSequence)` assertion for `CharSequence` values. An application is vulnerable only when it uses untrusted XML input with either `isXmlEqualTo(CharSequence)` from `org.assertj.core.api.AbstractCharSequenceAssert` or `xmlPrettyFormat(String)` from `org.assertj.core.util.xml.XmlStringPrettyFormatter`. If untrusted XML input is processed by one of these methods, an attacker could read arbitrary local files via `file://` URIs (e.g., `/etc/passwd`, application configuration files); perform Server-Side Request Forgery (SSRF) via HTTP/HTTPS URIs, and/or cause Denial of Service via “Billion Laughs” entity expansion attacks. `isXmlEqualTo(CharSequence)` has been deprecated in favor of XMLUnit in version 3.18.0 and will be removed in version 4.0. Users of affected versions should, in order of preference: replace `isXmlEqualTo(CharSequence)` with XMLUnit, upgrade to version 3.27.7, or avoid using `isXmlEqualTo(CharSequence)` or `XmlStringPrettyFormatter` with untrusted input. `XmlStringPrettyFormatter` has historically been considered a utility for `isXmlEqualTo(CharSequence)` rather than a feature for AssertJ users, so it is deprecated in version 3.27.7 and removed in version 4.0, with no replacement. | 2026-01-26 | not yet calculated | CVE-2026-24400 | https://github.com/assertj/assertj/security/advisories/GHSA-rqfh-9r24-8c9r https://github.com/assertj/assertj/commit/85ca7eb6609bb179c043b85ae7d290523b1ba79a https://cheatsheetseries.owasp.org/cheatsheets/XML_External_Entity_Prevention_Cheat_Sheet.html https://github.com/assertj/assertj/releases/tag/assertj-build-3.27.7 |
| Atlassian–Crowd Data Center | This High severity XXE (XML External Entity Injection) vulnerability was introduced in version 7.1.0 of Crowd Data Center and Server. This XXE (XML External Entity Injection) vulnerability, with a CVSS Score of 7.9, allows an authenticated attacker to access local and remote content which has high impact to confidentiality, low impact to integrity, high impact to availability, and requires no user interaction. Atlassian recommends that Crowd Data Center and Server customers upgrade to the latest version. If you are unable to do so, upgrade your instance to one of the specified supported fixed versions: Crowd Data Center and Server 7.1: upgrade to a release greater than or equal to 7.1.3. See the release notes (https://confluence.atlassian.com/crowd/crowd-release-notes-199094.html). You can download the latest version of Crowd Data Center and Server from the download center (https://www.atlassian.com/software/crowd/download-archive). This vulnerability was reported via our Atlassian (Internal) program. | 2026-01-28 | not yet calculated | CVE-2026-21569 | https://confluence.atlassian.com/pages/viewpage.action?pageId=1712324819 https://jira.atlassian.com/browse/CWD-6453 |
| azerothcore–azerothcore-wotlk | Out-of-bounds Write, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in azerothcore azerothcore-wotlk (deps/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects azerothcore-wotlk: through v4.0.0. | 2026-01-27 | not yet calculated | CVE-2026-24793 | https://github.com/azerothcore/azerothcore-wotlk/pull/21599 |
| briandilley–jsonrpc4j | Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in briandilley jsonrpc4j (src/main/java/com/googlecode/jsonrpc4j modules). This vulnerability is associated with program files NoCloseOutputStream.Java. This issue affects jsonrpc4j: through 1.6.0. | 2026-01-27 | not yet calculated | CVE-2026-24802 | https://github.com/briandilley/jsonrpc4j/pull/333 |
| Budibase–budibase | Budibase is a low code platform for creating internal tools, workflows, and admin panels. In versions up to and including 3.26.3, a Creator-level user, who normally has no UI permission to invite users, can manipulate API requests to invite new users with any role, including Admin, Creator, or App Viewer, and assign them to any group in the organization. This allows full privilege escalation, bypassing UI restrictions, and can lead to complete takeover of the workspace or organization. As of time of publication, no known fixed versions are available. | 2026-01-29 | not yet calculated | CVE-2026-25040 | https://github.com/Budibase/budibase/security/advisories/GHSA-4wfw-r86x-qxrm https://drive.google.com/file/d/1Dtn1WLJILRYUeoMjEbUfCbqQ3g2AW2Qz/view?usp=sharing https://github.com/user-attachments/files/22066135/budibase-privileged-esc-poc.txt |
| bytecodealliance–wasmtime | Wasmtime is a runtime for WebAssembly. Starting in version 29.0.0 and prior to version 36.0.5, 40.0.3, and 41.0.1, on x86-64 platforms with AVX, Wasmtime’s compilation of the `f64.copysign` WebAssembly instruction with Cranelift may load 8 more bytes than is necessary. When signals-based-traps are disabled this can result in an uncaught segfault due to loading from unmapped guard pages. With guard pages disabled it’s possible for out-of-sandbox data to be loaded, but unless there is another bug in Cranelift this data is not visible to WebAssembly guests. Wasmtime 36.0.5, 40.0.3, and 41.0.1 have been released to fix this issue. Users are recommended to upgrade to the patched versions of Wasmtime. Other affected versions are not patched and users should update to a supported major version instead. This bug can be worked around by enabling signals-based-traps. While disabling guard pages can be a quick fix in some situations, it’s not recommended to disable guard pages as they are a key defense-in-depth measure of Wasmtime. | 2026-01-27 | not yet calculated | CVE-2026-24116 | https://github.com/bytecodealliance/wasmtime/security/advisories/GHSA-vc8c-j3xm-xj73 https://github.com/bytecodealliance/wasmtime/commit/728fa07184f8da2a046f48ef9b61f869dce133a6 https://github.com/bytecodealliance/wasmtime/commit/799585fc362fcb991de147dd1a9f2ba0861ed440 https://github.com/bytecodealliance/wasmtime/commit/ac92d9bb729ad3a6d93f0724c4c33a0c4a9c0227 https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.memory_guard_size https://docs.rs/wasmtime/latest/wasmtime/struct.Config.html#method.signals_based_traps https://docs.wasmtime.dev/stability-release.html https://rustsec.org/advisories/RUSTSEC-2026-0006.html |
| Cacti–Cacti | An HTML injection vulnerability exists in the file upload functionality of Cacti <= 1.2.29. When a file with an invalid format is uploaded, the application reflects the submitted filename back into an error popup without proper sanitization. As a result, attackers can inject arbitrary HTML elements (e.g., `<h1>`, `<b>`, `<svg>`) into the rendered page. | 2026-01-29 | not yet calculated | CVE-2025-45160 | https://github.com/Cacti/cacti https://gist.github.com/BEND0US/49d76897a5bb676d8c3f51425553cc32 |
| cadaver–turso3d | Out-of-bounds Write, Divide By Zero, NULL Pointer Dereference, Use of Uninitialized Resource, Out-of-bounds Read, Reachable Assertion vulnerability in cadaver turso3d. This issue affects . | 2026-01-27 | not yet calculated | CVE-2026-24826 | https://github.com/cadaver/turso3d/pull/11 |
| Canonical–juju | Vulnerable cross-model authorization in juju. If a charm’s cross-model permissions are revoked or expire, a malicious user who is able to update database records can mint an invalid macaroon that is incorrectly validated by the juju controller, enabling a charm to maintain otherwise revoked or expired permissions. This allows a charm to continue relating to another charm in a cross-model relation, and use their workload without their permission. No fix is available as of the time of writing. | 2026-01-28 | not yet calculated | CVE-2026-1237 | https://github.com/juju/juju/security/advisories/GHSA-j477-6vpg-6c8x |
| CardboardPowered–cardboard | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in CardboardPowered cardboard (src/main/java/org/cardboardpowered/impl/world modules). This vulnerability is associated with program files WorldImpl.Java. This issue affects cardboard: before 1.21.4. | 2026-01-27 | not yet calculated | CVE-2026-24794 | https://github.com/CardboardPowered/cardboard/pull/506 |
| ChurchCRM–CRM | ChurchCRM is an open-source church management system. Versions prior to 6.7.2 have a Stored Cross-Site Scripting (XSS) vulnerability in Create Events in Church Calendar. Users with low privileges can create XSS payloads in the Description field. This payload is stored in the database, and when other users view that event (including the admin), the payload is triggered, leading to account takeover. Version 6.7.2 fixes the vulnerability. | 2026-01-30 | not yet calculated | CVE-2026-24855 | https://github.com/ChurchCRM/CRM/security/advisories/GHSA-49qp-cfqx-c767 https://github.com/ChurchCRM/CRM/commit/0cd0d211459b8c19509d36b3c1dfcd7f8c10d914 https://github.com/ChurchCRM/CRM/commit/ec4b16e9a3ca09c8a01a712bcb90579c42f2ba28 |
| CloverHackyColor–CloverBootloader | Out-of-bounds Write vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regcomp.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24795 | https://github.com/CloverHackyColor/CloverBootloader/pull/733 |
| CloverHackyColor–CloverBootloader | Out-of-bounds Read vulnerability in CloverHackyColor CloverBootloader (MdeModulePkg/Universal/RegularExpressionDxe/Oniguruma modules). This vulnerability is associated with program files regparse.C. This issue affects CloverBootloader: before 5162. | 2026-01-27 | not yet calculated | CVE-2026-24796 | https://github.com/CloverHackyColor/CloverBootloader/pull/732 |
| code-projects–code-projects | code-projects Computer Book Store 1.0 is vulnerable to File Upload in admin_add.php. | 2026-01-27 | not yet calculated | CVE-2025-69559 | https://gitee.com/Z_180yc/zyy/issues/IDBY27 https://gist.github.com/lih28984-commits/cd3a275dfd9c92a79b6a4a0e8801f4fa |
| code-projects–code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /insertmessage.php via the userid parameter. | 2026-01-27 | not yet calculated | CVE-2025-69562 | https://gitee.com/Z_180yc/zyy/issues/IDC5FU https://gist.github.com/lih28984-commits/a847a034c3bb626904dcc6ab7576257f |
| code-projects–code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExLogin.php via the Password parameter. | 2026-01-27 | not yet calculated | CVE-2025-69563 | https://gitee.com/Z_180yc/zyy/issues/IDC3IB https://gist.github.com/lih28984-commits/544eaaca3ea58563a807c43b521d76e6 |
| code-projects–code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to SQL Injection in /ExAddNewUser.php via the Name, Address, email, UserName, Password, confirm_password, Role, Branch, and Activate parameters. | 2026-01-27 | not yet calculated | CVE-2025-69564 | https://gitee.com/Z_180yc/zyy/issues/IDCEJP https://gist.github.com/lih28984-commits/87eacfc32186020a04e03a2af448723f |
| code-projects–code-projects | code-projects Mobile Shop Management System 1.0 is vulnerable to File Upload in /ExAddProduct.php. | 2026-01-27 | not yet calculated | CVE-2025-69565 | https://gitee.com/Z_180yc/zyy/issues/IDCFAQ https://gist.github.com/lih28984-commits/81d523afde3b122c652f652bab808e33 |
| coolsnowwolf–lede | Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7615d/src/mt_wifi/embedded/security modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24803 | https://github.com/coolsnowwolf/lede/pull/13346 |
| coolsnowwolf–lede | Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in coolsnowwolf lede (package/lean/mt/drivers/mt7603e/src/mt7603_wifi/common modules). This vulnerability is associated with program files bn_lib.C. This issue affects lede: through r25.10.1. | 2026-01-27 | not yet calculated | CVE-2026-24804 | https://github.com/coolsnowwolf/lede/pull/13368 |
| CPU-Z–CPU-Z | The kernel driver of CPUID CPU-Z v2.17 and earlier does not validate user-supplied values passed via its IOCTL interface, allowing an attacker to access sensitive information via a crafted request. | 2026-01-27 | not yet calculated | CVE-2025-65264 | https://www.cpuid.com/softwares/cpu-z.html https://github.com/cwjchoi01/CVE-2025-65264 |
| datavane–tis | Unrestricted Upload of File with Dangerous Type, Deserialization of Untrusted Data vulnerability in datavane tis (tis-plugin/src/main/java/com/qlangtech/tis/extension/impl modules). This vulnerability is associated with program files XmlFile.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24815 | https://github.com/datavane/tis/pull/443 |
| datavane–tis | Loop with Unreachable Exit Condition (‘Infinite Loop’) vulnerability in datavane tis (tis-console/src/main/java/com/qlangtech/tis/runtime/module/action modules). This vulnerability is associated with program files ChangeDomainAction.Java. This issue affects tis: before v4.3.0. | 2026-01-27 | not yet calculated | CVE-2026-24816 | https://github.com/datavane/tis/pull/444 |
| davisking–dlib | Out-of-bounds Write, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in davisking dlib (dlib/external/zlib modules). This vulnerability is associated with program files inflate.C. This issue affects dlib: before v19.24.9. | 2026-01-27 | not yet calculated | CVE-2026-24799 | https://github.com/davisking/dlib/pull/3063 |
| Delinea Inc.–Secret Server On-Prem | Improper Authentication vulnerability in Delinea Inc. Secret Server On-Prem (RPC Password Rotation modules). This issue affects Secret Server On-Prem: 11.8.1, 11.9.6, 11.9.25. A secret with “change password on check in” enabled automatically checks in even when the password change fails after reaching its retry limit. This leaves the secret in an inconsistent state with the wrong password. Remediation: Upgrade to 11.9.47 or later. The secret will remain checked out when the password change fails. | 2026-01-27 | not yet calculated | CVE-2025-12810 | https://docs.delinea.com/online-help/secret-server/release-notes/ss-rn-11-9-000047.htm https://trust.delinea.com/?tcuUid=48260de9-954d-45c2-9c66-2c9510798a0b |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, an endpoint lets any authenticated user bypass the ai_discover_persona access controls and gain ongoing DM access to personas that may be wired to staff-only categories, RAG document sets, or automated tooling, enabling unauthorized data disclosure. Because the controller also accepts arbitrary user_id, an attacker can impersonate other accounts to trigger unwanted AI conversations on their behalf, generating confusing or abusive PM traffic. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2025-68660 | https://github.com/discourse/discourse/security/advisories/GHSA-mrvm-rprq-jqqh |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, users' archives are viewable by users with moderation privileges even though moderators should not have access to the archives. Private topic/post content made by the users is leaked through the archives, leading to a breach of confidentiality. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. To work around this problem, a site admin can temporarily revoke the moderation role from all moderators until the Discourse instance has been upgraded to a version that has been patched. | 2026-01-28 | not yet calculated | CVE-2025-68666 | https://github.com/discourse/discourse/security/advisories/GHSA-xmvw-jjqq-25mv |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, moderators can access the `top_uploads` admin report which should be restricted to admins only. This report displays direct URLs to all uploaded files on the site, including sensitive content such as user data exports, admin backups, and other private attachments that moderators should not have access to. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. There is no workaround. Limit moderator privileges to trusted users until the patch is applied. | 2026-01-28 | not yet calculated | CVE-2025-69218 | https://github.com/discourse/discourse/security/advisories/GHSA-79f9-j8h4-3w6w |
| discourse–discourse | Discourse is an open source discussion platform. A privilege escalation vulnerability in versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0 allows a non-admin moderator to bypass email-change restrictions, allowing a takeover of non-staff accounts. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. As a workaround, ensure moderators are trusted or enable the “require_change_email_confirmation” setting. | 2026-01-28 | not yet calculated | CVE-2025-69289 | https://github.com/discourse/discourse/security/advisories/GHSA-p39j-x54c-rwqq |
| discourse–discourse | Discourse is an open source discussion platform. In versions prior to 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0, permalinks pointing to access-restricted resources (private topics, categories, posts, or hidden tags) were redirecting users to URLs containing the resource slug, even when the user didn’t have access to view the resource. This leaked potentially sensitive information (e.g., private topic titles) via the redirect Location header and the 404 page’s search box. This issue is patched in versions 3.5.4, 2025.11.2, 2025.12.1, and 2026.1.0. No known workarounds are available. | 2026-01-28 | not yet calculated | CVE-2026-23743 | https://github.com/discourse/discourse/security/advisories/GHSA-v5jw-rxc6-4cvv |
| DokuWiki–DokuWiki | aelsantex runcommand 2014-04-01, a plugin for DokuWiki, allows unauthenticated attackers to execute arbitrary system commands via lib/plugins/runcommand/postaction.php. | 2026-01-30 | not yet calculated | CVE-2025-51958 | https://www.dokuwiki.org/plugin:runcommand https://github.com/aelsantex/runcommand https://gist.github.com/NtustLin/f64528002e4f61874045799127dc49a4 |
| dormakaba–Access Manager 92xx-k5 | The exos 9300 application can be used to configure Access Managers (e.g. 92xx, 9230 and 9290). The configuration is done in a graphical user interface on the dormakaba exos server. As soon as the save button is clicked in exos 9300, the whole configuration is sent to the selected Access Manager via SOAP. The SOAP request is sent without any prior authentication or authorization by default. Though authentication and authorization can be configured using IPsec for 92xx-K5 devices and mTLS for 92xx-K7 devices, it is not enabled by default and must therefore be activated with additional steps. This insecure default allows an attacker with network level access to completely control the whole environment. An attacker is, for example, easily able to conduct the following tasks without prior authentication: re-configure Access Managers (e.g. remove alarming system requirements); freely re-configure the inputs and outputs; open all connected doors permanently; open all doors for a defined time interval; change the admin password; and many more. Network level access can be gained due to an insufficient network segmentation as well as missing LAN firewalls. Devices with an insecure configuration have been identified to be directly exposed to the internet. | 2026-01-26 | not yet calculated | CVE-2025-59097 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | The Access Manager is offering a trace functionality to debug errors and issues with the device. The trace functionality is implemented as a simple TCP socket. A tool called TraceClient.exe, provided by dormakaba via the Access Manager web interface, is used to connect to the socket and receive debug information. The data is permanently broadcasted on the TCP socket. The socket can be accessed without any authentication or encryption. The transmitted data is based on the set verbosity level. The verbosity level can be set using the http(s) endpoint with the service interface password or with the guessable identifier of the device via the SOAP interface. The transmitted data contains sensitive data like the Card ID as well as all button presses on Registration units. This allows an attacker with network level access to retrieve all entered PINs on a registration unit. | 2026-01-26 | not yet calculated | CVE-2025-59098 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | The Access Manager is using the open source web server CompactWebServer written in C#. This web server is affected by a path traversal vulnerability, which allows an attacker to directly access files via simple GET requests without prior authentication. Hence, it is possible to retrieve all files stored on the file system, including the SQLite database Database.sq3, containing badge information and the corresponding PIN codes. Additionally, when trying to access certain files, the web server crashes and becomes unreachable for about 60 seconds. This can be abused to continuously send the request and cause denial of service. | 2026-01-26 | not yet calculated | CVE-2025-59099 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | The web interface offers a functionality to export the internal SQLite database. After executing the database export, an automatic download is started and the device reboots. After rebooting, the exported database is deleted and cannot be accessed anymore. However, it was noticed that sometimes the device does not reboot and therefore the exported database is not deleted, or the device reboots and the export is not deleted for unknown reasons. The path where the database export is located can be accessed without prior authentication. This leads to the fact that an attacker might be able to get access to the exported database without prior authentication. The database includes sensitive data like passwords, card pins, encrypted Mifare sitekeys and much more. | 2026-01-26 | not yet calculated | CVE-2025-59100 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | Instead of typical session tokens or cookies, it is verified on a per-request basis if the originating IP address has once successfully logged in. As soon as an authentication request from a certain source IP is successful, the IP address is handled as authenticated. No other session information is stored. Therefore, it is possible to spoof the IP address of a logged-in user to gain access to the Access Manager web interface. | 2026-01-26 | not yet calculated | CVE-2025-59101 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | The web server of the Access Manager offers a functionality to download a backup of the local database stored on the device. This database contains the whole configuration. This includes encrypted MIFARE keys, card data, user PINs and much more. The PINs are even stored unencrypted. Combined with the fact that an attacker can easily get access to the backup functionality by abusing the session management issue (CVE-2025-59101), or by exploiting the weak default password (CVE-2025-59108), or by simply setting a new password without prior authentication via the SOAP API (CVE-2025-59097), it is easily possible to access the sensitive data on the device. | 2026-01-26 | not yet calculated | CVE-2025-59102 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | The Access Manager 92xx in hardware revision K7 is based on Linux instead of Windows CE embedded in older hardware revisions. In this new hardware revision it was noticed that an SSH service is exposed on port 22. By analyzing the firmware of the devices, it was noticed that there are two users with hardcoded and weak passwords that can be used to access the devices via SSH. The passwords can also be guessed very easily. The password of at least one user is set to a random value after the first deployment, with the restriction that the password is only randomized if the configured date is prior to 2022. Therefore, under certain circumstances, the passwords are not randomized, for example if the clock is never set on the device, the battery of the clock module has been changed, or the Access Manager has been factory reset and has not received a time yet. | 2026-01-26 | not yet calculated | CVE-2025-59103 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | With physical access to the device and enough time an attacker can desolder the flash memory, modify it and then reinstall it because of missing encryption. Thus, essential files, such as “/etc/passwd”, as well as stored certificates, cryptographic keys, stored PINs and so on can be modified and read, in order to gain SSH root access on the Linux-based K7 model. On the Windows CE based K5 model, the password for the Access Manager can additionally be read in plain text from the stored SQLite database. | 2026-01-26 | not yet calculated | CVE-2025-59105 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | Dormakaba provides the software FWServiceTool to update the firmware version of the Access Managers via the network. The firmware in some instances is provided in an encrypted ZIP file. Within this tool, the password used to decrypt the ZIP and extract the firmware is set statically and can be extracted. This password was valid for multiple observed firmware versions. | 2026-01-26 | not yet calculated | CVE-2025-59107 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k5 | By default, the password for the Access Manager’s web interface is set to ‘admin’. In the tested version, changing the password was not enforced. | 2026-01-26 | not yet calculated | CVE-2025-59108 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k7 | With physical access to the device and enough time an attacker is able to solder test leads to the debug footprint (or use the 6-Pin tag-connect cable). Thus, the attacker gains access to the bootloader, where the kernel command line can be changed. An attacker is able to gain a root shell through this vulnerability. | 2026-01-26 | not yet calculated | CVE-2025-59104 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Access Manager 92xx-k7 | The binary serving the web server and executing basically all actions launched from the Web UI is running with root privileges. This is against the least privilege principle. If an attacker is able to execute code on the system via other vulnerabilities it is possible to directly execute commands with highest privileges. | 2026-01-26 | not yet calculated | CVE-2025-59106 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–dormakaba registration unit 9002 | The dormakaba registration units 9002 (PIN Pad Units) have an exposed UART header on the backside. The PIN pad is sending every button press to the UART interface. An attacker can use the interface to exfiltrate PINs. As the devices are explicitly built as Plug-and-Play to be easily replaced, an attacker is easily able to remove the device, install a hardware implant which connects to the UART and exfiltrates the data exposed via UART to another system (e.g. via WiFi). | 2026-01-26 | not yet calculated | CVE-2025-59109 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkaccess https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | On the exos 9300 server, a SOAP API is reachable on port 8002. This API does not require any authentication prior to sending requests. Therefore, network access to the exos server allows e.g. the creation of arbitrary access log events as well as querying the 2FA PINs associated with the enrolled chip cards. | 2026-01-26 | not yet calculated | CVE-2025-59090 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | Multiple hardcoded credentials have been identified, which are allowed to sign-in to the exos 9300 datapoint server running on port 1004 and 1005. This server is used for relaying status information from and to the Access Managers. This information, among other things, is used to graphically visualize open doors and alerts. However, controlling the Access Managers via this interface is also possible. To send and receive status information, authentication is necessary. The Kaba exos 9300 application contains hard-coded credentials for four different users, which are allowed to login to the datapoint server and receive as well as send information, including commands to open arbitrary doors. | 2026-01-26 | not yet calculated | CVE-2025-59091 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | An RPC service, which is part of exos 9300, is reachable on port 4000, run by the process FSMobilePhoneInterface.exe. This service is used for interprocess communication between services and the Kaba exos 9300 GUI, containing status information about the Access Managers. Interacting with the service does not require any authentication. Therefore, it is possible to send arbitrary status information about door contacts etc. without prior authentication. | 2026-01-26 | not yet calculated | CVE-2025-59092 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | Exos 9300 instances are using a randomly generated database password to connect to the configured MSSQL server. The password is derived from static random values, which are concatenated to the hostname and a random string that can be read by every user from the registry. This allows an attacker to derive the database password and get authenticated access to the central exos 9300 database as the user Exos9300Common. The user has the roles ExosDialog and ExosDialogDotNet assigned, which are able to read most tables of the database as well as update and insert into many tables. | 2026-01-26 | not yet calculated | CVE-2025-59093 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | A local privilege escalation vulnerability has been identified in the Kaba exos 9300 System management application (d9sysdef.exe). Within this application it is possible to specify an arbitrary executable as well as the weekday and start time, when the specified executable should be run with SYSTEM privileges. | 2026-01-26 | not yet calculated | CVE-2025-59094 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | The program libraries (DLL) and binaries used by exos 9300 contain multiple hard-coded secrets. One notable example is the function “EncryptAndDecrypt” in the library Kaba.EXOS.common.dll. This algorithm uses a simple XOR encryption technique combined with a cryptographic key (cryptoKey) to transform each character of the input string. However, it’s important to note that this implementation does not provide strong encryption and should not be considered secure for sensitive data. It’s more of a custom encryption approach rather than a common algorithm used in cryptographic applications. The key itself is static and based on the founder’s name of the company. The functionality is for example used to encrypt the user PINs before storing them in the MSSQL database. | 2026-01-26 | not yet calculated | CVE-2025-59095 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| dormakaba–Kaba exos 9300 | The default password for the extended admin user mode in the application U9ExosAdmin.exe (“Kaba 9300 Administration”) is hard-coded in multiple locations as well as documented in the locally stored user documentation. | 2026-01-26 | not yet calculated | CVE-2025-59096 | https://r.sec-consult.com/dormakaba https://r.sec-consult.com/dkexos https://www.dormakabagroup.com/en/security-advisories |
| Drupal–Acquia Content Hub | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery. This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. | 2026-01-28 | not yet calculated | CVE-2025-14472 | https://www.drupal.org/sa-contrib-2025-125 |
| Drupal–AI (Artificial Intelligence) | Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal AI (Artificial Intelligence) allows Cross-Site Scripting (XSS). This issue affects AI (Artificial Intelligence): from 0.0.0 before 1.0.7, from 1.1.0 before 1.1.7, from 1.2.0 before 1.2.4. | 2026-01-28 | not yet calculated | CVE-2025-13981 | https://www.drupal.org/sa-contrib-2025-119 |
| Drupal–CKEditor 5 Premium Features | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal CKEditor 5 Premium Features allows Functionality Bypass. This issue affects CKEditor 5 Premium Features: from 0.0.0 before 1.2.10, from 1.3.0 before 1.3.6, from 1.4.0 before 1.4.3, from 1.5.0 before 1.5.1, from 1.6.0 before 1.6.4. | 2026-01-28 | not yet calculated | CVE-2025-13980 | https://www.drupal.org/sa-contrib-2025-118 |
| Drupal–Disable Login Page | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Disable Login Page allows Functionality Bypass. This issue affects Disable Login Page: from 0.0.0 before 1.1.3. | 2026-01-28 | not yet calculated | CVE-2025-13986 | https://www.drupal.org/sa-contrib-2025-124 |
| Drupal–Drupal | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Drupal Form Builder allows Cross-Site Scripting (XSS). This issue affects Drupal: from 7.X-1.0 through 7.X-1.22. | 2026-01-28 | not yet calculated | CVE-2026-0749 | https://www.herodevs.com/vulnerability-directory/cve-2026-0749 https://d7es.tag1.com/security-advisories/form-builder-less-critical-cross-site-scripting |
| Drupal–Drupal Commerce Paybox | Improper Verification of Cryptographic Signature vulnerability in Drupal Drupal Commerce Paybox Commerce Paybox on Drupal 7.X allows Authentication Bypass. This issue affects Drupal Commerce Paybox: from 7-x-1.0 through 7.X-1.5. | 2026-01-28 | not yet calculated | CVE-2026-0750 | https://www.herodevs.com/vulnerability-directory/cve-2026-0750 https://d7es.tag1.com/security-advisories/commerce-paybox-moderately-critical-payment-bypass-vulnerability |
| Drupal–Entity Share | Incorrect Authorization vulnerability in Drupal Entity Share allows Forceful Browsing. This issue affects Entity Share: from 0.0.0 before 3.13.0. | 2026-01-28 | not yet calculated | CVE-2025-13985 | https://www.drupal.org/sa-contrib-2025-123 |
| Drupal–HTTP Client Manager | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal HTTP Client Manager allows Forceful Browsing. This issue affects HTTP Client Manager: from 0.0.0 before 9.3.13, from 10.0.0 before 10.0.2, from 11.0.0 before 11.0.1. | 2026-01-28 | not yet calculated | CVE-2025-14840 | https://www.drupal.org/sa-contrib-2025-126 |
| Drupal–Login Time Restriction | Cross-Site Request Forgery (CSRF) vulnerability in Drupal Login Time Restriction allows Cross Site Request Forgery. This issue affects Login Time Restriction: from 0.0.0 before 1.0.3. | 2026-01-28 | not yet calculated | CVE-2025-13982 | https://www.drupal.org/sa-contrib-2025-120 |
| Drupal–Mini site | Privilege Defined With Unsafe Actions vulnerability in Drupal Mini site allows Stored XSS. This issue affects Mini site: from 0.0.0 before 3.0.2. | 2026-01-28 | not yet calculated | CVE-2025-13979 | https://www.drupal.org/sa-contrib-2025-117 |
| Drupal–Next.js | Permissive Cross-domain Security Policy with Untrusted Domains vulnerability in Drupal Next.Js allows Cross-Site Scripting (XSS). This issue affects Next.Js: from 0.0.0 before 1.6.4, from 2.0.0 before 2.0.1. | 2026-01-28 | not yet calculated | CVE-2025-13984 | https://www.drupal.org/sa-contrib-2025-122 |
| Drupal–Tagify | Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal Tagify allows Cross-Site Scripting (XSS). This issue affects Tagify: from 0.0.0 before 1.2.44. | 2026-01-28 | not yet calculated | CVE-2025-13983 | https://www.drupal.org/sa-contrib-2025-121 |
| Eclipse Foundation–Eclipse OMR | In the Eclipse OMR port library component since release 0.2.0, an API function to return the textual names of all supported processor features was not accounting for the separator inserted between processor features. If the output buffer supplied to this function was incorrectly sized, failing to account for the separator when determining when a write to the buffer was safe could lead to a buffer overflow. This issue is fixed in Eclipse OMR version 0.8.0. | 2026-01-29 | not yet calculated | CVE-2026-1188 | https://github.com/eclipse-omr/omr/pull/8082 |
| Eclipse Foundation–Eclipse ThreadX – NetX Duo | A denial-of-service vulnerability exists in the NetX IPv6 component functionality of Eclipse ThreadX NetX Duo. A specially crafted “Packet Too Big” network packet with more than 15 different source addresses can lead to denial of service. An attacker can send a malicious packet to trigger this vulnerability. | 2026-01-27 | not yet calculated | CVE-2025-55102 | https://github.com/eclipse-threadx/netxduo/security/advisories/GHSA-f3rx-xrwm-q2rf |
| Edgemo (Danoffice IT)–Local Admin Service | Improper access control in the WCF endpoint in Edgemo (now owned by Danoffice IT) Local Admin Service 1.2.7.23180 on Windows allows a local user to escalate their privileges to local administrator via direct communication with the LocalAdminService.exe named pipe, bypassing client-side group membership restrictions. | 2026-01-30 | not yet calculated | CVE-2026-1680 | https://retest.dk/local-privilege-escalation-vulnerability-found-in-local-admin-service/ https://www.danofficeit.com/howwedoit/workplace/management/ |
| EGroupware–egroupware | EGroupware is a Web based groupware server written in PHP. A SQL Injection vulnerability exists in the core components of EGroupware prior to versions 23.1.20260113 and 26.0.20260113, specifically in the `Nextmatch` filter processing. The flaw allows authenticated attackers to inject arbitrary SQL commands into the `WHERE` clause of database queries. This is achieved by exploiting a PHP type juggling issue where JSON decoding converts numeric strings into integers, bypassing the `is_int()` security check used by the application. Versions 23.1.20260113 and 26.0.20260113 patch the vulnerability. | 2026-01-28 | not yet calculated | CVE-2026-22243 | https://github.com/EGroupware/egroupware/security/advisories/GHSA-rvxj-7f72-mhrx https://github.com/EGroupware/egroupware/releases/tag/23.1.20260113 https://github.com/EGroupware/egroupware/releases/tag/26.0.20260113 |
| ESET, spol. s.r.o–ESET Inspect Connector | Planting a custom configuration file in ESET Inspect Connector allows loading a malicious DLL. | 2026-01-30 | not yet calculated | CVE-2025-13176 | https://support.eset.com/en/ca8910-eset-customer-advisory-local-privilege-escalation-vulnerability-fixed-in-eset-inspect-connector-for-windows |
| eslint–eslint | Stack overflow vulnerability in eslint before 9.26.0 when serializing objects with circular references in eslint/lib/shared/serialization.js. The exploit is triggered via the RuleTester.run() method, which validates test cases and checks for duplicates. During validation, the internal function checkDuplicateTestCase() is called, which in turn uses the isSerializable() function for serialization checks. When a circular reference object is passed in, isSerializable() enters infinite recursion, ultimately causing a stack overflow. | 2026-01-26 | not yet calculated | CVE-2025-50537 | https://github.com/eslint/eslint/issues/19646 https://gist.github.com/lyyffee/2ee1815e5c2da82c05e9838b9bfefbbc |
| Explorance–Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user input in a web application endpoint. An attacker can supply crafted input that is executed as part of backend database queries. The issue is exploitable without authentication, significantly raising the risk. | 2026-01-28 | not yet calculated | CVE-2025-57792 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57792 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0001.md |
| Explorance–Blue | Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. The issue is exploitable without authentication, significantly elevating the risk. | 2026-01-28 | not yet calculated | CVE-2025-57793 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57793 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0002.md |
| Explorance–Blue | Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables remote code execution under default configurations. | 2026-01-28 | not yet calculated | CVE-2025-57794 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57794 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0003.md |
| Explorance–Blue | Explorance Blue versions prior to 8.14.13 contain an authenticated remote file download vulnerability in a web service component. In default configurations, this flaw can be leveraged to achieve remote code execution. | 2026-01-28 | not yet calculated | CVE-2025-57795 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57795 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0004.md |
| Explorance–Blue | Explorance Blue versions prior to 8.14.12 use reversible symmetric encryption with a hardcoded static key to protect sensitive data, including user passwords and system configurations. This approach allows stored values to be decrypted offline if the encrypted data are obtained. | 2026-01-28 | not yet calculated | CVE-2025-57796 | https://www.explorance.com/products/blue https://online-help.explorance.com/blue/articles/security-advisories-(january-2026) https://online-help.explorance.com/blue/articles/security-advisory:-cve-2025-57796 https://github.com/mandiant/Vulnerability-Disclosures/blob/master/2026/MNDT-2026-0005.md |
| ExpressionEngine–ExpressionEngine | SQL Injection vulnerability in the Structure for Admin authenticated user | 2026-01-26 | not yet calculated | CVE-2025-59473 | https://hackerone.com/reports/3249794 |
| EZCast–EZCast Pro II | Multiple Buffer Overflows in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to cause a program crash and potential remote code execution | 2026-01-27 | not yet calculated | CVE-2026-24344 | https://hub.ntc.swiss/ntcf-2025-68873 |
| EZCast–EZCast Pro II | Cross-Site Request Forgery in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to bypass authorization checks and gain full access to the admin UI | 2026-01-27 | not yet calculated | CVE-2026-24345 | https://hub.ntc.swiss/ntcf-2025-32832 |
| EZCast–EZCast Pro II | Use of well-known default credentials in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to access protected areas in the web application | 2026-01-27 | not yet calculated | CVE-2026-24346 | https://hub.ntc.swiss/ntcf-2025-13993 |
| EZCast–EZCast Pro II | Improper input validation in Admin UI of EZCast Pro II version 1.17478.146 allows attackers to manipulate files in the /tmp directory | 2026-01-27 | not yet calculated | CVE-2026-24347 | https://hub.ntc.swiss/ntcf-2025-32806 |
| EZCast–EZCast Pro II | Multiple cross-site scripting vulnerabilities in Admin UI of EZCast Pro II version 1.17478.146 allow attackers to execute arbitrary JavaScript code in the browser of other Admin UI users. | 2026-01-27 | not yet calculated | CVE-2026-24348 | https://hub.ntc.swiss/ntcf-2025-145332 |
| FASTSHIFT–X-TRACK | Out-of-bounds Write, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in FASTSHIFT X-TRACK (Software/X-Track/USER/App/Utils/lv_img_png/PNGdec/src modules). This vulnerability is associated with program files inflate.C. This issue affects X-TRACK: through v2.7. | 2026-01-27 | not yet calculated | CVE-2026-24823 | https://github.com/FASTSHIFT/X-TRACK/pull/120 |
| Flexense–Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to change a user’s password or create users via ‘/setup_login?sid=’, affecting the ‘username’, ‘password’, and ‘cpassword’ parameters. | 2026-01-28 | not yet calculated | CVE-2025-59891 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete commands individually via ‘/delete_command?sid=’, using the ‘cid’ parameter. | 2026-01-28 | not yet calculated | CVE-2025-59892 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to rename commands via ‘/rename_command?sid=’, affecting the ‘command_name’ parameter. | 2026-01-28 | not yet calculated | CVE-2025-59893 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. This vulnerability is possible due to the lack of proper CSRF token implementation. Among other things, it is possible, using a POST request to delete all commands via ‘/delete_all_commands?sid=’. | 2026-01-28 | not yet calculated | CVE-2025-59894 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a remote denial-of-service (DoS) vulnerability in the configuration restore functionality. The issue is due to insufficient validation of user-supplied data during this process. An attacker could send malicious requests to alter the configuration file, causing the application to become unresponsive. In a successful scenario, the service may not recover on its own and require a complete reinstallation, as the configuration becomes corrupted and prevents the service from restarting, even manually. | 2026-01-28 | not yet calculated | CVE-2025-59895 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in ‘/add_command?sid=’, affecting the ‘command_name’ parameter. | 2026-01-28 | not yet calculated | CVE-2025-59896 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in ‘/edit_command?sid=’, affecting the ‘source_dir’ and ‘dest_dir’ parameters. | 2026-01-28 | not yet calculated | CVE-2025-59897 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in ‘/add_exclude_dir?sid=’, affecting the ‘exclude_dir’ parameter. | 2026-01-28 | not yet calculated | CVE-2025-59898 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in ‘/server_options?sid=’, affecting the ‘tasks_logs_dir’, ‘errors_logs_dir’, ‘error_notifications_address’, ‘status_notifications_address’, and ‘status_reports_address’ parameters. | 2026-01-28 | not yet calculated | CVE-2025-59899 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18 contain a persistent authenticated Cross-Site Scripting (XSS) vulnerability. An attacker could send malicious content to an authenticated user and steal information from their session due to insufficient validation of user input in ‘/server_options?sid=’, affecting the ‘tasks_logs_dir’, ‘errors_logs_dir’, ‘error_notifications_address’, ‘status_notifications_address’, and ‘status_reports_address’ parameters. | 2026-01-28 | not yet calculated | CVE-2025-59900 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| Flexense–Sync Breeze Enterprise Server | Disk Pulse Enterprise v10.4.18 has an authenticated reflected XSS vulnerability in the ‘/monitor_directory?sid=’ endpoint, caused by insufficient validation of the ‘monitor_directory’ parameter sent by POST. An attacker could exploit this weakness to send malicious content to an authenticated user and steal information from their session. | 2026-01-28 | not yet calculated | CVE-2025-59901 | https://www.incibe.es/en/incibe-cert/notices/aviso/multiple-vulnerabilities-flexense-products |
| FluentCMS–FluentCMS | FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. Attackers can upload malicious SVG files that execute JavaScript in the browser of any user accessing the uploaded file URL. | 2026-01-29 | not yet calculated | CVE-2025-15549 | GitHub Issue #2404 VulnCheck Advisory: FluentCMS 2026 Stored XSS via SVG Upload in File Management |
| foxinmy–weixin4j | Improperly Controlled Sequential Memory Allocation vulnerability in foxinmy weixin4j (weixin4j-base/src/main/java/com/foxinmy/weixin4j/util modules). This vulnerability is associated with program files CharArrayBuffer.Java, ClassUtil.Java. This issue affects weixin4j. | 2026-01-27 | not yet calculated | CVE-2026-24819 | https://github.com/foxinmy/weixin4j/pull/229 |
| FUJIFILM Business Innovation Corp.–beat-access for Windows | beat-access for Windows version 3.0.3 and prior contains an issue with the DLL search path, which may lead to insecurely loading Dynamic Link Libraries. As a result, arbitrary code may be executed with SYSTEM privileges. | 2026-01-27 | not yet calculated | CVE-2026-21408 | https://www.fujifilm.com/fbglobal/eng/company/news/notice/2026/0127_announce.html https://jvn.jp/en/jp/JVN03776126/ |
| Funambol–Cloud Server | Vulnerability that allows a Padding Oracle Attack to be performed on the Funambol v30.0.0.20 cloud server. The thumbnail display URL allows an attacker to decrypt and encrypt the parameters used by the application to generate ‘self-signed’ access URLs. | 2026-01-28 | not yet calculated | CVE-2025-41351 | https://www.incibe.es/en/incibe-cert/notices/aviso/weak-encryption-funambols-cloud-server |
| FunJSO–FunJSO | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, exposes an HTTP server over the LAN interface of affected devices. This interface is vulnerable to unauthenticated arbitrary command injection through the funjsq_access_token parameter. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40619 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| FunJSO–FunJSO | FunJSQ, a third-party module integrated on some NETGEAR routers and Orbi WiFi Systems, does not properly validate TLS certificates when downloading update packages through its auto-update mechanism. An attacker (suitably positioned on the network) could intercept the update request and deliver a malicious update package in order to gain arbitrary code execution on affected devices. This affects R6230 before 1.1.0.112, R6260 before 1.1.0.88, R7000 before 1.0.11.134, R8900 before 1.0.5.42, R9000 before 1.0.5.42, and XR300 before 1.0.3.72 and Orbi RBR20 before 2.7.2.26, RBR50 before 2.7.4.26, RBS20 before 2.7.2.26, and RBS50 before 2.7.4.26. | 2026-01-28 | not yet calculated | CVE-2022-40620 | https://kb.netgear.com/000065132/Security-Advisory-for-Vulnerabilities-in-FunJSQ-on-Some-Routers-and-Orbi-WiFi-Systems-PSV-2022-0117 https://www.onekey.com/resource/security-advisory-netgear-routers-funjsq-vulnerabilities |
| GaijinEntertainment–DagorEngine | Improper Restriction of Operations within the Bounds of a Memory Buffer vulnerability in GaijinEntertainment DagorEngine (prog/3rdPartyLibs/miniupnpc modules). This vulnerability is associated with program files upnpreplyparse.C. This issue affects DagorEngine: through dagor_2025_01_15. | 2026-01-27 | not yet calculated | CVE-2026-24798 | https://github.com/GaijinEntertainment/DagorEngine/pull/136 |
| geopandas–geopandas | SQL injection vulnerability in geopandas before v.1.1.2 allows an attacker to obtain sensitive information via the `to_postgis()` function being used to write GeoDataFrames to a PostgreSQL database. | 2026-01-30 | not yet calculated | CVE-2025-69662 | https://aydinnyunus.github.io/2025/12/27/sql-injection-geopandas/ https://github.com/geopandas/geopandas/pull/3681 |
| gmrtd–gmrtd | gmrtd is a Go library for reading Machine Readable Travel Documents (MRTDs). Prior to version 0.17.2, ReadFile accepts TLVs with lengths that can range up to 4GB, which can cause unconstrained resource consumption in both memory and CPU cycles. ReadFile can consume an extended TLV with lengths well outside what would be available in ICs. It can accept something all the way up to 4GB which would take too many iterations in 256 byte chunks, and would also try to allocate memory that might not be available in constrained environments like phones. Or if an API sends data to ReadFile, the same problem applies. The very small chunked read also locks the goroutine in accepting data for a very large number of iterations. Projects using the gmrtd library to read files from NFCs can experience extreme slowdowns or memory consumption. A malicious NFC can just behave like the mock transceiver described above and by just sending dummy bytes as each chunk to be read, can make the receiving thread unresponsive and fill up memory on the host system. Version 0.17.2 patches the issue. | 2026-01-27 | not yet calculated | CVE-2026-24738 | https://github.com/gmrtd/gmrtd/security/advisories/GHSA-j49h-6577-5xwq https://github.com/gmrtd/gmrtd/commit/54469a95e5a20a8602ac1457b2110bfeb80c8891 https://github.com/gmrtd/gmrtd/releases/tag/v0.17.2 |
| Go standard library–archive/zip | archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. | 2026-01-28 | not yet calculated | CVE-2025-61728 | https://go.dev/cl/736713 https://go.dev/issue/77102 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4342 |
| Go standard library–crypto/tls | During the TLS 1.3 handshake if multiple messages are sent in records that span encryption level boundaries (for instance the Client Hello and Encrypted Extensions messages), the subsequent messages may be processed before the encryption level changes. This can cause some minor information disclosure if a network-local attacker can inject messages during the handshake. | 2026-01-28 | not yet calculated | CVE-2025-61730 | https://go.dev/cl/724120 https://go.dev/issue/76443 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4340 |
| Go standard library–net/url | The net/url package does not set a limit on the number of query parameters in a query. While the maximum size of query parameters in URLs is generally limited by the maximum request header size, the net/http.Request.ParseForm method can parse large URL-encoded forms. Parsing a large form containing many unique query parameters can cause excessive memory consumption. | 2026-01-28 | not yet calculated | CVE-2025-61726 | https://go.dev/cl/736712 https://go.dev/issue/77101 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4341 |
| Go toolchain–cmd/go | Building a malicious file with cmd/go can cause a write to an attacker-controlled file with partial control of the file content. The “#cgo pkg-config:” directive in a Go source file provides command-line arguments to provide to the Go pkg-config command. An attacker can provide a “--log-file” argument to this directive, causing pkg-config to write to an attacker-controlled location. | 2026-01-28 | not yet calculated | CVE-2025-61731 | https://go.dev/cl/736711 https://go.dev/issue/77100 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4339 |
| Go toolchain–cmd/go | Downloading and building modules with malicious version strings can cause local code execution. On systems with Mercurial (hg) installed, downloading modules from non-standard sources (e.g., custom domains) can cause unexpected code execution due to how external VCS commands are constructed. This issue can also be triggered by providing a malicious version string to the toolchain. On systems with Git installed, downloading and building modules with malicious version strings can allow an attacker to write to arbitrary files on the filesystem. This can only be triggered by explicitly providing the malicious version strings to the toolchain and does not affect usage of @latest or bare module paths. | 2026-01-28 | not yet calculated | CVE-2025-68119 | https://go.dev/cl/736710 https://go.dev/issue/77099 https://groups.google.com/g/golang-announce/c/Vd2tYVM8eUc https://pkg.go.dev/vuln/GO-2026-4338 |
| Google–Chrome | Inappropriate implementation in Background Fetch API in Google Chrome prior to 144.0.7559.110 allowed a remote attacker to leak cross-origin data via a crafted HTML page. (Chromium security severity: High) | 2026-01-27 | not yet calculated | CVE-2026-1504 | https://chromereleases.googleblog.com/2026/01/stable-channel-update-for-desktop_27.html https://issues.chromium.org/issues/474435504 |
| gradle–gradle-completion | gradle-completion provides Bash and Zsh completion support for Gradle. A command injection vulnerability was found in gradle-completion up to and including 9.3.0 that allows arbitrary code execution when a user triggers Bash tab completion in a project containing a malicious Gradle build file. The `gradle-completion` script for Bash fails to adequately sanitize Gradle task names and task descriptions, allowing command injection via a malicious Gradle build file when the user completes a command in Bash (without them explicitly running any task in the build). For example, given a task description that includes a string between backticks, then that string would be evaluated as a command when presenting the task description in the completion list. While task execution is the core feature of Gradle, this inherent execution may lead to unexpected outcomes. The vulnerability does not affect zsh completion. The first patched version is 9.3.1. As a workaround, it is possible and effective to temporarily disable bash completion for Gradle by removing `gradle-completion` from `.bashrc` or `.bash_profile`. | 2026-01-29 | not yet calculated | CVE-2026-25063 | https://github.com/gradle/gradle-completion/security/advisories/GHSA-qggc-44r3-cjgv https://github.com/gradle/gradle-completion/commit/ecacc32bb882210e5d37cd79a74de1af0d0ccad7 |
| Hiawatha–Hiawatha Web server | Improper header parsing that may lead to request smuggling has been identified in Hiawatha webserver version 11.7, which allows an unauthenticated attacker to access restricted resources managed by Hiawatha webserver. | 2026-01-26 | not yet calculated | CVE-2025-57783 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/http.c?ref_type=heads#L205 |
| Hiawatha–Hiawatha Web server | Tomahawk auth timing attack due to usage of `strcmp` has been identified in Hiawatha webserver version 11.7 which allows a local attacker to access the management client. | 2026-01-26 | not yet calculated | CVE-2025-57784 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/tomahawk.c?ref_type=heads#L429 |
| Hiawatha–Hiawatha Web server | A Double Free in XSLT `show_index` has been identified in Hiawatha webserver version 11.7 which allows an unauthenticated attacker to corrupt data which may lead to arbitrary code execution. | 2026-01-26 | not yet calculated | CVE-2025-57785 | https://gitlab.com/hsleisink/hiawatha/-/blame/master/src/xslt.c?ref_type=heads#L675 |
| Hitachi Energy–SuprOS | Default credentials vulnerability exists in SuprOS product. If exploited, this could allow an authenticated local attacker to use an admin account created during product deployment. | 2026-01-28 | not yet calculated | CVE-2025-7740 | https://publisher.hitachienergy.com/preview?DocumentID=8DBD000223&LanguageCode=en&DocumentPartId=&Action=launch |
| honojs–hono | Hono is a Web application framework that provides support for any JavaScript runtime. Prior to version 4.11.7, Serve static Middleware for the Cloudflare Workers adapter contains an information disclosure vulnerability that may allow attackers to read arbitrary keys from the Workers environment. Improper validation of user-controlled paths can result in unintended access to internal asset keys. Version 4.11.7 contains a patch for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24473 | https://github.com/honojs/hono/security/advisories/GHSA-w332-q679-j88p https://github.com/honojs/hono/commit/cf9a78db4d0a19b117aee399cbe9d3a6d9bfd817 https://github.com/honojs/hono/releases/tag/v4.11.7 |
| iba Systems–ibaPDA | A security issue has been identified in ibaPDA that could allow unauthorized actions on the file system under certain conditions. This may impact the confidentiality, integrity, or availability of the system. | 2026-01-27 | not yet calculated | CVE-2025-14988 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-01 |
| Icinga–icinga-powershell-framework | The Icinga PowerShell Framework provides configuration and check possibilities to ensure integration and monitoring of Windows environments. In versions prior to 1.13.4, 1.12.4, and 1.11.2, permissions of the Icinga for Windows `certificate` directory grant every user read access, which results in the exposure of the private key of the Icinga certificate for the given host. All installations are affected. Versions 1.13.4, 1.12.4, and 1.11.2 contain a patch. Please note that upgrading to a fixed version of Icinga for Windows will also automatically fix a similar issue present in Icinga 2, CVE-2026-24413. As a workaround, the permissions can be restricted manually by updating the ACL for the given folder `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` (and `C:\ProgramData\icinga2\var` to fix the issue for the Icinga 2 agent as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24414 | https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| Icinga–icinga2 | Icinga 2 is an open source monitoring system. Starting in version 2.3.0 and prior to versions 2.13.14, 2.14.8, and 2.15.2, the Icinga 2 MSI did not set appropriate permissions for the `%ProgramData%\icinga2\var` folder on Windows. This resulted in its contents – including the private key of the user and synced configuration – being readable by all local users. All installations on Windows are affected. Versions 2.13.14, 2.14.8, and 2.15.2 contain a fix. There are two possibilities to work around the issue without upgrading Icinga 2. Upgrade Icinga for Windows to at least version v1.13.4, v1.12.4, or v1.11.2. These versions will automatically fix the ACLs for the Icinga 2 agent as well. Alternatively, manually update the ACL for the given folder `C:\ProgramData\icinga2\var` (and `C:\Program Files\WindowsPowerShell\modules\icinga-powershell-framework\certificate` to fix the issue for Icinga for Windows as well) including every sub-folder and item to restrict access for general users, only allowing the Icinga service user and administrators access. | 2026-01-29 | not yet calculated | CVE-2026-24413 | https://github.com/Icinga/icinga2/security/advisories/GHSA-vfjg-6fpv-4mmr https://github.com/Icinga/icinga-powershell-framework/security/advisories/GHSA-88h5-rrm6-5973 https://icinga.com/blog/releasing-icinga-2-v2-15-2-v2-14-8-v2-13-14-and-icinga-for-windows-v1-13-4-v1-12-4-v1-11-2 |
| inspektor-gadget–inspektor-gadget | Inspektor Gadget is a set of tools and framework for data collection and system inspection on Kubernetes clusters and Linux hosts using eBPF. The `ig` binary provides a subcommand for image building, used to generate custom gadget OCI images. A part of this functionality is implemented in the file `inspektor-gadget/cmd/common/image/build.go`. The `Makefile.build` file is the Makefile template employed during the building process. This file includes user-controlled data in an unsafe fashion, specifically some parameters are embedded without adequate escaping in the commands inside the Makefile. Prior to version 0.48.1, this implementation is vulnerable to command injection: an attacker able to control values in the `buildOptions` structure would be able to execute arbitrary commands during the building process. An attacker able to exploit this vulnerability would be able to execute arbitrary commands on the Linux host where the `ig` command is launched, if images are built with the `--local` flag or on the build container invoked by `ig`, if the `--local` flag is not provided. The `buildOptions` structure is extracted from the YAML gadget manifest passed to the `ig image build` command. Therefore, the attacker would need a way to control either the full `build.yml` file passed to the `ig image build` command, or one of its options. Typically, this could happen in a CI/CD scenario that builds untrusted gadgets to verify correctness. Version 0.48.1 fixes the issue. | 2026-01-29 | not yet calculated | CVE-2026-24905 | https://github.com/inspektor-gadget/inspektor-gadget/security/advisories/GHSA-79qw-g77v-2vfh https://github.com/inspektor-gadget/inspektor-gadget/commit/7c83ad84ff7a68565655253e2cf1c5d2da695c1a |
| Internet Information Co., Ltd–DreamMaker | A missing authentication for critical function vulnerability in the /servlet/baServer3 endpoint of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to access exposed administrative functionality without prior authentication. | 2026-01-30 | not yet calculated | CVE-2026-24728 | https://zuso.ai/advisory/za-2026-01 |
| Internet Information Co., Ltd–DreamMaker | An unrestricted upload of file with dangerous type vulnerability in the file upload function of Interinfo DreamMaker versions before 2025/10/22 allows remote attackers to execute arbitrary system commands via a malicious class file. | 2026-01-30 | not yet calculated | CVE-2026-24729 | https://zuso.ai/advisory/za-2026-02 |
| jmlepisto–clatter | Clatter is a no_std compatible, pure Rust implementation of the Noise protocol framework with post-quantum support. Versions prior to 2.2.0 have a protocol compliance vulnerability. The library allowed post-quantum handshake patterns that violated the PSK validity rule (Noise Protocol Framework Section 9.3). This could allow PSK-derived keys to be used for encryption without proper randomization by self-chosen ephemeral randomness, weakening security guarantees and potentially allowing catastrophic key reuse. Affected default patterns include `noise_pqkk_psk0`, `noise_pqkn_psk0`, `noise_pqnk_psk0`, `noise_pqnn_psk0`, and some hybrid variants. Users of these patterns may have been using handshakes that do not meet the intended security properties. The issue is fully patched and released in Clatter v2.2.0. The fixed version includes runtime checks to detect offending handshake patterns. As a workaround, avoid using offending `*_psk0` variants of post-quantum patterns. Review custom handshake patterns carefully. | 2026-01-27 | not yet calculated | CVE-2026-24785 | https://github.com/jmlepisto/clatter/security/advisories/GHSA-253q-9q78-63x4 https://github.com/jmlepisto/clatter/commit/b65ae6e9b8019bed5407771e21f89ddff17c5a71 https://noiseprotocol.org/noise.html#validity-rule |
| Johnson Controls–iSTAR Configuration Utility (ICU) | Johnson Controls iSTAR Configuration Utility (ICU) has a stack-based buffer overflow vulnerability. This issue affects iSTAR Configuration Utility (ICU) version 6.9.7 and prior. Successful exploitation of this vulnerability could result in failure within the operating system of the machine hosting the ICU tool. | 2026-01-28 | not yet calculated | CVE-2025-26386 | https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories https://www.cisa.gov/news-events/ics-advisories/icsa-26-022-04 |
| Johnson Controls–Metasys | The Johnson Controls Metasys components listed below have an Improper Neutralization of Special Elements used in a Command (Command Injection) vulnerability. Successful exploitation of this vulnerability could allow remote SQL execution. This issue affects: Metasys: Application and Data Server (ADS) installed with SQL Express deployed as part of the Metasys 14.1 and prior installation; Extended Application and Data Server (ADX) installed with SQL Express deployed as part of the Metasys 14.1 installation; LCS8500 or NAE8500 installed with SQL Express deployed as part of the Metasys installation Releases 12.0 through 14.1; System Configuration Tool (SCT) installed with SQL Express deployed as part of the SCT installation 17.1 and prior; Controller Configuration Tool (CCT) installed with SQL Express deployed as part of the CCT installation 17.0 and prior. | 2026-01-30 | not yet calculated | CVE-2025-26385 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-027-04 https://www.johnsoncontrols.com/trust-center/cybersecurity/security-advisories |
| json–json | The value function in jsonpath 1.1.1 lib/index.js is vulnerable to Prototype Pollution. | 2026-01-28 | not yet calculated | CVE-2025-61140 | https://github.com/dchester/jsonpath https://gist.github.com/Dremig/8105c189774217222a8ebea3ed4d341d |
| kata-containers–kata-containers | Kata Containers is an open source project focusing on a standard implementation of lightweight Virtual Machines (VMs) that perform like containers. In versions prior to 3.26.0, when a container image is malformed or contains no layers, containerd falls back to bind-mounting an empty snapshotter directory for the container rootfs. When the Kata runtime attempts to mount the container rootfs, the bind mount causes the rootfs to be detected as a block device, leading to the underlying device being hotplugged to the guest. This can cause filesystem-level errors on the host due to double inode allocation, and may lead to the host’s block device being mounted as read-only. Version 3.26.0 contains a patch for the issue. | 2026-01-29 | not yet calculated | CVE-2026-24054 | https://github.com/kata-containers/kata-containers/security/advisories/GHSA-5fc8-gg7w-3g5c https://github.com/kata-containers/kata-containers/commit/20ca4d2d79aa5bf63aa1254f08915da84f19e92a https://github.com/containerd/containerd/blob/d939b6af5f8536c2cae85e919e7c40070557df0e/plugins/snapshots/overlay/overlay.go#L564-L581 https://github.com/kata-containers/kata-containers/blob/a164693e1afead84cd01d5bc3575e2cbfe64ce35/src/runtime/virtcontainers/container.go#L1122-L1126 https://github.com/kata-containers/kata-containers/blob/c7d0c270ee7dfaa6d978e6e07b99dabdaf2b9fda/src/runtime/virtcontainers/container.go#L1616-L1623 |
| libpng–libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via the pngimage program. With AddressSanitizer (ASan), the program leaks memory in various locations, eventually leading to high memory usage and causing the program to become unresponsive. | 2026-01-27 | not yet calculated | CVE-2025-28162 | https://github.com/pnggroup/libpng/issues/656 https://gist.github.com/kittener/fbfdb9b5610c6b3db0d5dea045a07c60 |
| libpng–libpng | Buffer Overflow vulnerability in libpng 1.6.43-1.6.46 allows a local attacker to cause a denial of service via png_create_read_struct() function. | 2026-01-27 | not yet calculated | CVE-2025-28164 | https://github.com/pnggroup/libpng/issues/655 https://gist.github.com/kittener/506516f8c22178005b4379c8b2a7de20 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: counter: interrupt-cnt: Drop IRQF_NO_THREAD flag An IRQ handler can either be IRQF_NO_THREAD or acquire spinlock_t, as CONFIG_PROVE_RAW_LOCK_NESTING warns: ============================= [ BUG: Invalid wait context ] 6.18.0-rc1+git… #1 ----------------------------- some-user-space-process/1251 is trying to lock: (&counter->events_list_lock){....}-{3:3}, at: counter_push_event [counter] other info that might help us debug this: context-{2:2} no locks held by some-user-space-process/…. stack backtrace: CPU: 0 UID: 0 PID: 1251 Comm: some-user-space-process 6.18.0-rc1+git… #1 PREEMPT Call trace: show_stack (C) dump_stack_lvl dump_stack __lock_acquire lock_acquire _raw_spin_lock_irqsave counter_push_event [counter] interrupt_cnt_isr [interrupt_cnt] __handle_irq_event_percpu handle_irq_event handle_simple_irq handle_irq_desc generic_handle_domain_irq gpio_irq_handler handle_irq_desc generic_handle_domain_irq gic_handle_irq call_on_irq_stack do_interrupt_handler el0_interrupt __el0_irq_handler_common el0t_64_irq_handler el0t_64_irq … and Sebastian correctly points out. Remove IRQF_NO_THREAD as an alternative to switching to raw_spinlock_t, because the latter would limit all potential nested locks to raw_spinlock_t only. | 2026-01-31 | not yet calculated | CVE-2025-71180 | https://git.kernel.org/stable/c/ef668c9a2261ec9287faba6e6ef05a98b391aa2b https://git.kernel.org/stable/c/51d2e5d6491447258cb39ff1deb93df15d3c23cb https://git.kernel.org/stable/c/1c5a3175aecf82cd86dfcbef2a23e8b26d8d8e7c https://git.kernel.org/stable/c/49a66829dd3653695e60d7cae13521d131362fcd https://git.kernel.org/stable/c/425886b1f8304621b3f16632b274357067d5f13f https://git.kernel.org/stable/c/23f9485510c338476b9735d516c1d4aacb810d46 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rust_binder: remove spin_lock() in rust_shrink_free_page() When forward-porting Rust Binder to 6.18, I neglected to take commit fb56fdf8b9a2 (“mm/list_lru: split the lock to per-cgroup scope”) into account, and apparently I did not end up running the shrinker callback when I sanity tested the driver before submission. This leads to crashes like the following: ============================================ WARNING: possible recursive locking detected 6.18.0-mainline-maybe-dirty #1 Tainted: G IO -------------------------------------------- kswapd0/68 is trying to acquire lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: lock_list_lru_of_memcg+0x128/0x230 but task is already holding lock: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 other info that might help us debug this: Possible unsafe locking scenario: CPU0 ---- lock(&l->lock); lock(&l->lock); *** DEADLOCK *** May be due to missing lock nesting notation 3 locks held by kswapd0/68: #0: ffffffff90d2e260 (fs_reclaim){+.+.}-{0:0}, at: kswapd+0x597/0x1160 #1: ffff956000fa18b0 (&l->lock){+.+.}-{2:2}, at: rust_helper_spin_lock+0xd/0x20 #2: ffffffff90cf3680 (rcu_read_lock){....}-{1:2}, at: lock_list_lru_of_memcg+0x2d/0x230 To fix this, remove the spin_lock() call from rust_shrink_free_page(). | 2026-01-31 | not yet calculated | CVE-2025-71181 | https://git.kernel.org/stable/c/30a98c97f7874031f2e1de19c777ce011143cba4 https://git.kernel.org/stable/c/361e0ff456a8daf9753c18030533256e4133ce7a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: j1939: make j1939_session_activate() fail if device is no longer registered syzbot is still reporting unregister_netdevice: waiting for vcan0 to become free. Usage count = 2 even after commit 93a27b5891b8 (“can: j1939: add missing calls in NETDEV_UNREGISTER notification handler”) was added. A debug printk() patch found that j1939_session_activate() can succeed even after j1939_cancel_active_session() from j1939_netdev_notify(NETDEV_UNREGISTER) has completed. Since j1939_cancel_active_session() is processed with the session list lock held, checking ndev->reg_state in j1939_session_activate() with the session list lock held can reliably close the race window. | 2026-01-31 | not yet calculated | CVE-2025-71182 | https://git.kernel.org/stable/c/ebb0dfd718dd31c8d3600612ca4b7207ec3d923a https://git.kernel.org/stable/c/c3a4316e3c746af415c0fd6c6d489ad13f53714d https://git.kernel.org/stable/c/46ca9dc978923c5e1247a9e9519240ba7ace413c https://git.kernel.org/stable/c/78d87b72cebe2a993fd5b017e9f14fb6278f2eae https://git.kernel.org/stable/c/ba6f0d1832eeb5eb3a6dc5cb30e0f720b3cb3536 https://git.kernel.org/stable/c/79dd3f1d9dd310c2af89b09c71f34d93973b200f https://git.kernel.org/stable/c/5d5602236f5db19e8b337a2cd87a90ace5ea776d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: always detect conflicting inodes when logging inode refs After rename exchanging (either with the rename exchange operation or regular renames in multiple non-atomic steps) two inodes and at least one of them is a directory, we can end up with a log tree that contains only one of the inodes and after a power failure that can result in an attempt to delete the other inode when it should not because it was not deleted before the power failure. In some cases that delete attempt fails when the target inode is a directory that contains a subvolume inside it, since the log replay code is not prepared to deal with directory entries that point to root items (only inode items). 1) We have directories “dir1” (inode A) and “dir2” (inode B) under the same parent directory; 2) We have a file (inode C) under directory “dir1” (inode A); 3) We have a subvolume inside directory “dir2” (inode B); 4) All these inodes were persisted in a past transaction and we are currently at transaction N; 5) We rename the file (inode C), so at btrfs_log_new_name() we update inode C’s last_unlink_trans to N; 6) We get a rename exchange for “dir1” (inode A) and “dir2” (inode B), so after the exchange “dir1” is inode B and “dir2” is inode A. During the rename exchange we call btrfs_log_new_name() for inodes A and B, but because they are directories, we don’t update their last_unlink_trans to N; 7) An fsync against the file (inode C) is done, and because its inode has a last_unlink_trans with a value of N we log its parent directory (inode A) (through btrfs_log_all_parents(), called from btrfs_log_inode_parent()). 8) So we end up with inode B not logged, which now has the old name of inode A. At copy_inode_items_to_log(), when logging inode A, we did not check if we had any conflicting inode to log because inode A has a generation lower than the current transaction (created in a past transaction); 9) After a power failure, when replaying the log tree, since we find that inode A has a new name that conflicts with the name of inode B in the fs tree, we attempt to delete inode B… this is wrong since that directory was never deleted before the power failure, and because there is a subvolume inside that directory, attempting to delete it will fail since replay_dir_deletes() and btrfs_unlink_inode() are not prepared to deal with dir items that point to roots instead of inodes. When that happens the mount fails and we get a stack trace like the following: [87.2314] BTRFS info (device dm-0): start tree-log replay [87.2318] BTRFS critical (device dm-0): failed to delete reference to subvol, root 5 inode 256 parent 259 [87.2332] ------------[ cut here ]------------ [87.2338] BTRFS: Transaction aborted (error -2) [87.2346] WARNING: CPU: 1 PID: 638968 at fs/btrfs/inode.c:4345 __btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2368] Modules linked in: btrfs loop dm_thin_pool (…) [87.2470] CPU: 1 UID: 0 PID: 638968 Comm: mount Tainted: G W 6.18.0-rc7-btrfs-next-218+ #2 PREEMPT(full) [87.2489] Tainted: [W]=WARN [87.2494] Hardware name: QEMU Standard PC (i440FX + PIIX, 1996), BIOS rel-1.16.2-0-gea1b7a073390-prebuilt.qemu.org 04/01/2014 [87.2514] RIP: 0010:__btrfs_unlink_inode+0x416/0x440 [btrfs] [87.2538] Code: c0 89 04 24 (…) [87.2568] RSP: 0018:ffffc0e741f4b9b8 EFLAGS: 00010286 [87.2574] RAX: 0000000000000000 RBX: ffff9d3ec8a6cf60 RCX: 0000000000000000 [87.2582] RDX: 0000000000000002 RSI: ffffffff84ab45a1 RDI: 00000000ffffffff [87.2591] RBP: ffff9d3ec8a6ef20 R08: 0000000000000000 R09: ffffc0e741f4b840 [87.2599] R10: ffff9d45dc1fffa8 R11: 0000000000000003 R12: ffff9d3ee26d77e0 [87.2608] R13: ffffc0e741f4ba98 R14: ffff9d4458040800 R15: ffff9d44b6b7ca10 [87.2618] FS: 00007f7b9603a840(0000) GS:ffff9d4658982000(0000) knlGS:0000000000000000 [87. —truncated— | 2026-01-31 | not yet calculated | CVE-2025-71183 | https://git.kernel.org/stable/c/c7f0207db68d5a1b4af23acbef1a8e8ddc431ebb https://git.kernel.org/stable/c/a63998cd6687c14b160dccb0bbcf281b2eb0dab3 https://git.kernel.org/stable/c/0c2413c69129f6ce60157f7b53d9ba880260400b https://git.kernel.org/stable/c/d52af58dd463821c5c516aebb031a58934f696ea https://git.kernel.org/stable/c/7ba0b6461bc4edb3005ea6e00cdae189bcf908a5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL dereference on root when tracing inode eviction When evicting an inode the first thing we do is to setup tracing for it, which implies fetching the root’s id. But in btrfs_evict_inode() the root might be NULL, as implied in the next check that we do in btrfs_evict_inode(). Hence, we either should set the ->root_objectid to 0 in case the root is NULL, or we move tracing setup after checking that the root is not NULL. Setting the rootid to 0 at least gives us the possibility to trace this call even in the case when the root is NULL, so that’s the solution taken here. | 2026-01-31 | not yet calculated | CVE-2025-71184 | https://git.kernel.org/stable/c/582ba48e4a4c06fef6bdcf4e57b7b9af660bbd0c https://git.kernel.org/stable/c/99e057f3d3ef24b99a7b1d84e01dd1bd890098da https://git.kernel.org/stable/c/f157dd661339fc6f5f2b574fe2429c43bd309534 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: ti: dma-crossbar: fix device leak on am335x route allocation Make sure to drop the reference taken when looking up the crossbar platform device during am335x route allocation. | 2026-01-31 | not yet calculated | CVE-2025-71185 | https://git.kernel.org/stable/c/6fdf168f57e331e148a1177a9b590a845c21b315 https://git.kernel.org/stable/c/f810132e825588fbad3cba940458c58bb7ec4d84 https://git.kernel.org/stable/c/30352277d8e09c972436f883a5efd1f1b763ac14 https://git.kernel.org/stable/c/4fc17b1c6d2e04ad13fd6c21cfbac68043ec03f9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: stm32: dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71186 | https://git.kernel.org/stable/c/1a179ac01ff3993ab97e33cc77c316ed7415cda1 https://git.kernel.org/stable/c/2fb10259d4efb4367787b5ae9c94192e8a91c648 https://git.kernel.org/stable/c/3ef52d31cce8ba816739085a61efe07b63c6cf27 https://git.kernel.org/stable/c/dd6e4943889fb354efa3f700e42739da9bddb6ef |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: sh: rz-dmac: fix device leak on probe failure Make sure to drop the reference taken when looking up the ICU device during probe also on probe failures (e.g. probe deferral). | 2026-01-31 | not yet calculated | CVE-2025-71187 | https://git.kernel.org/stable/c/926d1666420c227eab50962a8622c1b8444720e8 https://git.kernel.org/stable/c/9fb490323997dcb6f749cd2660a17a39854600cd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: lpc18xx-dmamux: fix device leak on route allocation Make sure to drop the reference taken when looking up the DMA mux platform device during route allocation. Note that holding a reference to a device does not prevent its driver data from going away so there is no point in keeping the reference. | 2026-01-31 | not yet calculated | CVE-2025-71188 | https://git.kernel.org/stable/c/9fba97baa520c9446df51a64708daf27c5a7ed32 https://git.kernel.org/stable/c/992eb8055a6e5dbb808672d20d68e60d5a89b12b https://git.kernel.org/stable/c/1e47d80f6720f0224efd19bcf081d39637569c10 https://git.kernel.org/stable/c/d4d63059dee7e7cae0c4d9a532ed558bc90efb55 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: dw: dmamux: fix OF node leak on route allocation failure Make sure to drop the reference taken to the DMA master OF node also on late route allocation failures. | 2026-01-31 | not yet calculated | CVE-2025-71189 | https://git.kernel.org/stable/c/db7c79c1bbfb1b0184e78a17ac2bd0f2bc3134d1 https://git.kernel.org/stable/c/8f7a391211381ed2f6802032c78c7820d166bc49 https://git.kernel.org/stable/c/eabe40f8a53c29f531e92778ea243e379f4f7978 https://git.kernel.org/stable/c/ec25e60f9f95464aa11411db31d0906b3fb7b9f2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: bcm-sba-raid: fix device leak on probe Make sure to drop the reference taken when looking up the mailbox device during probe on probe failures and on driver unbind. | 2026-01-31 | not yet calculated | CVE-2025-71190 | https://git.kernel.org/stable/c/c80ca7bdff158401440741bdcf9175bd8608580b https://git.kernel.org/stable/c/db6f1d6d31711e73e6a214c73e6a8fb4cda0483d https://git.kernel.org/stable/c/2ed1a9de1f2d727ccae5bc9cc7c63ee3519c0c8b https://git.kernel.org/stable/c/7c3a46ebf15a9796b763a54272407fdbf945bed8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: at_hdmac: fix device leak on of_dma_xlate() Make sure to drop the reference taken when looking up the DMA platform device during of_dma_xlate() when releasing channel resources. Note that commit 3832b78b3ec2 (“dmaengine: at_hdmac: add missing put_device() call in at_dma_xlate()”) fixed the leak in a couple of error paths but the reference is still leaking on successful allocation. | 2026-01-31 | not yet calculated | CVE-2025-71191 | https://git.kernel.org/stable/c/987c71671367f42460689b78244d7b894c50999a https://git.kernel.org/stable/c/6a86cf2c09e149d5718a5b7090545f7566da9334 https://git.kernel.org/stable/c/f3c23b7e941349505c3d40de2cc0acd93d9ac057 https://git.kernel.org/stable/c/b9074b2d7a230b6e28caa23165e9d8bc0677d333 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: perf: Ensure swevent hrtimer is properly destroyed With the change to hrtimer_try_to_cancel() in perf_swevent_cancel_hrtimer() it appears possible for the hrtimer to still be active by the time the event gets freed. Make sure the event does a full hrtimer_cancel() on the free path by installing a perf_event::destroy handler. | 2026-01-28 | not yet calculated | CVE-2026-23014 | https://git.kernel.org/stable/c/deee9dfb111ab00f9dfd46c0c7e36656b80f5235 https://git.kernel.org/stable/c/ff5860f5088e9076ebcccf05a6ca709d5935cfa9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: mpsse: fix reference leak in gpio_mpsse_probe() error paths The reference obtained by calling usb_get_dev() is not released in the gpio_mpsse_probe() error paths. Fix that by using device managed helper functions. Also remove the usb_put_dev() call in the disconnect function since now it will be released automatically. | 2026-01-31 | not yet calculated | CVE-2026-23015 | https://git.kernel.org/stable/c/7ea26e6dcabc270433b6ded2a1aee85b215d1b28 https://git.kernel.org/stable/c/1e876e5a0875e71e34148c9feb2eedd3bf6b2b43 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: inet: frags: drop fraglist conntrack references Jakub added a warning in nf_conntrack_cleanup_net_list() to make debugging leaked skbs/conntrack references more obvious. syzbot reports this as triggering, and I can also reproduce this via ip_defrag.sh selftest: conntrack cleanup blocked for 60s WARNING: net/netfilter/nf_conntrack_core.c:2512 [..] conntrack cleanup gets stuck because there are skbs which still hold nf_conn references via their frag_list. net.core.skb_defer_max=0 makes the hang disappear. Eric Dumazet points out that skb_release_head_state() doesn’t follow the fraglist. ip_defrag.sh can only reproduce this problem since commit 6471658dc66c (“udp: use skb_attempt_defer_free()”), but AFAICS this problem could happen with TCP as well if pmtu discovery is off. The relevant problem path for udp is: 1. netns emits fragmented packets 2. nf_defrag_v6_hook reassembles them (in output hook) 3. reassembled skb is tracked (skb owns nf_conn reference) 4. ip6_output refragments 5. refragmented packets also own nf_conn reference (ip6_fragment calls ip6_copy_metadata()) 6. on input path, nf_defrag_v6_hook skips defragmentation: the fragments already have skb->nf_conn attached 7. skbs are reassembled via ipv6_frag_rcv() 8. skb_consume_udp -> skb_attempt_defer_free() -> skb ends up in pcpu freelist, but still has nf_conn reference. Possible solutions: 1 let defrag engine drop nf_conn entry, OR 2 export kick_defer_list_purge() and call it from the conntrack netns exit callback, OR 3 add skb_has_frag_list() check to skb_attempt_defer_free() 2 & 3 also solve ip_defrag.sh hang but share same drawback: Such reassembled skbs, queued to socket, can prevent conntrack module removal until userspace has consumed the packet. While both tcp and udp stack do call nf_reset_ct() before placing skb on socket queue, that function doesn’t iterate frag_list skbs. Therefore drop nf_conn entries when they are placed in defrag queue. Keep the nf_conn entry of the first (offset 0) skb so that reassembled skb retains nf_conn entry for sake of TX path. Note that fixes tag is incorrect; it points to the commit introducing the ‘ip_defrag.sh reproducible problem’: no need to backport this patch to every stable kernel. | 2026-01-31 | not yet calculated | CVE-2026-23016 | https://git.kernel.org/stable/c/088ca99dbb039c444c3ff987c5412a73f4f0cbf8 https://git.kernel.org/stable/c/2ef02ac38d3c17f34a00c4b267d961a8d4b45d1a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix error handling in the init_task on load If the init_task fails during a driver load, we end up without vports and netdevs, effectively failing the entire process. In that state a subsequent reset will result in a crash as the service task attempts to access uninitialized resources. Following trace is from an error in the init_task where the CREATE_VPORT (op 501) is rejected by the FW: [40922.763136] idpf 0000:83:00.0: Device HW Reset initiated [40924.449797] idpf 0000:83:00.0: Transaction failed (op 501) [40958.148190] idpf 0000:83:00.0: HW reset detected [40958.161202] BUG: kernel NULL pointer dereference, address: 00000000000000a8 … [40958.168094] Workqueue: idpf-0000:83:00.0-vc_event idpf_vc_event_task [idpf] [40958.168865] RIP: 0010:idpf_vc_event_task+0x9b/0x350 [idpf] … [40958.177932] Call Trace: [40958.178491] <TASK> [40958.179040] process_one_work+0x226/0x6d0 [40958.179609] worker_thread+0x19e/0x340 [40958.180158] ? __pfx_worker_thread+0x10/0x10 [40958.180702] kthread+0x10f/0x250 [40958.181238] ? __pfx_kthread+0x10/0x10 [40958.181774] ret_from_fork+0x251/0x2b0 [40958.182307] ? __pfx_kthread+0x10/0x10 [40958.182834] ret_from_fork_asm+0x1a/0x30 [40958.183370] </TASK> Fix the error handling in the init_task to make sure the service and mailbox tasks are disabled if the error happens during load. These are started in idpf_vc_core_init(), which spawns the init_task and has no way of knowing if it failed. If the error happens on reset, following successful driver load, the tasks can still run, as that will allow the netdevs to attempt recovery through another reset. Stop the PTP callbacks either way as those will be restarted by the call to idpf_vc_core_init() during a successful reset. | 2026-01-31 | not yet calculated | CVE-2026-23017 | https://git.kernel.org/stable/c/a514c374edcd33581cdcccf8faa7cc606a600319 https://git.kernel.org/stable/c/4d792219fe6f891b5b557a607ac8a0a14eda6e38 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before initializing extent tree in btrfs_read_locked_inode() In btrfs_read_locked_inode() we are calling btrfs_init_file_extent_tree() while holding a path with a read locked leaf from a subvolume tree, and btrfs_init_file_extent_tree() may do a GFP_KERNEL allocation, which can trigger reclaim. This can create a circular lock dependency which lockdep warns about with the following splat: [6.1433] ====================================================== [6.1574] WARNING: possible circular locking dependency detected [6.1583] 6.18.0+ #4 Tainted: G U [6.1591] ------------------------------------------------------ [6.1599] kswapd0/117 is trying to acquire lock: [6.1606] ffff8d9b6333c5b8 (&delayed_node->mutex){+.+.}-{3:3}, at: __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1625] but task is already holding lock: [6.1633] ffffffffa4ab8ce0 (fs_reclaim){+.+.}-{0:0}, at: balance_pgdat+0x195/0xc60 [6.1646] which lock already depends on the new lock. [6.1657] the existing dependency chain (in reverse order) is: [6.1667] -> #2 (fs_reclaim){+.+.}-{0:0}: [6.1677] fs_reclaim_acquire+0x9d/0xd0 [6.1685] __kmalloc_cache_noprof+0x59/0x750 [6.1694] btrfs_init_file_extent_tree+0x90/0x100 [6.1702] btrfs_read_locked_inode+0xc3/0x6b0 [6.1710] btrfs_iget+0xbb/0xf0 [6.1716] btrfs_lookup_dentry+0x3c5/0x8e0 [6.1724] btrfs_lookup+0x12/0x30 [6.1731] lookup_open.isra.0+0x1aa/0x6a0 [6.1739] path_openat+0x5f7/0xc60 [6.1746] do_filp_open+0xd6/0x180 [6.1753] do_sys_openat2+0x8b/0xe0 [6.1760] __x64_sys_openat+0x54/0xa0 [6.1768] do_syscall_64+0x97/0x3e0 [6.1776] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1784] -> #1 (btrfs-tree-00){++++}-{3:3}: [6.1794] lock_release+0x127/0x2a0 [6.1801] up_read+0x1b/0x30 [6.1808] btrfs_search_slot+0x8e0/0xff0 [6.1817] btrfs_lookup_inode+0x52/0xd0 [6.1825] __btrfs_update_delayed_inode+0x73/0x520 [6.1833] btrfs_commit_inode_delayed_inode+0x11a/0x120 [6.1842] btrfs_log_inode+0x608/0x1aa0 [6.1849] btrfs_log_inode_parent+0x249/0xf80 [6.1857] btrfs_log_dentry_safe+0x3e/0x60 [6.1865] btrfs_sync_file+0x431/0x690 [6.1872] do_fsync+0x39/0x80 [6.1879] __x64_sys_fsync+0x13/0x20 [6.1887] do_syscall_64+0x97/0x3e0 [6.1894] entry_SYSCALL_64_after_hwframe+0x76/0x7e [6.1903] -> #0 (&delayed_node->mutex){+.+.}-{3:3}: [6.1913] __lock_acquire+0x15e9/0x2820 [6.1920] lock_acquire+0xc9/0x2d0 [6.1927] __mutex_lock+0xcc/0x10a0 [6.1934] __btrfs_release_delayed_node.part.0+0x39/0x2f0 [6.1944] btrfs_evict_inode+0x20b/0x4b0 [6.1952] evict+0x15a/0x2f0 [6.1958] prune_icache_sb+0x91/0xd0 [6.1966] super_cache_scan+0x150/0x1d0 [6.1974] do_shrink_slab+0x155/0x6f0 [6.1981] shrink_slab+0x48e/0x890 [6.1988] shrink_one+0x11a/0x1f0 [6.1995] shrink_node+0xbfd/0x1320 [6.1002] balance_pgdat+0x67f/0xc60 [6.1321] kswapd+0x1dc/0x3e0 [6.1643] kthread+0xff/0x240 [6.1965] ret_from_fork+0x223/0x280 [6.1287] ret_from_fork_asm+0x1a/0x30 [6.1616] other info that might help us debug this: [6.1561] Chain exists of: &delayed_node->mutex --> btrfs-tree-00 --> fs_reclaim [6.1503] Possible unsafe locking scenario: [6.1110] CPU0 CPU1 [6.1411] ---- ---- [6.1707] lock(fs_reclaim); [6.1998] lock(btrfs-tree-00); [6.1291] lock(fs_reclaim); [6.1581] lock(&del —truncated— | 2026-01-31 | not yet calculated | CVE-2026-23018 | https://git.kernel.org/stable/c/92a5590851144f034adc51fee55e6878ccac716e https://git.kernel.org/stable/c/8731f2c50b0b1d2b58ed5b9671ef2c4bdc2f8347 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: marvell: prestera: fix NULL dereference on devlink_alloc() failure devlink_alloc() may return NULL on allocation failure, but prestera_devlink_alloc() unconditionally calls devlink_priv() on the returned pointer. This leads to a NULL pointer dereference if devlink allocation fails. Add a check for a NULL devlink pointer and return NULL early to avoid the crash. | 2026-01-31 | not yet calculated | CVE-2026-23019 | https://git.kernel.org/stable/c/8a4333b2818f0d853b43e139936c20659366e4a0 https://git.kernel.org/stable/c/325aea74be7e192b5c947c782da23b0d19a5fda2 https://git.kernel.org/stable/c/94e070cd50790317fba7787ae6006934b7edcb6f https://git.kernel.org/stable/c/3950054c9512add0cc79ab7e72b6d2f9f675e25b https://git.kernel.org/stable/c/326a4b7e61d01db3507f71c8bb5e85362f607064 https://git.kernel.org/stable/c/a428e0da1248c353557970848994f35fd3f005e2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: 3com: 3c59x: fix possible null dereference in vortex_probe1() pdev can be null and free_ring: can be called in 1297 with a null pdev. | 2026-01-31 | not yet calculated | CVE-2026-23020 | https://git.kernel.org/stable/c/053ac9e37eee435e999277c0f1ef890dad6064bf https://git.kernel.org/stable/c/6cff14b831dbdb32675b4c7904dcc3eeeaf47e9d https://git.kernel.org/stable/c/606872c8e8bf96066730f6a2317502c5633c37f1 https://git.kernel.org/stable/c/28b2a805609699be7b90020ae7dccfb234be1ceb https://git.kernel.org/stable/c/2f05f7737e16d9a40038cc1c38a96a3f7964898b https://git.kernel.org/stable/c/d82796a57cc0dac1dbef19d913c8f02a8cc7b1a7 https://git.kernel.org/stable/c/a4e305ed60f7c41bbf9aabc16dd75267194e0de3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: usb: pegasus: fix memory leak in update_eth_regs_async() When asynchronously writing to the device registers, if usb_submit_urb() fails, the code fails to release the resources allocated up to this point. | 2026-01-31 | not yet calculated | CVE-2026-23021 | https://git.kernel.org/stable/c/5397ea6d21c35a17707e201a60761bdee00bcc4e https://git.kernel.org/stable/c/a40af9a2904a1ab8ce61866ebe2a894ef30754ba https://git.kernel.org/stable/c/ac5d92d2826dec51e5d4c6854865bc5817277452 https://git.kernel.org/stable/c/93f18eaa190374e0f2d253e3b1a65cee19a7abe6 https://git.kernel.org/stable/c/471dfb97599eec74e0476046b3ef8e7037f27b34 https://git.kernel.org/stable/c/ce6eef731aba23a988decea1df3b08cf978f7b01 https://git.kernel.org/stable/c/afa27621a28af317523e0836dad430bec551eb54 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vc_core_deinit() Make sure to free hw->lan_regs. Reported by kmemleak during reset: unreferenced object 0xff1b913d02a936c0 (size 96): comm “kworker/u258:14”, pid 2174, jiffies 4294958305 hex dump (first 32 bytes): 00 00 00 c0 a8 ba 2d ff 00 00 00 00 00 00 00 00 ……-……… 00 00 40 08 00 00 00 00 00 00 25 b3 a8 ba 2d ff ..@…….%…-. backtrace (crc 36063c4f): __kmalloc_noprof+0x48f/0x890 idpf_vc_core_init+0x6ce/0x9b0 [idpf] idpf_vc_event_task+0x1fb/0x350 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23022 | https://git.kernel.org/stable/c/23391db8a00c23854915b8b72ec1aa10080aa540 https://git.kernel.org/stable/c/e111cbc4adf9f9974eed040aeece7e17460f6bff |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak in idpf_vport_rel() Free vport->rx_ptype_lkup in idpf_vport_rel() to avoid leaking memory during a reset. Reported by kmemleak: unreferenced object 0xff450acac838a000 (size 4096): comm “kworker/u258:5”, pid 7732, jiffies 4296830044 hex dump (first 32 bytes): 00 00 00 00 00 10 00 00 00 10 00 00 00 00 00 00 ……………. 00 00 00 00 00 00 00 00 00 10 00 00 00 00 00 00 ……………. backtrace (crc 3da81902): __kmalloc_cache_noprof+0x469/0x7a0 idpf_send_get_rx_ptype_msg+0x90/0x570 [idpf] idpf_init_task+0x1ec/0x8d0 [idpf] process_one_work+0x226/0x6d0 worker_thread+0x19e/0x340 kthread+0x10f/0x250 ret_from_fork+0x251/0x2b0 ret_from_fork_asm+0x1a/0x30 | 2026-01-31 | not yet calculated | CVE-2026-23023 | https://git.kernel.org/stable/c/a4212d6732e3f674c6cc7d0b642f276d827e8f94 https://git.kernel.org/stable/c/ec602a2a4071eb956d656ba968c58fee09f0622d https://git.kernel.org/stable/c/f6242b354605faff263ca45882b148200915a3f6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix memory leak of flow steer list on rmmod The flow steering list maintains entries that are added and removed as ethtool creates and deletes flow steering rules. Module removal with active entries causes memory leak as the list is not properly cleaned up. Prevent this by iterating through the remaining entries in the list and freeing the associated memory during module removal. Add a spinlock (flow_steer_list_lock) to protect the list access from multiple threads. | 2026-01-31 | not yet calculated | CVE-2026-23024 | https://git.kernel.org/stable/c/1aedff70a5e97628eaaf17b169774cb6a45a1dc5 https://git.kernel.org/stable/c/f9841bd28b600526ca4f6713b0ca49bf7bb98452 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/page_alloc: prevent pcp corruption with SMP=n The kernel test robot has reported: BUG: spinlock trylock failure on UP on CPU#0, kcompactd0/28 lock: 0xffff888807e35ef0, .magic: dead4ead, .owner: kcompactd0/28, .owner_cpu: 0 CPU: 0 UID: 0 PID: 28 Comm: kcompactd0 Not tainted 6.18.0-rc5-00127-ga06157804399 #1 PREEMPT 8cc09ef94dcec767faa911515ce9e609c45db470 Call Trace: <IRQ> __dump_stack (lib/dump_stack.c:95) dump_stack_lvl (lib/dump_stack.c:123) dump_stack (lib/dump_stack.c:130) spin_dump (kernel/locking/spinlock_debug.c:71) do_raw_spin_trylock (kernel/locking/spinlock_debug.c:?) _raw_spin_trylock (include/linux/spinlock_api_smp.h:89 kernel/locking/spinlock.c:138) __free_frozen_pages (mm/page_alloc.c:2973) ___free_pages (mm/page_alloc.c:5295) __free_pages (mm/page_alloc.c:5334) tlb_remove_table_rcu (include/linux/mm.h:? include/linux/mm.h:3122 include/asm-generic/tlb.h:220 mm/mmu_gather.c:227 mm/mmu_gather.c:290) ? __cfi_tlb_remove_table_rcu (mm/mmu_gather.c:289) ? rcu_core (kernel/rcu/tree.c:?) rcu_core (include/linux/rcupdate.h:341 kernel/rcu/tree.c:2607 kernel/rcu/tree.c:2861) rcu_core_si (kernel/rcu/tree.c:2879) handle_softirqs (arch/x86/include/asm/jump_label.h:36 include/trace/events/irq.h:142 kernel/softirq.c:623) __irq_exit_rcu (arch/x86/include/asm/jump_label.h:36 kernel/softirq.c:725) irq_exit_rcu (kernel/softirq.c:741) sysvec_apic_timer_interrupt (arch/x86/kernel/apic/apic.c:1052) </IRQ> <TASK> RIP: 0010:_raw_spin_unlock_irqrestore (arch/x86/include/asm/preempt.h:95 include/linux/spinlock_api_smp.h:152 kernel/locking/spinlock.c:194) free_pcppages_bulk (mm/page_alloc.c:1494) drain_pages_zone (include/linux/spinlock.h:391 mm/page_alloc.c:2632) __drain_all_pages (mm/page_alloc.c:2731) drain_all_pages (mm/page_alloc.c:2747) kcompactd (mm/compaction.c:3115) kthread (kernel/kthread.c:465) ? __cfi_kcompactd (mm/compaction.c:3166) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork (arch/x86/kernel/process.c:164) ? __cfi_kthread (kernel/kthread.c:412) ret_from_fork_asm (arch/x86/entry/entry_64.S:255) </TASK> Matthew has analyzed the report and identified that in drain_pages_zone() we are in a section protected by spin_lock(&pcp->lock) and then get an interrupt that attempts spin_trylock() on the same lock. The code is designed to work this way without disabling IRQs and occasionally fail the trylock with a fallback. However, the SMP=n spinlock implementation assumes spin_trylock() will always succeed, and thus it’s normally a no-op. Here the enabled lock debugging catches the problem, but otherwise it could cause a corruption of the pcp structure. The problem has been introduced by commit 574907741599 (“mm/page_alloc: leave IRQs enabled for per-cpu page allocations”). The pcp locking scheme recognizes the need for disabling IRQs to prevent nesting spin_trylock() sections on SMP=n, but the need to prevent the nesting in spin_lock() has not been recognized. Fix it by introducing local wrappers that change the spin_lock() to spin_lock_irqsave() with SMP=n and use them in all places that do spin_lock(&pcp->lock). [vbabka@suse.cz: add pcp_ prefix to the spin_lock_irqsave wrappers, per Steven] | 2026-01-31 | not yet calculated | CVE-2026-23025 | https://git.kernel.org/stable/c/4a04ff9cd816e7346fcc8126f00ed80481f6569d https://git.kernel.org/stable/c/df63d31e9ae02e2f6cd96147779e4ed7cd0e75f6 https://git.kernel.org/stable/c/3098f8f7c7b0686c74827aec42a2c45e69801ff8 https://git.kernel.org/stable/c/038a102535eb49e10e93eafac54352fcc5d78847 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: qcom: gpi: Fix memory leak in gpi_peripheral_config() Fix a memory leak in gpi_peripheral_config() where the original memory pointed to by gchan->config could be lost if krealloc() fails. The issue occurs when: 1. gchan->config points to previously allocated memory 2. krealloc() fails and returns NULL 3. The function directly assigns NULL to gchan->config, losing the reference to the original memory 4. The original memory becomes unreachable and cannot be freed Fix this by using a temporary variable to hold the krealloc() result and only updating gchan->config when the allocation succeeds. Found via static analysis and code review. | 2026-01-31 | not yet calculated | CVE-2026-23026 | https://git.kernel.org/stable/c/6bf4ef078fd11910988889a6c0b3698d2e0c89af https://git.kernel.org/stable/c/01b1d781394fc9b83015e3a3cd46b17bda842bd8 https://git.kernel.org/stable/c/55a67ba5ac4cebfd54cc8305d4d57a0f1dfe6a85 https://git.kernel.org/stable/c/3f747004bbd641131d9396d87b5d2d3d1e182728 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_pch_pic_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_pch_pic_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23027 | https://git.kernel.org/stable/c/fc53a66227af08d868face4b33fa8b2e1ba187ed https://git.kernel.org/stable/c/1cf342a7c3adc5877837b53bbceb5cc9eff60bbf |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_ipi_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_ipi_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23028 | https://git.kernel.org/stable/c/5defcc2f9c22e6e09b5be68234ad10f4ba0292b7 https://git.kernel.org/stable/c/0bf58cb7288a4d3de6d8ecbb3a65928a9362bf21 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: LoongArch: KVM: Fix kvm_device leak in kvm_eiointc_destroy() In kvm_ioctl_create_device(), kvm_device has allocated memory, kvm_device->destroy() seems to be supposed to free its kvm_device struct, but kvm_eiointc_destroy() is not currently doing this, that would lead to a memory leak. So, fix it. | 2026-01-31 | not yet calculated | CVE-2026-23029 | https://git.kernel.org/stable/c/e94ec9661c5820d157d2cc4b6cf4a6ab656a7b4d https://git.kernel.org/stable/c/7d8553fc75aefa7ec936af0cf8443ff90b51732e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: phy: rockchip: inno-usb2: Fix a double free bug in rockchip_usb2phy_probe() The for_each_available_child_of_node() calls of_node_put() to release child_np in each success loop. After breaking from the loop with the child_np has been released, the code will jump to the put_child label and will call the of_node_put() again if the devm_request_threaded_irq() fails. These cause a double free bug. Fix by returning directly to avoid the duplicate of_node_put(). | 2026-01-31 | not yet calculated | CVE-2026-23030 | https://git.kernel.org/stable/c/ebae26dd15140b840cf65be5e1c0daee949ba70b https://git.kernel.org/stable/c/027d42b97e6eb827c3438ebc09bab7efaee9270d https://git.kernel.org/stable/c/efe92ee7a111fe0f4d75f3ed6b7e3f86322279d5 https://git.kernel.org/stable/c/e07dea3de508cd6950c937cec42de7603190e1ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak In gs_can_open(), the URBs for USB-in transfers are allocated, added to the parent->rx_submitted anchor and submitted. In the complete callback gs_usb_receive_bulk_callback(), the URB is processed and resubmitted. In gs_can_close() the URBs are freed by calling usb_kill_anchored_urbs(parent->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in gs_can_close(). Fix the memory leak by anchoring the URB in the gs_usb_receive_bulk_callback() to the parent->rx_submitted anchor. | 2026-01-31 | not yet calculated | CVE-2026-23031 | https://git.kernel.org/stable/c/f905bcfa971edb89e398c98957838d8c6381c0c7 https://git.kernel.org/stable/c/08624b7206ddb9148eeffc2384ebda2c47b6d1e9 https://git.kernel.org/stable/c/9f669a38ca70839229b7ba0f851820850a2fe1f7 https://git.kernel.org/stable/c/7352e1d5932a0e777e39fa4b619801191f57e603 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: null_blk: fix kmemleak by releasing references to fault configfs items When CONFIG_BLK_DEV_NULL_BLK_FAULT_INJECTION is enabled, the null-blk driver sets up fault injection support by creating the timeout_inject, requeue_inject, and init_hctx_fault_inject configfs items as children of the top-level nullbX configfs group. However, when the nullbX device is removed, the references taken to these fault-config configfs items are not released. As a result, kmemleak reports a memory leak, for example: unreferenced object 0xc00000021ff25c40 (size 32): comm “mkdir”, pid 10665, jiffies 4322121578 hex dump (first 32 bytes): 69 6e 69 74 5f 68 63 74 78 5f 66 61 75 6c 74 5f init_hctx_fault_ 69 6e 6a 65 63 74 00 88 00 00 00 00 00 00 00 00 inject………. backtrace (crc 1a018c86): __kmalloc_node_track_caller_noprof+0x494/0xbd8 kvasprintf+0x74/0xf4 config_item_set_name+0xf0/0x104 config_group_init_type_name+0x48/0xfc fault_config_init+0x48/0xf0 0xc0080000180559e4 configfs_mkdir+0x304/0x814 vfs_mkdir+0x49c/0x604 do_mkdirat+0x314/0x3d0 sys_mkdir+0xa0/0xd8 system_call_exception+0x1b0/0x4f0 system_call_vectored_common+0x15c/0x2ec Fix this by explicitly releasing the references to the fault-config configfs items when dropping the reference to the top-level nullbX configfs group. | 2026-01-31 | not yet calculated | CVE-2026-23032 | https://git.kernel.org/stable/c/1a3286edf4d48ce37f8982ff3c3b65159a5ecbb2 https://git.kernel.org/stable/c/d59ba448ccd595d5d65e197216cf781a87db2b28 https://git.kernel.org/stable/c/f1718da051282698aa8fa150bebb9724f6389fda https://git.kernel.org/stable/c/40b94ec7edbbb867c4e26a1a43d2b898f04b93c5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: omap-dma: fix dma_pool resource leak in error paths The dma_pool created by dma_pool_create() is not destroyed when dma_async_device_register() or of_dma_controller_register() fails, causing a resource leak in the probe error paths. Add dma_pool_destroy() in both error paths to properly release the allocated dma_pool resource. | 2026-01-31 | not yet calculated | CVE-2026-23033 | https://git.kernel.org/stable/c/88a9483f093bbb9263dcf21bc7fdb5132e5de88d https://git.kernel.org/stable/c/4b93712e96be17029bd22787f2e39feb0e73272c https://git.kernel.org/stable/c/829b00481734dd54e72f755fd6584bce6fbffbb0 https://git.kernel.org/stable/c/2e1136acf8a8887c29f52e35a77b537309af321f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: Fix fence reference leak on queue teardown v2 The user mode queue keeps a pointer to the most recent fence in userq->last_fence. This pointer holds an extra dma_fence reference. When the queue is destroyed, we free the fence driver and its xarray, but we forgot to drop the last_fence reference. Because of the missing dma_fence_put(), the last fence object can stay alive when the driver unloads. This leaves an allocated object in the amdgpu_userq_fence slab cache and triggers This is visible during driver unload as: BUG amdgpu_userq_fence: Objects remaining on __kmem_cache_shutdown() kmem_cache_destroy amdgpu_userq_fence: Slab cache still has objects Call Trace: kmem_cache_destroy amdgpu_userq_fence_slab_fini amdgpu_exit __do_sys_delete_module Fix this by putting userq->last_fence and clearing the pointer during amdgpu_userq_fence_driver_free(). This makes sure the fence reference is released and the slab cache is empty when the module exits. v2: Update to only release userq->last_fence with dma_fence_put() (Christian) (cherry picked from commit 8e051e38a8d45caf6a866d4ff842105b577953bb) | 2026-01-31 | not yet calculated | CVE-2026-23034 | https://git.kernel.org/stable/c/e1a30e1ab33fc522785d04bbf7e1b13a5c5c9175 https://git.kernel.org/stable/c/b2426a211dba6432e32a2e70e9183c6e134475c6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/mlx5e: Pass netdev to mlx5e_destroy_netdev instead of priv mlx5e_priv is an unstable structure that can be memset(0) if profile attaching fails. Pass netdev to mlx5e_destroy_netdev() to guarantee it will work on a valid netdev. On mlx5e_remove: Check validity of priv->profile, before attempting to cleanup any resources that might be not there. This fixes a kernel oops in mlx5e_remove when switchdev mode fails due to change profile failure. $ devlink dev eswitch set pci/0000:00:03.0 mode switchdev Error: mlx5_core: Failed setting eswitch to offloads. dmesg: workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: new profile init failed, -12 workqueue: Failed to create a rescuer kthread for wq “mlx5e”: -EINTR mlx5_core 0012:03:00.1: mlx5e_netdev_init_profile:6214:(pid 37199): mlx5e_priv_init failed, err=-12 mlx5_core 0012:03:00.1 gpu3rdma1: mlx5e_netdev_change_profile: failed to rollback to orig profile, -12 $ devlink dev reload pci/0000:00:03.0 ==> oops | 2026-01-31 | not yet calculated | CVE-2026-23035 | https://git.kernel.org/stable/c/a7625bacaa8c8c2bfcde6dd6d1397bd63ad82b02 https://git.kernel.org/stable/c/66a25f6b7c0bfd84e6d27b536f5d24116dbd52da https://git.kernel.org/stable/c/4ef8512e1427111f7ba92b4a847d181ff0aeec42 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: release path before iget_failed() in btrfs_read_locked_inode() In btrfs_read_locked_inode() if we fail to lookup the inode, we jump to the ‘out’ label with a path that has a read locked leaf and then we call iget_failed(). This can result in an ABBA deadlock, since iget_failed() triggers inode eviction and that causes the release of the delayed inode, which must lock the delayed inode’s mutex, and a task updating a delayed inode starts by taking the node’s mutex and then modifying the inode’s subvolume btree. Syzbot reported the following lockdep splat for this: —truncated— | 2026-01-31 | not yet calculated | CVE-2026-23036 | https://git.kernel.org/stable/c/65241e3ddda60b53a4ee3ae12721fc9ee21d5827 https://git.kernel.org/stable/c/1e1f2055ad5a7a5d548789b334a4473a7665c418 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: etas_es58x: allow partial RX URB allocation to succeed When es58x_alloc_rx_urbs() fails to allocate the requested number of URBs but succeeds in allocating some, it returns an error code. This causes es58x_open() to return early, skipping the cleanup label ‘free_urbs’, which leads to the anchored URBs being leaked. As pointed out by maintainer Vincent Mailhol, the driver is designed to handle partial URB allocation gracefully. Therefore, partial allocation should not be treated as a fatal error. Modify es58x_alloc_rx_urbs() to return 0 if at least one URB has been allocated, restoring the intended behavior and preventing the leak in es58x_open(). | 2026-01-31 | not yet calculated | CVE-2026-23037 | https://git.kernel.org/stable/c/611e839d2d552416b498ed5593e10670f61fcd4d https://git.kernel.org/stable/c/ba45e3d6b02c97dbb4578fbae7027fd66f3caa10 https://git.kernel.org/stable/c/6c5124a60989051799037834f0a1a4b428718157 https://git.kernel.org/stable/c/b1979778e98569c1e78c2c7f16bb24d76541ab00 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pnfs/flexfiles: Fix memory leak in nfs4_ff_alloc_deviceid_node() In nfs4_ff_alloc_deviceid_node(), if the allocation for ds_versions fails, the function jumps to the out_scratch label without freeing the already allocated dsaddrs list, leading to a memory leak. Fix this by jumping to the out_err_drain_dsaddrs label, which properly frees the dsaddrs list before cleaning up other resources. | 2026-01-31 | not yet calculated | CVE-2026-23038 | https://git.kernel.org/stable/c/869862056e100973e76ce9f5f1b01837771b7722 https://git.kernel.org/stable/c/86da7efd12295a7e2b4abde5e5984c821edd938f https://git.kernel.org/stable/c/ed5d3f2f6885eb99f729e6ffd946e3aa058bd3eb https://git.kernel.org/stable/c/0c728083654f0066f5e10a1d2b0bd0907af19a58 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/gud: fix NULL fb and crtc dereferences on USB disconnect On disconnect drm_atomic_helper_disable_all() is called which sets both the fb and crtc for a plane to NULL before invoking a commit. This causes a kernel oops on every display disconnect. Add guards for those dereferences. | 2026-01-31 | not yet calculated | CVE-2026-23039 | https://git.kernel.org/stable/c/a255ec07f91d4c73a361a28b7a3d82f5710245f1 https://git.kernel.org/stable/c/dc2d5ddb193e363187bae2ad358245642d2721fb |
| liuyueyi–quick-media | Improper Control of Generation of Code (‘Code Injection’) vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/png modules). This vulnerability is associated with program files PNGImageEncoder.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24806 | https://github.com/liuyueyi/quick-media/pull/122 |
| liuyueyi–quick-media | Improper Verification of Cryptographic Signature vulnerability in liuyueyi quick-media (plugins/svg-plugin/batik-codec-fix/src/main/java/org/apache/batik/ext/awt/image/codec/util modules). This vulnerability is associated with program files SeekableOutputStream.Java. This issue affects quick-media: before v1.0. | 2026-01-27 | not yet calculated | CVE-2026-24807 | https://github.com/liuyueyi/quick-media/pull/123 |
| LiveHelperChat–LiveHelperChat | Stored Cross-Site Scripting (XSS) vulnerability in the PDF file upload functionality of Live Helper Chat, versions prior to 4.72. An attacker can upload a malicious PDF file containing an XSS payload, which will be executed in the user’s context when they download and open the file via the link generated by the application. The vulnerability allows arbitrary JavaScript code to be executed in the user’s local context. | 2026-01-28 | not yet calculated | CVE-2026-0483 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-vulnerability-livehelperchat |
| lobehub–lobe-chat | LobeHub is an open source human-and-AI-agent network. Prior to version 1.143.3, the file upload feature in `Knowledge Base > File Upload` does not validate the integrity of the upload request, allowing users to intercept and modify the request parameters. As a result, it is possible to create arbitrary files in abnormal or unintended paths. In addition, since `lobechat.com` relies on the size parameter from the request to calculate file usage, an attacker can manipulate this value to misrepresent the actual file size, such as uploading a `1 GB` file while reporting it as `10 MB`, or falsely declaring a `10 MB` file as a `1 GB` file. By manipulating the size value provided in the client upload request, it is possible to bypass the monthly upload quota enforced by the server and continuously upload files beyond the intended storage and traffic limits. This abuse can result in a discrepancy between actual resource consumption and billing calculations, causing direct financial impact to the service operator. Additionally, exhaustion of storage or related resources may lead to degraded service availability, including failed uploads, delayed content delivery, or temporary suspension of upload functionality for legitimate users. A single malicious user can also negatively affect other users or projects sharing the same subscription plan, effectively causing an indirect denial of service (DoS). Furthermore, excessive and unaccounted-for uploads can distort monitoring metrics and overload downstream systems such as backup processes, malware scanning, and media processing pipelines, ultimately undermining overall operational stability and service reliability. Version 1.143.3 contains a patch for the issue. | 2026-01-30 | not yet calculated | CVE-2026-23835 | https://github.com/lobehub/lobehub/security/advisories/GHSA-wrrr-8jcv-wjf5 |
| Meta–react-server-dom-webpack | Multiple denial of service vulnerabilities exist in React Server Components, affecting the following packages: react-server-dom-parcel, react-server-dom-turbopack, react-server-dom-webpack. The vulnerabilities are triggered by sending specially crafted HTTP requests to Server Function endpoints, and could lead to server crashes, out-of-memory exceptions or excessive CPU usage, depending on the vulnerable code path being exercised, the application configuration and application code. Strongly consider upgrading to the latest package versions to reduce risk and prevent availability issues in applications using React Server Components. | 2026-01-26 | not yet calculated | CVE-2026-23864 | https://www.facebook.com/security/advisories/cve-2026-23864 |
| Micron Technology, Inc.–Crucial Storage Executive | Crucial Storage Executive installer versions prior to 11.08.082025.00 contain a DLL preloading vulnerability. During installation, the installer runs with elevated privileges and loads Windows DLLs using an uncontrolled search path, which can cause a malicious DLL placed alongside the installer to be loaded instead of the intended system library. A local attacker who can convince a victim to run the installer from a directory containing the attacker-supplied DLL can achieve arbitrary code execution with administrator privileges. | 2026-01-26 | not yet calculated | CVE-2025-71178 | https://eu.crucial.com/support/storage-executive https://www.vulncheck.com/advisories/crucial-storage-executive-installer-dll-preloading-lpe |
| Mintplex-Labs–anything-llm | AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated users via the `/api/setup-complete` endpoint. Leakage of QdrantApiKey allows an unauthenticated attacker full read/write access to the Qdrant vector database instance used by AnythingLLM. Since Qdrant often stores the core knowledge base for RAG in AnythingLLM, this can lead to complete compromise of the semantic search / retrieval functionality and indirect leakage of confidential uploaded documents. Version 1.10.0 patches the issue. | 2026-01-26 | not yet calculated | CVE-2026-24477 | https://github.com/Mintplex-Labs/anything-llm/security/advisories/GHSA-gm94-qc2p-xcwf |
| monkey–monkey | An out-of-bounds read in the http_parser_transfer_encoding_chunked function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted POST request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63649 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | An out-of-bounds read in the mk_ptr_to_buf in mk_core function (mk_memory.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63650 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | A use-after-free in the mk_string_char_search function (mk_core/mk_string.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63651 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | A use-after-free in the mk_http_request_end function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63652 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | An out-of-bounds read in the mk_vhost_fdt_close function (mk_server/mk_vhost.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63653 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | A NULL pointer dereference in the mk_http_range_parse function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63655 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | An out-of-bounds read in the header_cmp function (mk_server/mk_http_parser.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63656 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | An out-of-bounds read in the mk_mimetype_find function (mk_server/mk_mimetype.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63657 | https://github.com/monkey/monkey/issues/426 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| monkey–monkey | A stack overflow in the mk_http_index_lookup function (mk_server/mk_http.c) of monkey commit f37e984 allows attackers to cause a Denial of Service (DoS) via sending a crafted HTTP request to the server. | 2026-01-29 | not yet calculated | CVE-2025-63658 | https://github.com/monkey/monkey/issues/427 https://github.com/archersec/security-advisories/blob/master/monkey/monkey-advisory-2025.md |
| Mozilla–Firefox | Mitigation bypass in the Privacy: Anti-Tracking component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24868 | https://bugzilla.mozilla.org/show_bug.cgi?id=2007302 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla–Firefox | Use-after-free in the Layout: Scrolling and Overflow component. This vulnerability affects Firefox < 147.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24869 | https://bugzilla.mozilla.org/show_bug.cgi?id=2008698 https://www.mozilla.org/security/advisories/mfsa2026-06/ |
| Mozilla–Thunderbird | When a user explicitly requested Thunderbird to decrypt an inline OpenPGP message that was embedded in a text section of an email that was formatted and styled with HTML and CSS, then the decrypted contents were rendered in a context in which the CSS styles from the outer messages were active. If the user had additionally allowed loading of the remote content referenced by the outer email message, and the email was crafted by the sender using a combination of CSS rules and fonts and animations, then it was possible to extract the secret contents of the email. This vulnerability affects Thunderbird < 147.0.1 and Thunderbird < 140.7.1. | 2026-01-28 | not yet calculated | CVE-2026-0818 | https://bugzilla.mozilla.org/show_bug.cgi?id=1881530 https://www.mozilla.org/security/advisories/mfsa2026-07/ https://www.mozilla.org/security/advisories/mfsa2026-08/ |
| MuntashirAkon–AppManager | Integer Overflow or Wraparound vulnerability in MuntashirAkon AppManager (app/src/main/java/org/apache/commons/compress/archivers/tar modules). This vulnerability is associated with program files TarUtils.Java. This issue affects AppManager: before 4.0.4. | 2026-01-27 | not yet calculated | CVE-2026-1464 | https://github.com/MuntashirAkon/AppManager/pull/1598 |
| N3uron–N3uron | An issue in N3uron Web User Interface v.1.21.7-240207.1047 allows a remote attacker to escalate privileges via the password hashing on the client side using the MD5 algorithm over a predictable string format. | 2026-01-29 | not yet calculated | CVE-2025-69929 | http://n3uron.com https://www.linkedin.com/in/joselabreu https://gist.github.com/JoseAbreu28/67f5d8bfc7ba1def526efeda5771a244 |
| NAVER–billboard.js | billboard.js before 3.18.0 allows an attacker to execute malicious JavaScript due to improper sanitization during chart option binding. | 2026-01-28 | not yet calculated | CVE-2026-1513 | https://cve.naver.com/detail/cve-2026-1513.html |
| neka-nat–cupoch | Out-of-bounds Write vulnerability in neka-nat cupoch (third_party/libjpeg-turbo/libjpeg-turbo modules). This vulnerability is associated with program files tjbench.C. This issue affects cupoch. | 2026-01-27 | not yet calculated | CVE-2026-24797 | https://github.com/neka-nat/cupoch/pull/138 |
| NETGEAR–NETGEAR products | Some end of service NETGEAR products provide “TelnetEnable” functionality, which allows a magic packet to activate telnet service on the box. | 2026-01-30 | not yet calculated | CVE-2026-24714 | https://www.netgear.com/about/eos/ https://jvn.jp/en/jp/JVN46722282/ |
| nocodb–nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, an unvalidated redirect (open redirect) vulnerability exists in NocoDB’s login flow due to missing validation of the `continueAfterSignIn` parameter. During authentication, NocoDB processes a user-controlled redirect value and conditionally performs client-side navigation without enforcing any restrictions on the destination’s origin, domain or protocol. This allows attackers to redirect authenticated users to arbitrary external websites after login. This vulnerability enables phishing attacks by leveraging user trust in the legitimate NocoDB login flow. While it does not directly expose credentials or bypass authentication, it increases the likelihood of credential theft through social engineering. The issue does not allow arbitrary code execution or privilege escalation, but it undermines authentication integrity. Version 0.301.0 fixes the issue. | 2026-01-28 | not yet calculated | CVE-2026-24768 | https://github.com/nocodb/nocodb/security/advisories/GHSA-3hmw-8mw3-rmpj |
| nocodb–nocodb | NocoDB is software for building databases as spreadsheets. Prior to version 0.301.0, a stored cross-site scripting (XSS) vulnerability exists in NocoDB’s attachment handling mechanism. Authenticated users can upload malicious SVG files containing embedded JavaScript, which are later rendered inline and executed in the browsers of other users who view the attachment. Because the malicious payload is stored server-side and executed under the application’s origin, successful exploitation can lead to account compromise, data exfiltration and unauthorized actions performed on behalf of affected users. Version 0.301.0 patches the issue. | 2026-01-28 | not yet calculated | CVE-2026-24769 | https://github.com/nocodb/nocodb/security/advisories/GHSA-q5c6-h22r-qpwr |
| Node.js–Node.js | The Node.js package browserstack-local 1.5.8 contains a command injection vulnerability. This occurs because the logfile variable is not properly sanitized in lib/Local.js. | 2026-01-28 | not yet calculated | CVE-2025-57283 | https://www.npmjs.com https://gist.github.com/Dremig/b639c61541dd1482007dc7a5cd7fefb1 |
| nvm-sh–nvm | A command injection vulnerability exists in nvm (Node Version Manager) versions 0.40.3 and below. The nvm_download() function uses eval to execute wget commands, and the NVM_AUTH_HEADER environment variable was not sanitized in the wget code path (though it was sanitized in the curl code path). An attacker who can set environment variables in a victim’s shell environment (e.g., via malicious CI/CD configurations, compromised dotfiles, or Docker images) can inject arbitrary shell commands that execute when the victim runs nvm commands that trigger downloads, such as ‘nvm install’ or ‘nvm ls-remote’. | 2026-01-29 | not yet calculated | CVE-2026-1665 | Fix commit Release v0.40.4 nvm GitHub repository https://github.com/nvm-sh/nvm/pull/3380 |
| OctoPrint–OctoPrint | OctoPrint provides a web interface for controlling consumer 3D printers. OctoPrint versions up to and including 1.11.5 are affected by a (theoretical) timing attack vulnerability that allows API key extraction over the network. Due to using character-based comparison that short-circuits on the first mismatched character during API key validation, rather than a cryptographic method with static runtime regardless of the point of mismatch, an attacker with network-based access to an affected OctoPrint could extract API keys valid on the instance by measuring the response times of the denied access responses and guessing an API key character by character. The vulnerability is patched in version 1.11.6. The likelihood of this attack actually working is highly dependent on the network’s latency, noise and similar parameters. An actual proof of concept was not achieved so far. Still, as always, administrators are advised to not expose their OctoPrint instance on hostile networks, especially not on the public Internet. | 2026-01-27 | not yet calculated | CVE-2026-23892 | https://github.com/OctoPrint/OctoPrint/security/advisories/GHSA-xg4x-w2j3-57h6 https://github.com/OctoPrint/OctoPrint/commit/249fd80ab01bc4b7dabedff768230a0fb5d01a8c https://github.com/OctoPrint/OctoPrint/releases/tag/1.11.6 |
| OneFlow–OneFlow | A shape mismatch vulnerability in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via supplying crafted tensor shapes. | 2026-01-28 | not yet calculated | CVE-2025-65886 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10666 |
| OneFlow–OneFlow | A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. | 2026-01-28 | not yet calculated | CVE-2025-65887 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10665 |
| OneFlow–OneFlow | A dimension validation flaw in the flow.empty() component of OneFlow 0.9.0 allows attackers to cause a Denial of Service (DoS) via a negative or excessively large dimension value. | 2026-01-28 | not yet calculated | CVE-2025-65888 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10664 |
| OneFlow–OneFlow | A type validation flaw in the flow.dstack() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-65889 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10663 |
| OneFlow–OneFlow | A device-ID validation flaw in OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) by calling flow.cuda.synchronize() with an invalid or out-of-range GPU device index. | 2026-01-28 | not yet calculated | CVE-2025-65890 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10662 |
| OneFlow–OneFlow | A GPU device-ID validation flaw in OneFlow v0.9.0 allows attackers to trigger a Denial of Service (DoS) by invoking flow.cuda.get_device_properties() with an invalid or negative device index. | 2026-01-28 | not yet calculated | CVE-2025-65891 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow https://github.com/Oneflow-Inc/oneflow/issues/10661 |
| OneFlow–OneFlow | A GPU device-ID validation flaw in the flow.cuda.get_device_capability() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted device ID. | 2026-01-28 | not yet calculated | CVE-2025-70999 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10660 |
| OneFlow–OneFlow | An issue in the flow.cuda.BoolTensor component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71000 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10659 |
| OneFlow–OneFlow | A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71001 | https://github.com/Daisy2ang http://oneflow.com https://github.com/Oneflow-Inc/oneflow/issues/10658 |
| OneFlow–OneFlow | A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71002 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10657 |
| OneFlow–OneFlow | An input validation vulnerability in the flow.arange() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71003 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10656 |
| OneFlow–OneFlow | A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71004 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10655 |
| OneFlow–OneFlow | A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71005 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10654 |
| OneFlow–OneFlow | A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71006 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10653 |
| OneFlow–OneFlow | An input validation vulnerability in the oneflow.index_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-28 | not yet calculated | CVE-2025-71007 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10652 |
| OneFlow–OneFlow | A segmentation violation in the oneflow._oneflow_internal.autograd.Function.FunctionCtx.mark_non_differentiable component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71008 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10651 |
| OneFlow–OneFlow | An input validation vulnerability in the flow.scatter/flow.scatter_add component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via crafted indices. | 2026-01-29 | not yet calculated | CVE-2025-71009 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10649 |
| OneFlow–OneFlow | An input validation vulnerability in the flow.Tensor.new_empty/flow.Tensor.new_ones/flow.Tensor.new_zeros component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. | 2026-01-29 | not yet calculated | CVE-2025-71011 | https://github.com/Daisy2ang https://github.com/Oneflow-Inc/oneflow/issues/10648 |
| openemr–openemr | OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. Contents of Clinical Notes and Care Plan, where an encounter has Sensitivity=high, can be viewed and changed by users who do not have Sensitivities=high privilege. Version 7.0.4 fixes the issue. | 2026-01-27 | not yet calculated | CVE-2025-54373 | https://github.com/openemr/openemr/security/advisories/GHSA-739g-6m63-p7fr https://github.com/openemr/openemr/commit/aef3d1c85d9ff2f28d3d361d2818aee79b6dcd33 |
| OpenSSL–OpenSSL | Issue summary: PBMAC1 parameters in PKCS#12 files are missing validation which can trigger a stack-based buffer overflow, invalid pointer or NULL pointer dereference during MAC verification. Impact summary: The stack buffer overflow or NULL pointer dereference may cause a crash leading to Denial of Service for an application that parses untrusted PKCS#12 files. The buffer overflow may also potentially enable code execution depending on platform mitigations. When verifying a PKCS#12 file that uses PBMAC1 for the MAC, the PBKDF2 salt and keylength parameters from the file are used without validation. If the value of keylength exceeds the size of the fixed stack buffer used for the derived key (64 bytes), the key derivation will overflow the buffer. The overflow length is attacker-controlled. Also, if the salt parameter is not an OCTET STRING type this can lead to invalid or NULL pointer dereference. Exploiting this issue requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For this reason the issue was assessed as Moderate severity. The FIPS modules in 3.6, 3.5 and 3.4 are not affected by this issue, as PKCS#12 processing is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5 and 3.4 are vulnerable to this issue. OpenSSL 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue as they do not support PBMAC1 in PKCS#12. | 2026-01-27 | not yet calculated | CVE-2025-11187 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit |
| OpenSSL–OpenSSL | Issue summary: Parsing CMS AuthEnvelopedData message with maliciously crafted AEAD parameters can trigger a stack buffer overflow. Impact summary: A stack buffer overflow may lead to a crash, causing Denial of Service, or potentially remote code execution. When parsing CMS AuthEnvelopedData structures that use AEAD ciphers such as AES-GCM, the IV (Initialization Vector) encoded in the ASN.1 parameters is copied into a fixed-size stack buffer without verifying that its length fits the destination. An attacker can supply a crafted CMS message with an oversized IV, causing a stack-based out-of-bounds write before any authentication or tag verification occurs. Applications and services that parse untrusted CMS or PKCS#7 content using AEAD ciphers (e.g., S/MIME AuthEnvelopedData with AES-GCM) are vulnerable. Because the overflow occurs prior to authentication, no valid key material is required to trigger it. While exploitability to remote code execution depends on platform and toolchain mitigations, the stack-based write primitive represents a severe risk. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the CMS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3 and 3.0 are vulnerable to this issue. OpenSSL 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15467 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: If an application using the SSL_CIPHER_find() function in a QUIC protocol client or server receives an unknown cipher suite from the peer, a NULL dereference occurs. Impact summary: A NULL pointer dereference leads to abnormal termination of the running process causing Denial of Service. Some applications call SSL_CIPHER_find() from the client_hello_cb callback on the cipher ID received from the peer. If this is done with an SSL object implementing the QUIC protocol, NULL pointer dereference will happen if the examined cipher ID is unknown or unsupported. As it is not very common to call this function in applications using the QUIC protocol and the worst outcome is Denial of Service, the issue was assessed as Low severity. The vulnerable code was introduced in the 3.2 version with the addition of the QUIC protocol support. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the QUIC implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15468 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL–OpenSSL | Issue summary: The ‘openssl dgst’ command-line tool silently truncates input data to 16MB when using one-shot signing algorithms and reports success instead of an error. Impact summary: A user signing or verifying files larger than 16MB with one-shot algorithms (such as Ed25519, Ed448, or ML-DSA) may believe the entire file is authenticated while trailing data beyond 16MB remains unauthenticated. When the ‘openssl dgst’ command is used with algorithms that only support one-shot signing (Ed25519, Ed448, ML-DSA-44, ML-DSA-65, ML-DSA-87), the input is buffered with a 16MB limit. If the input exceeds this limit, the tool silently truncates to the first 16MB and continues without signaling an error, contrary to what the documentation states. This creates an integrity gap where trailing bytes can be modified without detection if both signing and verification are performed using the same affected codepath. The issue affects only the command-line tool behavior. Verifiers that process the full message using library APIs will reject the signature, so the risk primarily affects workflows that both sign and verify with the affected ‘openssl dgst’ command. Streaming digest algorithms for ‘openssl dgst’ and library users are unaffected. The FIPS modules in 3.5 and 3.6 are not affected by this issue, as the command-line tools are outside the OpenSSL FIPS module boundary. OpenSSL 3.5 and 3.6 are vulnerable to this issue. OpenSSL 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-15469 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit |
| OpenSSL–OpenSSL | Issue summary: A TLS 1.3 connection using certificate compression can be forced to allocate a large buffer before decompression without checking against the configured certificate size limit. Impact summary: An attacker can cause per-connection memory allocations of up to approximately 22 MiB and extra CPU work, potentially leading to service degradation or resource exhaustion (Denial of Service). In affected configurations, the peer-supplied uncompressed certificate length from a CompressedCertificate message is used to grow a heap buffer prior to decompression. This length is not bounded by the max_cert_list setting, which otherwise constrains certificate message sizes. An attacker can exploit this to cause large per-connection allocations followed by handshake failure. No memory corruption or information disclosure occurs. This issue only affects builds where TLS 1.3 certificate compression is compiled in (i.e., not OPENSSL_NO_COMP_ALG) and at least one compression algorithm (brotli, zlib, or zstd) is available, and where the compression extension is negotiated. Both clients receiving a server CompressedCertificate and servers in mutual TLS scenarios receiving a client CompressedCertificate are affected. Servers that do not request client certificates are not vulnerable to client-initiated attacks. Users can mitigate this issue by setting SSL_OP_NO_RX_CERTIFICATE_COMPRESSION to disable receiving compressed certificates. The FIPS modules in 3.6, 3.5, 3.4 and 3.3 are not affected by this issue, as the TLS implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4 and 3.3 are vulnerable to this issue. OpenSSL 3.0, 1.1.1 and 1.0.2 are not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-66199 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit |
| OpenSSL–OpenSSL | Issue summary: Writing large, newline-free data into a BIO chain using the line-buffering filter where the next BIO performs short writes can trigger a heap-based out-of-bounds write. Impact summary: This out-of-bounds write can cause memory corruption which typically results in a crash, leading to Denial of Service for an application. The line-buffering BIO filter (BIO_f_linebuffer) is not used by default in TLS/SSL data paths. In OpenSSL command-line applications, it is typically only pushed onto stdout/stderr on VMS systems. Third-party applications that explicitly use this filter with a BIO chain that can short-write and that write large, newline-free data influenced by an attacker would be affected. However, the circumstances where this could happen are unlikely to be under attacker control, and BIO_f_linebuffer is unlikely to be handling non-curated data controlled by an attacker. For that reason the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the BIO implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-68160 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: When using the low-level OCB API directly with AES-NI or other hardware-accelerated code paths, inputs whose length is not a multiple of 16 bytes can leave the final partial block unencrypted and unauthenticated. Impact summary: The trailing 1-15 bytes of a message may be exposed in cleartext on encryption and are not covered by the authentication tag, allowing an attacker to read or tamper with those bytes without detection. The low-level OCB encrypt and decrypt routines in the hardware-accelerated stream path process full 16-byte blocks but do not advance the input/output pointers. The subsequent tail-handling code then operates on the original base pointers, effectively reprocessing the beginning of the buffer while leaving the actual trailing bytes unprocessed. The authentication checksum also excludes the true tail bytes. However, typical OpenSSL consumers using EVP are not affected because the higher-level EVP and provider OCB implementations split inputs so that full blocks and trailing partial blocks are processed in separate calls, avoiding the problematic code path. Additionally, TLS does not use OCB ciphersuites. The vulnerability only affects applications that call the low-level CRYPTO_ocb128_encrypt() or CRYPTO_ocb128_decrypt() functions directly with non-block-aligned lengths in a single call on hardware-accelerated builds. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.6, 3.5, 3.4, 3.3, 3.2, 3.1 and 3.0 are not affected by this issue, as OCB mode is not a FIPS-approved algorithm. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69418 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: Calling PKCS12_get_friendlyname() function on a maliciously crafted PKCS#12 file with a BMPString (UTF-16BE) friendly name containing non-ASCII BMP code point can trigger a one byte write before the allocated buffer. Impact summary: The out-of-bounds write can cause a memory corruption which can have various consequences including a Denial of Service. The OPENSSL_uni2utf8() function performs a two-pass conversion of a PKCS#12 BMPString (UTF-16BE) to UTF-8. In the second pass, when emitting UTF-8 bytes, the helper function bmp_to_utf8() incorrectly forwards the remaining UTF-16 source byte count as the destination buffer capacity to UTF8_putc(). For BMP code points above U+07FF, UTF-8 requires three bytes, but the forwarded capacity can be just two bytes. UTF8_putc() then returns -1, and this negative value is added to the output length without validation, causing the length to become negative. The subsequent trailing NUL byte is then written at a negative offset, causing write outside of heap allocated buffer. The vulnerability is reachable via the public PKCS12_get_friendlyname() API when parsing attacker-controlled PKCS#12 files. While PKCS12_parse() uses a different code path that avoids this issue, PKCS12_get_friendlyname() directly invokes the vulnerable function. Exploitation requires an attacker to provide a malicious PKCS#12 file to be parsed by the application and the attacker can just trigger a one zero byte write before the allocated buffer. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69419 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: A type confusion vulnerability exists in the TimeStamp Response verification code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing a malformed TimeStamp Response file. Impact summary: An application calling TS_RESP_verify_response() with a malformed TimeStamp Response can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The functions ossl_ess_get_signing_cert() and ossl_ess_get_signing_cert_v2() access the signing cert attribute value without validating its type. When the type is not V_ASN1_SEQUENCE, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed TimeStamp Response to an application that verifies timestamp responses. The TimeStamp protocol (RFC 3161) is not widely used and the impact of the exploit is just a Denial of Service. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the TimeStamp Response implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2025-69420 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: Processing a malformed PKCS#12 file can trigger a NULL pointer dereference in the PKCS12_item_decrypt_d2i_ex() function. Impact summary: A NULL pointer dereference can trigger a crash which leads to Denial of Service for an application processing PKCS#12 files. The PKCS12_item_decrypt_d2i_ex() function does not check whether the oct parameter is NULL before dereferencing it. When called from PKCS12_unpack_p7encdata() with a malformed PKCS#12 file, this parameter can be NULL, causing a crash. The vulnerability is limited to Denial of Service and cannot be escalated to achieve code execution or memory disclosure. Exploiting this issue requires an attacker to provide a malformed PKCS#12 file to an application that processes it. For that reason the issue was assessed as Low severity according to our Security Policy. The FIPS modules in 3.6, 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2025-69421 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: An invalid or NULL pointer dereference can happen in an application processing a malformed PKCS#12 file. Impact summary: An application processing a malformed PKCS#12 file can be caused to dereference an invalid or NULL pointer on memory read, resulting in a Denial of Service. A type confusion vulnerability exists in PKCS#12 parsing code where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid pointer read. The location is constrained to a 1-byte address space, meaning any attempted pointer manipulation can only target addresses between 0x00 and 0xFF. This range corresponds to the zero page, which is unmapped on most modern operating systems and will reliably result in a crash, leading only to a Denial of Service. Exploiting this issue also requires a user or application to process a maliciously crafted PKCS#12 file. It is uncommon to accept untrusted PKCS#12 files in applications as they are usually used to store private keys which are trusted by definition. For these reasons, the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS12 implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0 and 1.1.1 are vulnerable to this issue. OpenSSL 1.0.2 is not affected by this issue. | 2026-01-27 | not yet calculated | CVE-2026-22795 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenSSL–OpenSSL | Issue summary: A type confusion vulnerability exists in the signature verification of signed PKCS#7 data where an ASN1_TYPE union member is accessed without first validating the type, causing an invalid or NULL pointer dereference when processing malformed PKCS#7 data. Impact summary: An application performing signature verification of PKCS#7 data or calling directly the PKCS7_digest_from_attributes() function can be caused to dereference an invalid or NULL pointer when reading, resulting in a Denial of Service. The function PKCS7_digest_from_attributes() accesses the message digest attribute value without validating its type. When the type is not V_ASN1_OCTET_STRING, this results in accessing invalid memory through the ASN1_TYPE union, causing a crash. Exploiting this vulnerability requires an attacker to provide a malformed signed PKCS#7 to an application that verifies it. The impact of the exploit is just a Denial of Service, the PKCS7 API is legacy and applications should be using the CMS API instead. For these reasons the issue was assessed as Low severity. The FIPS modules in 3.5, 3.4, 3.3 and 3.0 are not affected by this issue, as the PKCS#7 parsing implementation is outside the OpenSSL FIPS module boundary. OpenSSL 3.6, 3.5, 3.4, 3.3, 3.0, 1.1.1 and 1.0.2 are vulnerable to this issue. | 2026-01-27 | not yet calculated | CVE-2026-22796 | OpenSSL Advisory 3.6.1 git commit 3.5.5 git commit 3.4.4 git commit 3.3.6 git commit 3.0.19 git commit |
| OpenText–Vertica | Cleartext Storage of Sensitive Information vulnerability in OpenText™ Vertica allows Retrieve Embedded Sensitive Data. The vulnerability could read Vertica agent plaintext apikey. This issue affects Vertica versions: 23.X, 24.X, 25.X. | 2026-01-30 | not yet calculated | CVE-2024-9432 | https://portal.microfocus.com/s/article/KM000044937?language=en_US |
| OpenVPN–OpenVPN | Insufficient epoch key slot processing in OpenVPN 2.7_alpha1 through 2.7_rc5 allows remote authenticated users to trigger an assert resulting in a denial of service | 2026-01-30 | not yet calculated | CVE-2025-15497 | https://community.openvpn.net/Security%20Announcements/CVE-2025-15497 https://www.mail-archive.com/openvpn-announce@lists.sourceforge.net/msg00156.html |
| opf–openproject | OpenProject is an open-source, web-based project management software. Versions prior to 16.6.6 and 17.0.2 have an arbitrary file write vulnerability in OpenProject’s repository diff download endpoint (`/projects/:project_id/repository/diff.diff`) when rendering a single revision via git show. By supplying a specially crafted rev value (for example, `rev=--output=/tmp/poc.txt`), an attacker can inject git show command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the `:browse_repository` permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git show output (commit metadata and patch), but overwriting application or configuration files still leads to data loss and denial of service, impacting integrity and availability. The issue has been fixed in OpenProject 17.0.2 and 16.6.6. | 2026-01-28 | not yet calculated | CVE-2026-24685 | https://github.com/opf/openproject/security/advisories/GHSA-74p5-9pr3-r6pw |
| orval-labs–orval | Orval generates type-safe JS clients (TypeScript) from any valid OpenAPI v3 or Swagger v2 specification. Versions starting with 7.19.0 and prior to 7.21.0 and 8.2.0 have an incomplete fix for CVE-2026-23947. While the jsStringEscape function properly handles single quotes ('), double quotes (") and so on, it is still possible to achieve code injection using only a limited set of characters that are currently not escaped. The vulnerability lies in the fact that the application can be forced to execute arbitrary JavaScript using characters such as []()!+. By using a technique known as JSFuck, an attacker can bypass the current sanitization logic and run arbitrary code without needing any alphanumeric characters or quotes. Versions 7.21.0 and 8.2.0 contain an updated fix. | 2026-01-30 | not yet calculated | CVE-2026-25141 | https://github.com/orval-labs/orval/security/advisories/GHSA-gch2-phqh-fg9q https://github.com/orval-labs/orval/security/advisories/GHSA-h526-wf6g-67jv https://github.com/orval-labs/orval/blob/02211fc413524be340ba9ace866a2ef68845ca7c/packages/core/src/utils/string.ts#L227 https://github.com/orval-labs/orval/releases/tag/v7.21.0 https://github.com/orval-labs/orval/releases/tag/v8.2.0 |
| Phala-Network–dcap-qvl | dcap-qvl implements the quote verification logic for DCAP (Data Center Attestation Primitives). A vulnerability present in versions prior to 0.3.9 involves a critical gap in the cryptographic verification process within dcap-qvl. The library fetches QE Identity collateral (including qe_identity, qe_identity_signature, and qe_identity_issuer_chain) from the PCCS. However, it does not verify the QE Identity signature against its certificate chain and does not enforce policy constraints on the QE Report. An attacker can forge the QE Identity data to whitelist a malicious or non-Intel Quoting Enclave. This allows the attacker to forge the QE and sign untrusted quotes that the verifier will accept as valid. Effectively, this bypasses the entire remote attestation security model, as the verifier can no longer trust the entity responsible for signing the quotes. All deployments utilizing the dcap-qvl library for SGX or TDX quote verification are affected. The vulnerability has been patched in dcap-qvl version 0.3.9. The fix implements the missing cryptographic verification for the QE Identity signature and enforces the required checks for MRSIGNER, ISVPRODID, and ISVSVN against the QE Report. Users of the `@phala/dcap-qvl-node` and `@phala/dcap-qvl-web` packages should switch to the pure JavaScript implementation, `@phala/dcap-qvl`. There are no known workarounds for this vulnerability. Users must upgrade to the patched version to ensure that QE Identity collateral is properly verified. | 2026-01-26 | not yet calculated | CVE-2026-22696 | https://github.com/Phala-Network/dcap-qvl/security/advisories/GHSA-796p-j2gh-9m2q |
| pilgrimage233–Minecraft-Rcon-Manage | Improper Control of Generation of Code (‘Code Injection’) vulnerability in pilgrimage233 Minecraft-Rcon-Manage. This issue affects Minecraft-Rcon-Manage: before 3.0. | 2026-01-27 | not yet calculated | CVE-2026-24871 | https://github.com/pilgrimage233/Minecraft-Rcon-Manage/pull/13 |
| Pix-Link–LV-WR21Q | Pix-Link LV-WR21Q does not enforce any form of authentication for the endpoint /goform/getHomePageInfo. A remote unauthenticated attacker is able to use this endpoint to, for example, retrieve the cleartext password to the access point. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12386 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| Pix-Link–LV-WR21Q | A vulnerability in the Pix-Link LV-WR21Q router’s language module allows remote attackers to trigger a denial of service (DoS) by sending a specially crafted HTTP POST request containing a non-existent language parameter. This renders the server unable to serve the correct lang.js file, which causes the administrator panel to stop working, resulting in DoS until the language setting is reverted to a correct value. The Denial of Service affects only the administrator panel and does not affect other router functionalities. The vendor was notified early about this vulnerability, but didn’t respond with the details of the vulnerability or the vulnerable version range. Only version V108_108 was tested and confirmed as vulnerable; other versions were not tested and might also be vulnerable. | 2026-01-27 | not yet calculated | CVE-2025-12387 | https://cert.pl/en/posts/2026/01/CVE-2025-12386 https://www.pix-link.com/lv-wr21q https://github.com/wcyb/security_research |
| pnpm–pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm installs a `file:` (directory) or `git:` dependency, it follows symlinks and reads their target contents without constraining them to the package root. A malicious package containing a symlink to an absolute path (e.g., `/etc/passwd`, `~/.ssh/id_rsa`) causes pnpm to copy that file’s contents into `node_modules`, leaking local data. The vulnerability only affects `file:` and `git:` dependencies. Registry packages (npm) have symlinks stripped during publish and are NOT affected. The issue impacts developers installing local/file dependencies and CI/CD pipelines installing git dependencies. It can lead to credential theft via symlinks to `~/.aws/credentials`, `~/.npmrc`, `~/.ssh/id_rsa`. Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24056 | https://github.com/pnpm/pnpm/security/advisories/GHSA-m733-5w8f-5ggw https://github.com/pnpm/pnpm/commit/b277b45bc35ae77ca72d7634d144bbd58a48b70f https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| pnpm–pnpm | pnpm is a package manager. Prior to version 10.28.2, when pnpm processes a package’s `directories.bin` field, it uses `path.join()` without validating the result stays within the package root. A malicious npm package can specify `"directories": {"bin": "../../../../tmp"}` to escape the package directory, causing pnpm to chmod 755 files at arbitrary locations. This issue only affects Unix/Linux/macOS. Windows is not affected (`fixBin` gated by `EXECUTABLE_SHEBANG_SUPPORTED`). Version 10.28.2 contains a patch. | 2026-01-26 | not yet calculated | CVE-2026-24131 | https://github.com/pnpm/pnpm/security/advisories/GHSA-v253-rj99-jwpq https://github.com/pnpm/pnpm/commit/17432ad5bbed5c2e77255ca6d56a1449bbcfd943 https://github.com/pnpm/pnpm/releases/tag/v10.28.2 |
| PodcastGenerator–PodcastGenerator | A Stored cross-site scripting (XSS) vulnerability in ‘Create New Live Item’ in PodcastGenerator 3.2.9 allows remote attackers to inject arbitrary script or HTML via the ‘TITLE’, ‘SHORT DESCRIPTION’ and ‘LONG DESCRIPTION’ parameters. The saved payload gets executed on ‘View All Live Items’ and ‘Live Stream’ pages. | 2026-01-28 | not yet calculated | CVE-2025-70336 | https://github.com/PodcastGenerator/PodcastGenerator https://github.com/aryasahil96-manu/CVE-Disclosures/blob/main/CVE-2025-70336 |
| podman-desktop–podman-desktop | Podman Desktop is a graphical tool for developing on containers and Kubernetes. A critical authentication bypass vulnerability in Podman Desktop prior to version 1.25.1 allows any extension to completely circumvent permission checks and gain unauthorized access to all authentication sessions. The `isAccessAllowed()` function unconditionally returns `true`, enabling malicious extensions to impersonate any user, hijack authentication sessions, and access sensitive resources without authorization. This vulnerability affects all versions of Podman Desktop. Version 1.25.1 contains a patch for the issue. | 2026-01-28 | not yet calculated | CVE-2026-24835 | https://github.com/podman-desktop/podman-desktop/security/advisories/GHSA-v3fx-qg34-6g9m https://drive.google.com/file/d/1ib4RG34mGHDlXeyib8L2j9L5rEDxuDM5/view?usp=sharing |
| praydog–REFramework | An issue from the component luaG_runerror in dependencies/lua/src/ldebug.c in praydog/REFramework version before 1.5.5 leads to a heap-buffer overflow when a recursive error occurs. | 2026-01-27 | not yet calculated | CVE-2026-24809 | https://github.com/praydog/REFramework/pull/1320 |
| praydog–UEVR | Out-of-bounds Write vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files ldebug.C, lvm.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24817 | https://github.com/praydog/UEVR/pull/336 |
| praydog–UEVR | Out-of-bounds Read vulnerability in praydog UEVR (dependencies/lua/src modules). This vulnerability is associated with program files lparser.C. This issue affects UEVR: before 1.05. | 2026-01-27 | not yet calculated | CVE-2026-24818 | https://github.com/praydog/UEVR/pull/337 |
| Progress Software–Chef Inspec | Chef InSpec up to version 5.23 creates named pipes with overly permissive default Windows access controls. A local attacker may interfere with the pipe connection process and exploit the insufficient access restrictions to assume the InSpec execution context, potentially resulting in elevated privileges or operational disruption. This issue affects Chef Inspec: through 5.23. | 2026-01-30 | not yet calculated | CVE-2025-6723 | https://docs.chef.io/inspec/ |
| pwncollege–dojo | pwn.college DOJO is an education platform for learning cybersecurity. Prior to commit e33da14449a5abcff507e554f66e2141d6683b0a, missing sandboxing on `/workspace/*` routes allows challenge authors to inject arbitrary javascript which runs on the same origin as `http[:]//dojo[.]website`. This is a sandbox escape leading to arbitrary javascript execution as the dojo’s origin. A challenge author can craft a page that executes any dangerous actions that the user could. Version e33da14449a5abcff507e554f66e2141d6683b0a patches the issue. | 2026-01-29 | not yet calculated | CVE-2026-25117 | https://github.com/pwncollege/dojo/security/advisories/GHSA-wvcf-9xm8-7mrg https://github.com/pwncollege/dojo/commit/e33da14449a5abcff507e554f66e2141d6683b0a |
| py-pdf–pypdf | pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually. | 2026-01-27 | not yet calculated | CVE-2026-24688 | https://github.com/py-pdf/pypdf/security/advisories/GHSA-2q4j-m29v-hq73 https://github.com/py-pdf/pypdf/pull/3610 https://github.com/py-pdf/pypdf/commit/b1282f8dcdc1a7b41ceab6740ffddfdf31b1fec1 https://github.com/py-pdf/pypdf/releases/tag/6.6.2 |
| qgis–QGIS | QGIS is a free, open source, cross platform geographical information system (GIS). The repository contains a GitHub Actions workflow called “pre-commit checks” that, before commit 76a693cd91650f9b4e83edac525e5e4f90d954e9, was vulnerable to remote code execution and repository compromise because it used the `pull_request_target` trigger and then checked out and executed untrusted pull request code in a privileged context. Workflows triggered by `pull_request_target` ran with the base repository’s credentials and access to secrets. If these workflows then checked out and executed code from the head of an external pull request (which could have been attacker controlled), the attacker could have executed arbitrary commands with elevated privileges. This insecure pattern has been documented as a security risk by GitHub and security researchers. Commit 76a693cd91650f9b4e83edac525e5e4f90d954e9 removed the vulnerable code. | 2026-01-27 | not yet calculated | CVE-2026-24480 | https://github.com/qgis/QGIS/security/advisories/GHSA-7h99-4f97-h6rw https://github.com/qgis/QGIS/commit/76a693cd91650f9b4e83edac525e5e4f90d954e9 |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘txAny’ in ‘/evaluacion_competencias_autoeval_list.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1472 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_competencias_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1473 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters ‘Id_usuario’ and ‘Id_evaluacion’ in ‘/evaluacion_inicio.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1474 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_acciones_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1475 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_acciones_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1476 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ and ‘Id_evaluacion’ in ‘/evaluacion_competencias_evalua_old.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1477 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ and ‘Id_evaluacion’ in ‘/evaluacion_hca_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1478 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameters ‘Id_usuario’ and ‘Id_evaluacion’ in ‘/evaluacion_hca_ver_auto.asp’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1479 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_objetivos_anyo_sig_evalua.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1480 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_objetivos_anyo_sig_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1481 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_evaluacion’ in ‘/evaluacion_objetivos_evalua_definido.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1482 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Quatuor–Evaluación de Desempeño (EDD) | An out-of-band SQL injection vulnerability (OOB SQLi) has been detected in the Performance Evaluation (EDD) application developed by Gabinete Técnico de Programación. Exploiting this vulnerability in the parameter ‘Id_usuario’ in ‘/evaluacion_objetivos_ver_auto.aspx’, could allow an attacker to extract sensitive information from the database through external channels, without the affected application returning the data directly, compromising the confidentiality of the stored information. | 2026-01-27 | not yet calculated | CVE-2026-1483 | https://www.incibe.es/en/incibe-cert/notices/aviso/out-band-sql-injection-quatuor-performance-evaluation |
| Rails–activestorage | Active Storage allowed transformation methods potentially unsafe. Active Storage attempts to prevent the use of potentially unsafe image transformation methods and parameters by default. The default allowed list contains three methods that allow for the circumvention of the safe defaults, which enables potential command injection vulnerabilities in cases where arbitrary user supplied input is accepted as valid transformation methods or parameters. Impact: This vulnerability impacts applications that use Active Storage with the image_processing processing gem in addition to mini_magick as the image processor. Vulnerable code will look something similar to this: `<%= image_tag blob.variant(params[:t] => params[:v]) %>`, where the transformation method or its arguments are untrusted arbitrary input. All users running an affected release should either upgrade or use one of the workarounds immediately. Workarounds: Consuming user supplied input for image transformation methods or their parameters is unsupported behavior and should be considered dangerous. Strict validation of user supplied methods and parameters should be performed as well as having a strong [ImageMagick security policy](https://imagemagick.org/script/security-policy.php) deployed. Credits: Thank you [lio346](https://hackerone.com/lio346) for reporting this! | 2026-01-30 | not yet calculated | CVE-2025-24293 | https://github.com/advisories/GHSA-r4mg-4433-c7g3 |
| Ralim–IronOS | Vulnerability in Ralim IronOS (source/Core/BSP/Pinecilv2/bl_mcu_sdk/components/ble/ble_stack/common/tinycrypt/source modules). This vulnerability is associated with program files ecc_dsa.C. This issue affects IronOS: before v2.23-rc3. | 2026-01-27 | not yet calculated | CVE-2026-24801 | https://github.com/Ralim/IronOS/pull/2087 |
| RawTherapee–RawTherapee | Integer Overflow or Wraparound vulnerability in RawTherapee (rtengine modules). This vulnerability is associated with program files dcraw.Cc. This issue affects RawTherapee: through 5.11. | 2026-01-27 | not yet calculated | CVE-2026-24808 | https://github.com/RawTherapee/RawTherapee/pull/7359 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in NetworkManager. The NetworkManager package allows access to files that may belong to other users. NetworkManager allows non-root users to configure the system’s network. The daemon runs with root privileges and can access files owned by users different from the one who added the connection. | 2026-01-26 | not yet calculated | CVE-2025-9615 | https://access.redhat.com/security/cve/CVE-2025-9615 RHBZ#2391503 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/issues/1809 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2324 https://gitlab.freedesktop.org/NetworkManager/NetworkManager/-/merge_requests/2327 |
| rethinkdb–rethinkdb | Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in rethinkdb (src/cjson modules). This vulnerability is associated with program files cJSON.Cc. This issue affects rethinkdb: through v2.4.4. | 2026-01-27 | not yet calculated | CVE-2026-24810 | https://github.com/rethinkdb/rethinkdb/pull/7163 |
| RLE NOVA–PlanManager | Stored Cross-Site Scripting (XSS) in RLE NOVA’s PlanManager. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by injecting malicious payload through the ‘comment’ and ‘brand’ parameters in ‘/index.php’. The payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-01-29 | not yet calculated | CVE-2026-1469 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-rle-novas-planmanager |
| root-project–root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inffast.C. This issue affects root. | 2026-01-27 | not yet calculated | CVE-2026-24811 | https://github.com/root-project/root/pull/18526 |
| root-project–root | Vulnerability in root-project root (builtins/zlib modules). This vulnerability is associated with program files inftrees.C. This issue affects root: through 6.36.00-rc1. | 2026-01-27 | not yet calculated | CVE-2026-24812 | https://github.com/root-project/root/pull/18527 |
| Schneider Electric–EcoStruxure Process Expert | CWE-276: Incorrect Default Permissions vulnerability exists that could cause privilege escalation through the reverse shell when one or more executable service binaries are modified in the installation folder by a local user with normal privilege upon service restart. | 2026-01-29 | not yet calculated | CVE-2025-13905 | https://download.schneider-electric.com/files?p_Doc_Ref=SEVD-2026-013-02&p_enDocType=Security+and+Safety+Notice&p_File_Name=SEVD-2026-013-02.pdf |
| shaarli–Shaarli | Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starts with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary HTML, leading to a possible XSS attack. Version 0.16.0 fixes the issue. | 2026-01-26 | not yet calculated | CVE-2026-24476 | https://github.com/shaarli/Shaarli/security/advisories/GHSA-g3xq-mj52-f8pg https://github.com/shaarli/Shaarli/commit/b854c789289c4b0dfbb7c1e5793bae7d8f94e063 |
| sharpred–deepHas | deepHas provides a test for the existence of a nested object key and optionally returns that key. A prototype pollution vulnerability exists in version 1.0.7 of the deephas npm package that allows an attacker to modify global object behavior. This issue was fixed in version 1.0.8. | 2026-01-29 | not yet calculated | CVE-2026-25047 | https://github.com/sharpred/deepHas/security/advisories/GHSA-2733-6c58-pf27 https://github.com/sharpred/deepHas/commit/8097fafd3776c613d8066546653e0d2c7b5fc465 |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain an authorization flaw in the user management API that allows a low-privileged authenticated user to change the administrator account password. By sending a crafted request directly to the backend endpoint, an attacker can bypass role-based restrictions enforced by the web interface and obtain full administrative privileges. | 2026-01-26 | not yet calculated | CVE-2026-24428 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-incorrect-authorization-allows-administrator-password-change |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) ship with a predefined default password for a built-in authentication account that is not required to be changed during initial configuration. An attacker can leverage these default credentials to gain authenticated access to the management interface. | 2026-01-26 | not yet calculated | CVE-2026-24429 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-hardcoded-default-password-for-built-in-account |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) disclose sensitive account credentials in cleartext within HTTP responses generated by the maintenance interface. Because the management interface is accessible over unencrypted HTTP by default, credentials may be exposed to network-based interception. | 2026-01-26 | not yet calculated | CVE-2026-24430 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-http-responses-expose-plaintext-credentials |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) display stored user account passwords in plaintext within the administrative web interface. Any user with access to the affected management pages can directly view credentials. | 2026-01-26 | not yet calculated | CVE-2026-24431 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) lack cross-site request forgery (CSRF) protections on administrative endpoints, including those used to change administrator account credentials. As a result, an attacker can craft malicious requests that, when triggered by an authenticated user’s browser, modify administrative passwords and other configuration settings. | 2026-01-26 | not yet calculated | CVE-2026-24432 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-csrf-protections-for-administrative-actions |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) contain a stored cross-site scripting vulnerability in the user creation functionality. Insufficient input validation allows attacker-controlled script content to be stored and later executed when administrative users access the affected management pages. | 2026-01-26 | not yet calculated | CVE-2026-24433 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-stored-xss-via-user-name-field |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) implement an insecure Cross-Origin Resource Sharing (CORS) policy on authenticated administrative endpoints. The device sets Access-Control-Allow-Origin: * in combination with Access-Control-Allow-Credentials: true, allowing attacker-controlled origins to issue credentialed cross-origin requests. | 2026-01-26 | not yet calculated | CVE-2026-24435 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-permissive-cors-allows-cross-origin-data-access |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) do not enforce rate limiting or account lockout mechanisms on authentication endpoints. This allows attackers to perform unrestricted brute-force attempts against administrative credentials. | 2026-01-26 | not yet calculated | CVE-2026-24436 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-rate-limiting-on-authentication |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) serve sensitive administrative content without appropriate cache-control directives. As a result, browsers may store credential-bearing responses locally, exposing them to subsequent unauthorized access. | 2026-01-26 | not yet calculated | CVE-2026-24437 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-missing-cache-controls-for-credential-bearing-pages |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) fail to include the X-Content-Type-Options: nosniff response header on web management interfaces. As a result, browsers that perform MIME sniffing may incorrectly interpret attacker-influenced responses as executable script. | 2026-01-26 | not yet calculated | CVE-2026-24439 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-lacks-x-content-type-options-header |
| Shenzhen Tenda Technology Co., Ltd.–W30E V2 | Shenzhen Tenda W30E V2 firmware versions up to and including V16.01.0.19(5037) allow account passwords to be changed through the maintenance interface without requiring verification of the existing password. This enables unauthorized password changes when access to the affected endpoint is obtained. | 2026-01-26 | not yet calculated | CVE-2026-24440 | https://www.tendacn.com/product/W30E https://www.vulncheck.com/advisories/tenda-w30e-v2-allows-password-change-without-verifying-current-password |
| Significant-Gravitas–AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.44, AutoGPT Platform’s block execution endpoints (both main web API and external API) allow executing blocks by UUID without checking the `disabled` flag. Any authenticated user can execute the disabled `BlockInstallationBlock`, which writes arbitrary Python code to the server filesystem and executes it via `__import__()`, achieving Remote Code Execution. In default self-hosted deployments where Supabase signup is enabled, an attacker can self-register; if signup is disabled (e.g., hosted), the attacker needs an existing account. autogpt-platform-beta-v0.6.44 contains a fix. | 2026-01-29 | not yet calculated | CVE-2026-24780 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r277-3xc5-c79v https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/external/v1/routes.py#L79-L93 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L1408-L1424 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/api/features/v1.py#L355-L395 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/blocks/block.py#L15-L78 https://github.com/Significant-Gravitas/AutoGPT/blob/master/autogpt_platform/backend/backend/data/block.py#L459 |
| sigstore–sigstore-python | sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique “state” and sends it as a parameter in the authentication request, but the “state” in the server response seems not to be cross-checked with this value. Version 4.2.0 contains a patch for the issue. | 2026-01-26 | not yet calculated | CVE-2026-24408 | https://github.com/sigstore/sigstore-python/security/advisories/GHSA-hm8f-75xx-w2vr https://github.com/sigstore/sigstore-python/commit/5e77497fe8f0b202bdd118949074ec2f20da69aa https://github.com/sigstore/sigstore-python/releases/tag/v4.2.0 |
| silabs.com–Silicon Labs Zigbee Stack | After receiving a malformed 802.15.4 MAC Data Request the Zigbee Coordinator sends a ‘network leave’ request to Zigbee router resulting in the Zigbee Router getting stuck in a non-rejoinable state. If a suitable parent is not available, the end devices will be unable to rejoin. A manual recommissioning is required to recover the Zigbee Router. | 2026-01-30 | not yet calculated | CVE-2025-7964 | https://community.silabs.com/068Vm00000dspiL |
| simsong–bulk_extractor | `bulk_extractor` is a digital forensics exploitation tool. Starting in version 1.4, `bulk_extractor`’s embedded unrar code has a heap buffer overflow in the RAR PPM LZ decoding path. A crafted RAR inside a disk image causes an out of bounds write in `Unpack::CopyString`, leading to a crash under ASAN (and likely a crash or memory corruption in production builds). There’s potential for using this for RCE. As of time of publication, no known patches are available. | 2026-01-28 | not yet calculated | CVE-2026-24857 | https://github.com/simsong/bulk_extractor/security/advisories/GHSA-rh8m-9xrx-q64q |
| simsong–tcpflow | tcpflow is a TCP/IP packet demultiplexer. In versions up to and including 1.61, wifipcap parses 802.11 management frame elements and performs a length check on the wrong field when handling the TIM element. A crafted frame with a large TIM length can cause a 1-byte out-of-bounds write past `tim.bitmap[251]`. The overflow is small and DoS is the likely impact; code execution is potential, but still up in the air. The affected structure is stack-allocated in `handle_beacon()` and related handlers. As of time of publication, no known patches are available. | 2026-01-29 | not yet calculated | CVE-2026-25061 | https://github.com/simsong/tcpflow/security/advisories/GHSA-q5q6-frrv-9rj6 |
| SmarterTools–SmarterMail | SmarterTools SmarterMail versions prior to build 9518 contain an unauthenticated path coercion vulnerability in the background-of-the-day preview endpoint. The application base64-decodes attacker-supplied input and uses it as a filesystem path without validation. On Windows systems, this allows UNC paths to be resolved, causing the SmarterMail service to initiate outbound SMB authentication attempts to attacker-controlled hosts. This can be abused for credential coercion, NTLM relay attacks, and unauthorized network authentication. | 2026-01-29 | not yet calculated | CVE-2026-25067 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-unauthenticated-background-of-the-day-path-coercion |
| SpringBlade–SpringBlade | Incorrect access control in the importUser function of SpringBlade v4.5.0 allows attackers with low-level privileges to arbitrarily import sensitive user data. | 2026-01-26 | not yet calculated | CVE-2025-70982 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/34 https://gist.github.com/old6ma/ea60151aa40ddc1cfb51fbaa0c173117 |
| SunFounder–Pironman Dashboard (pm_dashboard) | SunFounder Pironman Dashboard (pm_dashboard) version 1.3.13 and prior contain a path traversal vulnerability in the log file API endpoints. An unauthenticated remote attacker can supply traversal sequences via the filename parameter to read and delete arbitrary files. Successful exploitation can disclose sensitive information and delete critical system files, resulting in data loss and potential system compromise or denial of service. | 2026-01-31 | not yet calculated | CVE-2026-25069 | https://github.com/sunfounder/pm_dashboard https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L62 https://github.com/sunfounder/pm_dashboard/blob/main/pm_dashboard/pm_dashboard.py#L440 https://www.vulncheck.com/advisories/sunfounder-pironman-dashboard-path-traversal-arbitrary-file-read-deletion https://gist.github.com/chapochapo/5db8702ede862af5c59a28b5d5a0aba3 |
| SuperDuper!–Super-Duper! | An issue in Shirt Pocket’s SuperDuper! 3.11 and earlier allows a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. | 2026-01-29 | not yet calculated | CVE-2025-69604 | http://shirt.com https://shirt-pocket.com/SuperDuper/SuperDuperDescription.html https://www.shirtpocket.com/blog/index.php/shadedgrey/comments/superduper_v312_now_available |
| swoole–swoole-src | Integer Overflow or Wraparound vulnerability in swoole swoole-src (thirdparty/hiredis modules). This vulnerability is associated with program files sds.C. This issue affects swoole-src: before 6.0.2. | 2026-01-27 | not yet calculated | CVE-2026-24814 | https://github.com/swoole/swoole-src/pull/5698 |
| tale–tale | Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. | 2026-01-29 | not yet calculated | CVE-2025-69749 | https://github.com/otale/tale https://github.com/milantgh/otalexss |
| The Wikimedia Foundation–Mediawiki – DiscussionTools Extension | Improper Neutralization of Special Elements used in an Expression Language Statement (‘Expression Language Injection’) vulnerability in The Wikimedia Foundation Mediawiki – DiscussionTools Extension allows Regular Expression Exponential Blowup. This issue affects Mediawiki – DiscussionTools Extension: 1.44, 1.43. | 2026-01-30 | not yet calculated | CVE-2025-11175 | https://phabricator.wikimedia.org/T396248 https://gerrit.wikimedia.org/r/q/I563219f3298a8740e158d130492bf3d2897784d7 https://phabricator.wikimedia.org/T364910 https://gerrit.wikimedia.org/r/q/I126203ab1d3ec8c1719cbb5460a887e4d0c2cc6d |
| tildearrow–furnace | Out-of-bounds Write, Buffer Copy without Checking Size of Input (‘Classic Buffer Overflow’) vulnerability in tildearrow furnace (extern/zlib modules). This vulnerability is associated with program files inflate.C. | 2026-01-27 | not yet calculated | CVE-2026-24800 | https://github.com/tildearrow/furnace/pull/2471 |
| TOTOLINK–X6000R | Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’) vulnerability in TOTOLINK X6000R allows OS Command Injection. This issue affects X6000R: through V9.4.0cu.1498_B20250826. | 2026-01-30 | not yet calculated | CVE-2026-1723 | https://www.totolink.net/home/menu/detail/menu_listtpl/download/id/247/ids/36.html https://github.com/PaloAltoNetworks/u42-vulnerability-disclosures/blob/main/2025/PANW-2026-0001/PANW-2026-0001.md |
| TP-Link Systems Inc.–Archer MR600 v5.0 | Command injection vulnerability was found in the admin interface component of TP-Link Archer MR600 v5 firmware, allowing authenticated attackers to execute system commands with a limited character length via crafted input in the browser developer console, possibly leading to service disruption or full compromise. | 2026-01-26 | not yet calculated | CVE-2025-14756 | https://www.tp-link.com/jp/support/download/archer-mr600/#Firmware https://www.tp-link.com/en/support/download/archer-mr600/#Firmware https://www.tp-link.com/us/support/faq/4916/ https://jvn.jp/en/vu/JVNVU94651499/ https://jvn.jp/vu/JVNVU94651499/ |
| TP-Link Systems Inc.–Archer RE605X | The backup restore function does not properly validate unexpected or unrecognized tags within the backup file. When such a crafted file is restored, the injected tag is interpreted by a shell, allowing execution of arbitrary commands with root privileges. Successful exploitation allows the attacker to gain root-level command execution, compromising confidentiality, integrity and availability. | 2026-01-29 | not yet calculated | CVE-2025-15545 | https://www.tp-link.com/en/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/download/re605x/v3/#Firmware https://www.tp-link.com/us/support/faq/4929/ https://nico-security.com/posts/cve-2025-15545 |
| TP-Link Systems Inc.–Omada Controller | An IDOR vulnerability exists in Omada Controllers that allows an attacker with Administrator permissions to manipulate requests and potentially hijack the Owner account. | 2026-01-26 | not yet calculated | CVE-2025-9520 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.–Omada Controller | Password Confirmation Bypass vulnerability in Omada Controllers, allowing an attacker with a valid session token to bypass secondary verification, and change the user’s password without proper confirmation, leading to weakened account security. | 2026-01-26 | not yet calculated | CVE-2025-9521 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.–Omada Controller | Blind Server-Side Request Forgery (SSRF) in Omada Controllers through webhook functionality, enabling crafted requests to internal services, which may lead to enumeration of information. | 2026-01-26 | not yet calculated | CVE-2025-9522 | https://support.omadanetworks.com/us/document/115200/ https://support.omadanetworks.com/us/download/software/omada-controller/ |
| TP-Link Systems Inc.–Tapo C220 v1 | The Tapo C220 v1 and C520WS v2 cameras’ HTTP service does not safely handle POST requests containing an excessively large Content-Length header. The resulting failed memory allocation triggers a NULL pointer dereference, causing the main service process to crash. An unauthenticated attacker can repeatedly crash the service, causing temporary denial of service. The device restarts automatically, and repeated requests can keep it unavailable. | 2026-01-27 | not yet calculated | CVE-2026-0918 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.–Tapo C220 v1 | The HTTP parser of Tapo C220 v1 and C520WS v2 cameras improperly handles requests containing an excessively long URL path. An invalid URL error path continues into cleanup code that assumes allocated buffers exist, leading to a crash and service restart. An unauthenticated attacker can force repeated service crashes or device reboots, causing denial of service. | 2026-01-27 | not yet calculated | CVE-2026-0919 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.–Tapo C220 v1 | By sending crafted files to the firmware update endpoint of Tapo C220 v1 and C520WS v2, the device terminates core system services before verifying authentication or firmware integrity. An unauthenticated attacker can trigger a persistent denial of service, requiring a manual reboot or application initiated restart to restore normal device operation. | 2026-01-27 | not yet calculated | CVE-2026-1315 | https://www.tp-link.com/us/support/download/tapo-c220/v1.60/ https://www.tp-link.com/en/support/download/tapo-c220/v1/ https://www.tp-link.com/us/support/download/tapo-c520ws/v2/ https://www.tp-link.com/en/support/download/tapo-c520ws/v2/ https://www.tp-link.com/us/support/faq/4923/ |
| TP-Link Systems Inc.–VIGI C485 V1 | An authenticated buffer handling flaw in the TP-Link VIGI C385 V1 Web API, which lacks input sanitization, may allow memory corruption leading to remote code execution. Authenticated attackers may trigger buffer overflow and potentially execute arbitrary code with elevated privileges. | 2026-01-29 | not yet calculated | CVE-2026-1457 | https://www.tp-link.com/en/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/kr/support/download/vigi-c385/v1/#Firmware https://www.tp-link.com/us/support/faq/4931/ |
| TP-Link Systems Inc.–VX800v v1.0 | A weakness in the web interface’s application layer encryption in VX800v v1.0 allows an adjacent attacker to brute force the weak AES key and decrypt intercepted traffic. Successful exploitation requires network proximity but no authentication, and may result in high impact to confidentiality, integrity, and availability of transmitted data. | 2026-01-29 | not yet calculated | CVE-2025-13399 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.–VX800v v1.0 | Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. | 2026-01-29 | not yet calculated | CVE-2025-15541 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.–VX800v v1.0 | Improper handling of exceptional conditions in VX800v v1.0 in SIP processing allows an attacker to flood the device with crafted INVITE messages, blocking all voice lines and causing a denial of service on incoming calls. | 2026-01-29 | not yet calculated | CVE-2025-15542 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.–VX800v v1.0 | Improper link resolution in USB HTTP access path in VX800v v1.0 allows a crafted USB device to expose root filesystem contents, giving an attacker with physical access read only access to system files. | 2026-01-29 | not yet calculated | CVE-2025-15543 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| TP-Link Systems Inc.–VX800v v1.0 | Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. | 2026-01-29 | not yet calculated | CVE-2025-15548 | https://www.tp-link.com/de/support/download/vx800v/#Firmware https://www.tp-link.com/us/support/faq/4930/ |
| ttttupup–wxhelper | Out-of-bounds Write, Heap-based Buffer Overflow vulnerability in ttttupup wxhelper (src modules). This vulnerability is associated with program files mongoose.C. This issue affects wxhelper: through 3.9.10.19-v1. | 2026-01-27 | not yet calculated | CVE-2026-24822 | https://github.com/ttttupup/wxhelper/pull/515 |
| turanszkij–WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files ldebug.C. This issue affects WickedEngine: before 0.71.705. | 2026-01-27 | not yet calculated | CVE-2026-24820 | https://github.com/turanszkij/WickedEngine/pull/1054 |
| turanszkij–WickedEngine | Out-of-bounds Read vulnerability in turanszkij WickedEngine (WickedEngine/LUA modules). This vulnerability is associated with program files lparser.C. This issue affects WickedEngine: through 0.71.727. | 2026-01-27 | not yet calculated | CVE-2026-24821 | https://github.com/turanszkij/WickedEngine/pull/1095 |
| umbraco–Umbraco.Forms.Issues | Umbraco Forms is a form builder that integrates with the Umbraco content management system. It’s possible for an authenticated backoffice user to enumerate and traverse paths/files on the system’s filesystem and read their contents, on Mac/Linux Umbraco installations using Forms. As Umbraco Cloud runs in a Windows environment, Cloud users aren’t affected. This issue affects versions 16 and 17 of Umbraco Forms and is patched in 16.4.1 and 17.1.1. If upgrading is not immediately possible, users can mitigate this vulnerability by configuring a WAF or reverse proxy to block requests containing path traversal sequences (`../`, `..`) in the `fileName` parameter of the export endpoint, restricting network access to the Umbraco backoffice to trusted IP ranges, and/or blocking the `/umbraco/forms/api/v1/export` endpoint entirely if the export feature is not required. However, upgrading to the patched version is strongly recommended. | 2026-01-29 | not yet calculated | CVE-2026-24687 | https://github.com/umbraco/Umbraco.Forms.Issues/security/advisories/GHSA-hm5p-82g6-m3xh |
| vendurehq–vendure | Vendure is an open-source headless commerce platform. Prior to version 3.5.3, the `NativeAuthenticationStrategy.authenticate()` method is vulnerable to a timing attack that allows attackers to enumerate valid usernames (email addresses). In `packages/core/src/config/auth/native-authentication-strategy.ts`, the authenticate method returns immediately if a user is not found. The significant timing difference (~200-400ms for bcrypt vs ~1-5ms for DB miss) allows attackers to reliably distinguish between existing and non-existing accounts. Version 3.5.3 fixes the issue. | 2026-01-30 | not yet calculated | CVE-2026-25050 | https://github.com/vendurehq/vendure/security/advisories/GHSA-6f65-4fv2-wwch https://github.com/vendurehq/vendure/releases/tag/v3.5.3 |
| visualfc–liteide | NULL Pointer Dereference vulnerability in visualfc liteide (liteidex/src/3rdparty/libvterm/src modules). This vulnerability is associated with program files screen.C, state.C, vterm.C. This issue affects liteide: before x38.4. | 2026-01-27 | not yet calculated | CVE-2026-24805 | https://github.com/visualfc/liteide/pull/1326 |
| WatchGuard–Fireware OS | An LDAP Injection vulnerability in WatchGuard Fireware OS may allow a remote unauthenticated attacker to retrieve sensitive information from a connected LDAP authentication server through an exposed authentication or management web interface. This vulnerability may also allow a remote attacker to authenticate as an LDAP user with a partial identifier if they additionally have that user’s valid passphrase. This issue affects Fireware OS: from 12.0 through 12.11.6, from 12.5 through 12.5.15, from 2025.1 through 2026.0. | 2026-01-30 | not yet calculated | CVE-2026-1498 | https://www.watchguard.com/wgrd-psirt/advisory/wgsa-2026-00001 |
| Western Digital–WD Discovery | DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted DLL in the installer’s search path. | 2026-01-26 | not yet calculated | CVE-2025-30248 | https://www.westerndigital.com/support/product-security/wdc-25008-wd-discovery-desktop-app-version-5-3 |
| WordPress–Custom Login Page Customizer | The Custom Login Page Customizer WordPress plugin before 2.5.4 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account. | 2026-01-29 | not yet calculated | CVE-2025-14975 | https://wpscan.com/vulnerability/a1403186-51aa-4eae-a3fe-0c559570eb93/ |
| WordPress–Recipe Card Blocks Lite | The Recipe Card Blocks Lite WordPress plugin before 3.4.13 does not sanitize and escape a parameter before using it in a SQL statement, allowing contributors and above to perform SQL injection attacks. | 2026-01-26 | not yet calculated | CVE-2025-14973 | https://wpscan.com/vulnerability/76f7d5d4-ba45-4bfd-bda9-ab0769e81107/ |
| WordPress–User Activity Log | The User Activity Log WordPress plugin through 2.2 does not properly handle failed login attempts in some cases, allowing unauthenticated users to set arbitrary options to 1 (for example, to enable User Registration when it has been turned off). | 2026-01-28 | not yet calculated | CVE-2025-13471 | https://wpscan.com/vulnerability/cc8743f5-b1b9-4f88-b440-db044034bbfc/ |
| Worklenz–Worklenz | Worklenz version 2.1.5 contains a Stored Cross-Site Scripting (XSS) vulnerability in the Project Updates feature. An attacker can submit a malicious payload in the Updates text field which is then rendered in the reporting view without proper sanitization. Malicious JavaScript may be executed in a victim’s browser when they browse to the page containing the vulnerable field. | 2026-01-26 | not yet calculated | CVE-2025-70368 | https://github.com/Worklenz/worklenz https://github.com/Stolichnayer/CVE-2025-70368 |
| Xen–Xen | Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. That size can be larger than the variable, and bounding of the writes was missing. | 2026-01-28 | not yet calculated | CVE-2025-58150 | https://xenbits.xenproject.org/xsa/advisory-477.html |
| Xen–Xen | In the context switch logic Xen attempts to skip an IBPB in the case of a vCPU returning to a CPU on which it was the previous vCPU to run. While safe for Xen’s isolation between vCPUs, this prevents the guest kernel correctly isolating between tasks. Consider: 1) vCPU runs on CPU A, running task 1. 2) vCPU moves to CPU B, idle gets scheduled on A. Xen skips IBPB. 3) On CPU B, guest kernel switches from task 1 to 2, issuing IBPB. 4) vCPU moves back to CPU A. Xen skips IBPB again. Now, task 2 is running on CPU A with task 1’s training still in the BTB. | 2026-01-28 | not yet calculated | CVE-2026-23553 | https://xenbits.xenproject.org/xsa/advisory-479.html |
| yacy–yacy_search_server | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in yacy yacy_search_server (source/net/yacy/http/servlets modules). This vulnerability is associated with program files YaCyDefaultServlet.Java. This issue affects yacy_search_server. | 2026-01-27 | not yet calculated | CVE-2026-24824 | https://github.com/yacy/yacy_search_server/pull/722 |
| ydb-platform–ydb | Missing Release of Memory after Effective Lifetime vulnerability in ydb-platform ydb (contrib/libs/yajl modules). This vulnerability is associated with program files yajl_tree.C. This issue affects ydb: through 24.4.4.2. | 2026-01-27 | not yet calculated | CVE-2026-24825 | https://github.com/ydb-platform/ydb/pull/17570 |
| zhblue–hustoj | HUSTOJ is an open source online judge based on PHP/C++/MySQL/Linux for ACM/ICPC and NOIP training. Prior to version 26.01.24, the problem_import_qduoj.php and problem_import_hoj.php modules fail to properly sanitize filenames within uploaded ZIP archives. Attackers can craft a malicious ZIP file containing files with path traversal sequences (e.g., ../../shell.php). When extracted by the server, this allows writing files to arbitrary locations in the web root, leading to Remote Code Execution (RCE). Version 26.01.24 contains a fix for the issue. | 2026-01-27 | not yet calculated | CVE-2026-24479 | https://github.com/zhblue/hustoj/security/advisories/GHSA-xmgg-2rw4-7fxj https://github.com/zhblue/hustoj/commit/902bd09e6d0011fe89cd84d4236899314b33101f |
