High Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Insaat–Fikir Odalari AdminPando | A SQL injection vulnerability exists in the login functionality of Fikir Odalari AdminPando 1.0.1 before 2026-01-26. The username and password parameters are vulnerable to SQL injection, allowing unauthenticated attackers to bypass authentication completely. Successful exploitation grants full administrative access to the application, including the ability to manipulate the public-facing website content (HTML/DOM manipulation). | 2026-02-03 | 10 | CVE-2025-10878 | https://onurcangenc.com.tr/posts/cve-2025-10878-sql-authentication-bypass-in-fikir-odalar%C4%B1-adminpando/ https://github.com/onurcangnc/CVE-2025-10878-AdminPandov1.0.1-SQLi |
| Zenitel–TCIS-3+ | This vulnerability allows authenticated attackers to execute arbitrary commands on the underlying system using the file name of an uploaded file. | 2026-02-04 | 10 | CVE-2025-59818 | Zenitel Release Notes Turbine Zenitel Security Advisory Zenitel Release Notes Fortitude8 Zenitel Release Notes ZIPS Zenitel Release Notes Fortitude6 Zenitel Release Notes Display Series |
| n/a–Docan[.]co | Dokans Multi-Tenancy Based eCommerce Platform SaaS 3.9.2 allows unauthenticated remote attackers to obtain sensitive application configuration data via direct request to /script/.env file. The exposed file contains Laravel application encryption key (APP_KEY), database credentials, SMTP/SendGrid API credentials, and internal configuration parameters, enabling complete system compromise including authentication bypass via session token forgery, direct database access to all tenant data, and email infrastructure takeover. Due to the multi-tenancy architecture, this vulnerability affects all tenants in the system. | 2026-02-03 | 10 | CVE-2025-70841 | https://codecanyon.net/item/dokans-multitenancy-based-ecommerce-platform-saas/31122915 https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-70841.md |
| Synectix–LAN 232 TRIO | The Synectix LAN 232 TRIO 3-Port serial to ethernet adapter exposes its web management interface without requiring authentication, allowing unauthenticated users to modify critical device settings or factory reset the device. | 2026-02-03 | 10 | CVE-2026-1633 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-04 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-04.json |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 1.5.0, a command injection vulnerability allows authenticated users with write permissions to execute arbitrary shell commands on the Signal K server when the set-system-time plugin is enabled. Unauthenticated users can also exploit this vulnerability if security is disabled on the Signal K server. This occurs due to unsafe construction of shell commands when processing navigation.datetime values received via WebSocket delta messages. This vulnerability is fixed in 1.5.0. | 2026-02-02 | 10 | CVE-2026-23515 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-p8gp-2w28-mhwg https://github.com/SignalK/set-system-time/commit/75b11eae2de528bf89ede3fb1f7ed057ddbb4d24 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.27, SanboxJS does not properly restrict __lookupGetter__ which can be used to obtain prototypes, which can be used for escaping the sandbox / remote code execution. This vulnerability is fixed in 0.8.27. | 2026-02-02 | 10 | CVE-2026-25142 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-9p4w-fq8m-2hp7 https://github.com/nyariv/SandboxJS/commit/75c8009db32e6829b0ad92ca13bf458178442bd3 https://github.com/nyariv/SandboxJS/blob/f212a38fb5a6d4bc2bc2e2466c0c011ce8d41072/src/executor.ts#L368-L398 |
| ci4-cms-erp–ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, an authenticated user with file editor permissions can achieve Remote Code Execution (RCE) by leveraging the file creation and save endpoints, an attacker can upload and execute arbitrary PHP code on the server. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 10 | CVE-2026-25510 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-gp56-f67f-m4px https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, The return values of functions aren’t wrapped. Object.values/Object.entries can be used to get an Array containing the host’s Function constructor, by using Array.prototype.at you can obtain the hosts Function constructor, which can be used to execute arbitrary code outside of the sandbox. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25520 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-58jh-xv4v-pcx4 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, a sandbox escape is possible by shadowing hasOwnProperty on a sandbox object, which disables prototype whitelist enforcement in the property-access path. This permits direct access to __proto__ and other blocked prototype properties, enabling host Object.prototype pollution and persistent cross-sandbox impact. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25586 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-jjpw-65fv-8g48 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, as Map is in SAFE_PROTOYPES, it’s prototype can be obtained via Map.prototype. By overwriting Map.prototype.has the sandbox can be escaped. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25587 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-66h4-qj4x-38xp https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 |
| microsoft–semantic-kernel | Semantic Kernel is an SDK used to build, orchestrate, and deploy AI agents and multi-agent systems. Prior to 1.70.0, an Arbitrary File Write vulnerability has been identified in Microsoft’s Semantic Kernel .NET SDK, specifically within the SessionsPythonPlugin. The problem has been fixed in Microsoft.SemanticKernel.Core version 1.70.0. As a mitigation, users can create a Function Invocation Filter which checks the arguments being passed to any calls to DownloadFileAsync or UploadFileAsync and ensures the provided localFilePath is allow listed. | 2026-02-06 | 10 | CVE-2026-25592 | https://github.com/microsoft/semantic-kernel/security/advisories/GHSA-2ww3-72rp-wpp4 https://github.com/microsoft/semantic-kernel/pull/13478/changes#diff-88d3cacba2bfa84eef8f2aa171b34f9940338cbb784a3ffc49f5fe3af1b8943d https://github.com/microsoft/semantic-kernel/blob/main/dotnet/samples/Demos/CodeInterpreterPlugin/Program.cs#L61-L64 |
| WaterFutures–EPyT-Flow | EPyT-Flow is a Python package designed for the easy generation of hydraulic and water quality scenario data of water distribution networks. Prior to 0.16.1, EPyT-Flow’s REST API parses attacker-controlled JSON request bodies using a custom deserializer (my_load_from_json) that supports a type field. When type is present, the deserializer dynamically imports an attacker-specified module/class and instantiates it with attacker-supplied arguments. This allows invoking dangerous classes such as subprocess.Popen, which can lead to OS command execution during JSON parsing. This also affects the loading of JSON files. This vulnerability is fixed in 0.16.1. | 2026-02-06 | 10 | CVE-2026-25632 | https://github.com/WaterFutures/EPyT-Flow/security/advisories/GHSA-74vm-8frp-7w68 https://github.com/WaterFutures/EPyT-Flow/commit/3fff9151494c7dbc72073830b734f0a7e550e385 https://github.com/WaterFutures/EPyT-Flow/releases/tag/v0.16.1 |
| nyariv–SandboxJS | SandboxJS is a JavaScript sandboxing library. Prior to 0.8.29, there is a sandbox escape vulnerability due to a mismatch between the key on which the validation is performed and the key used for accessing properties. Even though the key used in property accesses is annotated as string, this is never enforced. So, attackers can pass malicious objects that coerce to different string values when used, e.g., one for the time the key is sanitized using hasOwnProperty(key) and a different one for when the key is used for the actual property access. This vulnerability is fixed in 0.8.29. | 2026-02-06 | 10 | CVE-2026-25641 | https://github.com/nyariv/SandboxJS/security/advisories/GHSA-7x3h-rm86-3342 https://github.com/nyariv/SandboxJS/commit/67cb186c41c78c51464f70405504e8ef0a6e43c3 https://github.com/nyariv/SandboxJS/blob/6103d7147c4666fe48cfda58a4d5f37005b43754/src/executor.ts#L304-L304 |
| StreamRipper–StreamRipper32 | StreamRipper32 version 2.6 contains a buffer overflow vulnerability in the Station/Song Section that allows attackers to overwrite memory by manipulating the SongPattern input. Attackers can craft a malicious payload exceeding 256 bytes to potentially execute arbitrary code and compromise the application. | 2026-02-03 | 9.8 | CVE-2020-37065 | ExploitDB-48517 StreamRipper Vendor Homepage VulnCheck Advisory: StreamRipper32 2.6 – Buffer Overflow |
| GoldWave–GoldWave | GoldWave 5.70 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by crafting malicious input in the File Open URL dialog. Attackers can generate a specially crafted text file with Unicode-encoded shellcode to trigger a stack-based overflow and execute commands when the file is opened. | 2026-02-03 | 9.8 | CVE-2020-37066 | ExploitDB-48510 Official Vendor Homepage VulnCheck Advisory: GoldWave 5.70 – Buffer Overflow (SEH Unicode) |
| Utillyty–Filetto | Filetto 1.0 FTP server contains a denial of service vulnerability in the FEAT command processing that allows attackers to crash the service. Attackers can send an oversized FEAT command with 11,008 bytes of repeated characters to trigger a buffer overflow and terminate the FTP service. | 2026-02-03 | 9.8 | CVE-2020-37067 | ExploitDB-48503 Vendor Homepage Software Project Repository VulnCheck Advisory: Filetto 1.0 – ‘FEAT’ Denial of Service |
| Konica Minolta–FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the LIST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 ‘A’ characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37068 | ExploitDB-48501 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 – ‘LIST’ Denial of Service |
| Konica Minolta–FTP Utility | Konica Minolta FTP Utility 1.0 contains a buffer overflow vulnerability in the NLST command that allows attackers to overwrite system registers. Attackers can send an oversized buffer of 1500 ‘A’ characters to crash the FTP server and potentially execute unauthorized code. | 2026-02-03 | 9.8 | CVE-2020-37069 | ExploitDB-48502 Konica Minolta FTP Utility Download Page Konica Minolta Vendor Homepage VulnCheck Advisory: Konica Minolta FTP Utility 1.0 – ‘NLST’ Denial of Service |
| CloudMe–CloudMe | CloudMe 1.11.2 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code through crafted network packets. Attackers can exploit the vulnerability by sending a specially crafted payload to the CloudMe service running on port 8888, enabling remote code execution. | 2026-02-03 | 9.8 | CVE-2020-37070 | ExploitDB-48499 CloudMe Official Homepage VulnCheck Advisory: CloudMe 1.11.2 – Buffer Overflow (SEH,DEP,ASLR) |
| CraftCMS–CraftCMS | CraftCMS 3 vCard Plugin 1.0.0 contains a deserialization vulnerability that allows unauthenticated attackers to execute arbitrary PHP code through a crafted payload. Attackers can generate a malicious serialized payload that triggers remote code execution by exploiting the plugin’s vCard download functionality with a specially crafted request. | 2026-02-03 | 9.8 | CVE-2020-37071 | ExploitDB-48492 Official CraftCMS Vendor Homepage CraftCMS vCard Plugin Page Researcher Exploit Disclosure VulnCheck Advisory: CraftCMS 3 vCard Plugin 1.0.0 – Remote Code Execution |
| LizardSystems–Remote Desktop Audit | Remote Desktop Audit 2.3.0.157 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code during the Add Computers Wizard file import process. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) bypass and execute shellcode when importing computer lists. | 2026-02-03 | 9.8 | CVE-2020-37074 | ExploitDB-48465 Remote Desktop Audit Product Webpage VulnCheck Advisory: Remote Desktop Audit 2.3.0.157 – Buffer Overflow (SEH) |
| LizardSystems–LanSend | LanSend 3.2 contains a buffer overflow vulnerability in the Add Computers Wizard file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious payload file to trigger a structured exception handler (SEH) overwrite and execute shellcode when importing computers from a file. | 2026-02-03 | 9.8 | CVE-2020-37075 | ExploitDB-48461 LanSend Product Webpage VulnCheck Advisory: LanSend 3.2 – Buffer Overflow (SEH) |
| luiswang–webTareas | webTareas 2.0.p8 contains a file deletion vulnerability in the print_layout.php administration component that allows authenticated attackers to delete arbitrary files. Attackers can exploit the vulnerability by manipulating the ‘atttmp1’ parameter to specify and delete files on the server through an unauthenticated file deletion mechanism. | 2026-02-03 | 9.8 | CVE-2020-37080 | ExploitDB-48430 webTareas Project Homepage VulnCheck Advisory: webTareas 2.0.p8 – Arbitrary File Deletion |
| Weberp–webERP | webERP 4.15.1 contains an unauthenticated file access vulnerability that allows remote attackers to download database backup files without authentication. Attackers can directly access generated backup files in the companies/weberp/ directory by requesting the Backup_[timestamp].sql.gz file. | 2026-02-03 | 9.8 | CVE-2020-37082 | ExploitDB-48420 Official webERP Vendor Homepage webERP SourceForge Project Page VulnCheck Advisory: webERP 4.15.1 – Unauthenticated Backup File Access |
| Arox–School ERP Pro | School ERP Pro 1.0 contains a file upload vulnerability that allows students to upload arbitrary PHP files to the messaging system. Attackers can upload malicious PHP scripts through the message attachment feature, enabling remote code execution on the server. | 2026-02-03 | 9.8 | CVE-2020-37090 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 – Remote Code Execution |
| EspoCRM–EspoCRM | EspoCRM 5.8.5 contains an authentication vulnerability that allows attackers to access other user accounts by manipulating authorization headers. Attackers can decode and modify Basic Authorization and Espo-Authorization tokens to gain unauthorized access to administrative user information and privileges. | 2026-02-03 | 9.8 | CVE-2020-37094 | ExploitDB-48376 EspoCRM Official Vendor Homepage VulnCheck Advisory: EspoCRM 5.8.5 – Privilege Escalation |
| Cyberoam–Cyberoam Authentication Client | Cyberoam Authentication Client 2.1.2.7 contains a buffer overflow vulnerability that allows remote attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) memory. Attackers can craft a malicious input in the ‘Cyberoam Server Address’ field to trigger a bind TCP shell on port 1337 with system-level access. | 2026-02-06 | 9.8 | CVE-2020-37095 | ExploitDB-48148 Archived Cyberoam Authentication Client Software VulnCheck Advisory: Cyberoam Authentication Client 2.1.2.7 – Buffer Overflow (SEH) |
| Nsasoft–Nsauditor | Nsauditor 3.0.28 and 3.2.1.0 contains a buffer overflow vulnerability in the DNS Lookup tool that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious DNS query payload to trigger a three-byte overwrite, bypass ASLR, and execute shellcode through a carefully constructed exploit. | 2026-02-05 | 9.8 | CVE-2020-37119 | ExploitDB-48350 Nsauditor Homepage VulnCheck Advisory: Nsauditor 3.2.1.0 – Buffer Overflow (SEH+ASLR bypass (3 bytes overwrite)) |
| Rubo Medical Imaging–Rubo DICOM Viewer | Rubo DICOM Viewer 2.0 contains a buffer overflow vulnerability in the DICOM server name input field that allows attackers to overwrite Structured Exception Handler (SEH). Attackers can craft a malicious text file with carefully constructed payload to execute arbitrary code by overwriting SEH and triggering remote code execution. | 2026-02-05 | 9.8 | CVE-2020-37120 | ExploitDB-48351 Archived Rubo DICOM Viewer Product Page VulnCheck Advisory: Rubo DICOM Viewer 2.0 – Buffer Overflow (SEH) |
| wcchandler–Pinger | Pinger 1.0 contains a remote code execution vulnerability that allows attackers to inject shell commands through the ping and socket parameters. Attackers can exploit the unsanitized input in ping.php to write arbitrary PHP files and execute system commands by appending shell metacharacters. | 2026-02-05 | 9.8 | CVE-2020-37123 | ExploitDB-48323 Pinger GitHub Repository VulnCheck Advisory: Pinger 1.0 – Remote Code Execution |
| 4Mhz–B64dec | B64dec 1.1.2 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler (SEH) with crafted input. Attackers can leverage an egg hunter technique and carefully constructed payload to inject and execute malicious code during base64 decoding process. | 2026-02-05 | 9.8 | CVE-2020-37124 | ExploitDB-48317 Product Webpage VulnCheck Advisory: B64dec 1.1.2 – Buffer Overflow (SEH Overflow + Egg Hunter) |
| EDIMAX Technology–EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 contains a remote code execution vulnerability that allows unauthenticated attackers to execute arbitrary commands through the /goform/mp endpoint. Attackers can exploit the vulnerability by sending crafted POST requests with command injection payloads to download and execute malicious scripts on the device. | 2026-02-05 | 9.8 | CVE-2020-37125 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 – Remote Code Execution |
| Drive Software Company–Free Desktop Clock | Free Desktop Clock 3.0 contains a stack overflow vulnerability in the Time Zones display name input that allows attackers to overwrite Structured Exception Handler (SEH) registers. Attackers can exploit the vulnerability by crafting a malicious Unicode input that triggers an access violation and potentially execute arbitrary code. | 2026-02-05 | 9.8 | CVE-2020-37126 | ExploitDB-48314 Vendor Homepage VulnCheck Advisory: Free Desktop Clock x86 Venetian Blinds Zipper 3.0 – Unicode Stack Overflow (SEH) |
| Microvirt–Memu Play | Memu Play 7.1.3 contains an insecure folder permissions vulnerability that allows low-privileged users to modify the MemuService.exe executable. Attackers can replace the service executable with a malicious file during system restart to gain SYSTEM-level privileges by exploiting unrestricted file modification permissions. | 2026-02-05 | 9.8 | CVE-2020-37129 | ExploitDB-48283 Memu Play Official Homepage VulnCheck Advisory: Memu Play 7.1.3 – Insecure Folder Permissions |
| 10-Strike Software–Network Inventory Explorer | 10-Strike Network Inventory Explorer 9.03 contains a buffer overflow vulnerability in the file import functionality that allows remote attackers to execute arbitrary code. Attackers can craft a malicious text file with carefully constructed payload to trigger a stack-based buffer overflow and bypass data execution prevention through a ROP chain. | 2026-02-05 | 9.8 | CVE-2020-37138 | ExploitDB-48264 10-Strike Software Homepage 10-Strike Network Inventory Explorer Product Page VulnCheck Advisory: 10-Strike Network Inventory Explorer 9.03 – ‘Read from File’ Buffer Overflow (SEH)(ROP) |
| Parallaxis–Cuckoo Clock | Parallaxis Cuckoo Clock 5.0 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting memory registers in the alarm scheduling feature. Attackers can craft a malicious payload exceeding 260 bytes to overwrite EIP and EBP, enabling shellcode execution with potential remote code execution. | 2026-02-06 | 9.8 | CVE-2020-37159 | ExploitDB-48087 Vendor Homepage VulnCheck Advisory: Cuckoo Clock 5.0 – Buffer Overflow |
| Wedding Slideshow Studio–Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting the registration name field with malicious payload. Attackers can craft a specially designed payload to trigger remote code execution, demonstrating the ability to run system commands like launching the calculator. | 2026-02-06 | 9.8 | CVE-2020-37161 | ExploitDB-48050 Wedding Slideshow Studio Official Homepage VulnCheck Advisory: Wedding Slideshow Studio 1.36 – ‘Name’ Buffer Overflow |
| Wedding Slideshow Studio–Wedding Slideshow Studio | Wedding Slideshow Studio 1.36 contains a buffer overflow vulnerability in the registration key input that allows attackers to execute arbitrary code by overwriting memory. Attackers can craft a malicious payload of 1608 bytes to trigger a stack-based buffer overflow and execute commands through the registration key field. | 2026-02-06 | 9.8 | CVE-2020-37162 | ExploitDB-48028 Archived Wedding Slideshow Studio Webpage VulnCheck Advisory: Wedding Slideshow Studio 1.36 – ‘Key’ Buffer Overflow |
| Innomic–VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker can gain full access on the affected devices as they are shipped without a password by default and setting one is not enforced. | 2026-02-02 | 9.8 | CVE-2022-50981 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM–Common Cryptographic Architecture | IBM Common Cryptographic Architecture (CCA) 7.5.52 and 8.4.82 could allow an unauthenticated user to execute arbitrary commands with elevated privileges on the system. | 2026-02-04 | 9.8 | CVE-2025-13375 | https://www.ibm.com/support/pages/node/7259625 |
| jayarsiech–JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the ‘jay_login_register_ajax_create_final_user’ function. This makes it possible for unauthenticated attackers to elevate their privileges to that of an administrator. | 2026-02-08 | 9.8 | CVE-2025-15027 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b08198a6-10e8-44ca-a1c5-8d987d85c469?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.5.01/includes/jay-login-register-ajax-handler.php#L788 |
| Emit Informatics and Communication Technologies Industry and Trade Ltd. Co.–DIGITA Efficiency Management System | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Emit Informatics and Communication Technologies Industry and Trade Ltd. Co. DIGITA Efficiency Management System allows SQL Injection. This issue affects DIGITA Efficiency Management System: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 9.8 | CVE-2025-5319 | https://www.usom.gov.tr/bildirim/tr-26-0016 |
| Martcode Software Inc.–Delta Course Automation | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Martcode Software Inc. Delta Course Automation allows SQL Injection. This issue affects Delta Course Automation: through 04022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 9.8 | CVE-2025-5329 | https://www.usom.gov.tr/bildirim/tr-26-0018 |
| Unstructured-IO–unstructured | The unstructured library provides open-source components for ingesting and pre-processing images and text documents, such as PDFs, HTML, Word docs, and many more. Prior to version 0.18.18, a path traversal vulnerability in the partition_msg function allows an attacker to write or overwrite arbitrary files on the filesystem when processing malicious MSG files with attachments. This issue has been patched in version 0.18.18. | 2026-02-04 | 9.8 | CVE-2025-64712 | https://github.com/Unstructured-IO/unstructured/security/advisories/GHSA-gm8q-m8mv-jj5m https://github.com/Unstructured-IO/unstructured/commit/b01d35b2373fd087d2e15162b9c021663c97155d |
| wildfirechat–im-server | Wildfire IM is an instant messaging and real-time audio/video solution. Prior to 1.4.3, a critical vulnerability exists in the im-server component related to the file upload functionality found in com.xiaoleilu.loServer.action.UploadFileAction. The application exposes an endpoint (/fs) that handles multipart file uploads but fails to properly sanitize the filename provided by the user. Specifically, the writeFileUploadData method directly concatenates the configured storage directory with the filename extracted from the upload request without stripping directory traversal sequences (e.g., ../../). This vulnerability allows an attacker to write arbitrary files to any location on the server’s filesystem where the application process has write permissions. By uploading malicious files (such as scripts, executables, or overwriting configuration files like authorized_keys or cron jobs), an attacker can achieve Remote Code Execution (RCE) and completely compromise the server. This vulnerability is fixed in 1.4.3. | 2026-02-02 | 9.8 | CVE-2025-66480 | https://github.com/wildfirechat/im-server/security/advisories/GHSA-74hq-jhx2-fq6c https://github.com/wildfirechat/im-server/commit/2f9c4e028c01c64913cab32e7248bcca183a5230 https://github.com/wildfirechat/im-server/releases/tag/1.4.3 |
| revmakx–WP Duplicate WordPress Migration Plugin | The WP Duplicate plugin for WordPress is vulnerable to Missing Authorization leading to Arbitrary File Upload in all versions up to and including 1.1.8. This is due to a missing capability check on the `process_add_site()` AJAX action combined with path traversal in the file upload functionality. This makes it possible for authenticated (subscriber-level) attackers to set the internal `prod_key_random_id` option, which can then be used by an unauthenticated attacker to bypass authentication checks and write arbitrary files to the server via the `handle_upload_single_big_file()` function, ultimately leading to remote code execution. | 2026-02-06 | 9.8 | CVE-2026-1499 | https://www.wordfence.com/threat-intel/vulnerabilities/id/11bb7190-023b-45e1-99a5-7313c489ef45?source=cve https://cwe.mitre.org/data/definitions/862.html https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-admin.php#L422 https://plugins.trac.wordpress.org/browser/local-sync/trunk/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/includes/class-local-sync-handle-server-requests.php#L389 https://plugins.trac.wordpress.org/browser/local-sync/trunk/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/browser/local-sync/tags/1.1.8/admin/class-local-sync-files-op.php#L843 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3452904%40local-sync&old=3400317%40local-sync&sfp_email=&sfph_mail= |
| Rapid7–Vulnerability Management | Rapid7 InsightVM versions before 8.34.0 contain a signature verification issue on the Assertion Consumer Service (ACS) cloud endpoint that could allow an attacker to gain unauthorized access to InsightVM accounts setup via “Security Console” installations, resulting in full account takeover. The issue occurs due to the application processing these unsigned assertions and issuing session cookies that granted access to the targeted user accounts. This has been fixed in version 8.34.0 of InsightVM. | 2026-02-03 | 9.6 | CVE-2026-1568 | https://docs.rapid7.com/insight/command-platform-release-notes/ |
| RISS SRL–MOMA Seismic Station | MOMA Seismic Station Version v2.4.2520 and prior exposes its web management interface without requiring authentication, which could allow an unauthenticated attacker to modify configuration settings, acquire device data or remotely reset the device. | 2026-02-03 | 9.1 | CVE-2026-1632 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-034-03.json |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in Keylime. The Keylime registrar, since version 7.12.0, does not enforce client-side Transport Layer Security (TLS) authentication. This authentication bypass vulnerability allows unauthenticated clients with network access to perform administrative operations, including listing agents, retrieving public Trusted Platform Module (TPM) data, and deleting agents, by connecting without presenting a client certificate. | 2026-02-06 | 9.4 | CVE-2026-1709 | RHSA-2026:2224 RHSA-2026:2225 RHSA-2026:2298 https://access.redhat.com/security/cve/CVE-2026-1709 RHBZ#2435514 |
| IP-COM–W30AP | A vulnerability was detected in IP-COM W30AP up to 1.0.0.11(1340). Affected by this issue is the function R7WebsSecurityHandler of the file /goform/wx3auth of the component POST Request Handler. The manipulation of the argument data results in stack-based buffer overflow. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 9.8 | CVE-2026-2017 | VDB-344599 | IP-COM W30AP POST Request wx3auth R7WebsSecurityHandler stack-based overflow VDB-344599 | CTI Indicators (IOB, IOC, IOA) Submit #744062 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow Submit #744063 | IP-COM W30APv4.0 <= v1.0.0.11(1340) Stack-based Buffer Overflow (Duplicate) https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md https://gitee.com/GXB0_0/iot-vul/blob/master/IP-COM/W30AP/wx3auth-sprintf.md#poc |
| Fortinet–FortiClientEMS | An improper neutralization of special elements used in an sql command (‘sql injection’) vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests. | 2026-02-06 | 9.1 | CVE-2026-21643 | https://fortiguard.fortinet.com/psirt/FG-IR-25-1142 |
| vllm-project–vllm | vLLM is an inference and serving engine for large language models (LLMs). From 0.8.3 to before 0.14.1, when an invalid image is sent to vLLM’s multimodal endpoint, PIL throws an error. vLLM returns this error to the client, leaking a heap address. With this leak, we reduce ASLR from 4 billion guesses to ~8 guesses. This vulnerability can be chained a heap overflow with JPEG2000 decoder in OpenCV/FFmpeg to achieve remote code execution. This vulnerability is fixed in 0.14.1. | 2026-02-02 | 9.8 | CVE-2026-22778 | https://github.com/vllm-project/vllm/security/advisories/GHSA-4r2x-xpjr-7cvv https://github.com/vllm-project/vllm/pull/31987 https://github.com/vllm-project/vllm/pull/32319 https://github.com/vllm-project/vllm/releases/tag/v0.14.1 |
| Microsoft–Azure Front Door | Azure Front Door Elevation of Privilege Vulnerability | 2026-02-05 | 9.8 | CVE-2026-24300 | Azure Front Door Elevation of Privilege Vulnerability |
| NixOS–nixpkgs | The NixOs Odoo package is an open source ERP and CRM system. From 21.11 to before 25.11 and 26.05, every NixOS based Odoo setup publicly exposes the database manager without any authentication. This allows unauthorized actors to delete and download the entire database, including Odoos file store. Unauthorized access is evident from http requests. If kept, searching access logs and/or Odoos log for requests to /web/database can give indicators, if this has been actively exploited. The database manager is a featured intended for development and not meant to be publicly reachable. On other setups, a master password acts as 2nd line of defence. However, due to the nature of NixOS, Odoo is not able to modify its own configuration file and thus unable to persist the auto-generated password. This also applies when manually setting a master password in the web-UI. This means, the password is lost when restarting Odoo. When no password is set, the user is prompted to set one directly via the database manager. This requires no authentication or action by any authorized user or the system administrator. Thus, the database is effectively world readable by anyone able to reach Odoo. This vulnerability is fixed in 25.11 and 26.05. | 2026-02-02 | 9.1 | CVE-2026-25137 | https://github.com/NixOS/nixpkgs/security/advisories/GHSA-cwmq-6wv5-f3px https://github.com/NixOS/nixpkgs/pull/485310 https://github.com/NixOS/nixpkgs/pull/485454 |
| QwikDev–qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a prototype pollution vulnerability exists in the formToObj() function within @builder.io/qwik-city middleware. The function processes form field names with dot notation (e.g., user.name) to create nested objects, but fails to sanitize dangerous property names like __proto__, constructor, and prototype. This allows unauthenticated attackers to pollute Object.prototype by sending crafted HTTP POST requests, potentially leading to privilege escalation, authentication bypass, or denial of service. This issue has been patched in version 1.19.0. | 2026-02-03 | 9.3 | CVE-2026-25150 | https://github.com/QwikDev/qwik/security/advisories/GHSA-xqg6-98cw-gxhq https://github.com/QwikDev/qwik/commit/5f65bae2bc33e6ca0c21e4cfcf9eae05077716f7 |
| AlistGo–alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application disables TLS certificate verification by default for all outgoing storage driver communications, making the system vulnerable to Man-in-the-Middle (MitM) attacks. This enables the complete decryption, theft, and manipulation of all data transmitted during storage operations, severely compromising the confidentiality and integrity of user data. This issue has been patched in version 3.57.0. | 2026-02-04 | 9.1 | CVE-2026-25160 | https://github.com/AlistGo/alist/security/advisories/GHSA-8jmm-3xwx-w974 https://github.com/AlistGo/alist/commit/69629ca76a8f2c8c973ede3b616f93aa26ff23fb |
| Samsung Electronics–MagicINFO 9 Server | A vulnerability in MagicInfo9 Server allows authorized users to upload HTML files without authentication, leading to Stored XSS, which can result in account takeover This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25200 | https://security.samsungtv.com/securityUpdates |
| Samsung Electronics–MagicINFO 9 Server | The database account and password are hardcoded, allowing login with the account to manipulate the database in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 9.8 | CVE-2026-25202 | https://security.samsungtv.com/securityUpdates |
| maziggy–bambuddy | Bambuddy is a self-hosted print archive and management system for Bambu Lab 3D printers. Prior to version 0.1.7, a hardcoded secret key used for signing JWTs is checked into source code and ManyAPI routes do not check authentication. This issue has been patched in version 0.1.7. | 2026-02-04 | 9.8 | CVE-2026-25505 | https://github.com/maziggy/bambuddy/security/advisories/GHSA-gc24-px2r-5qmf https://github.com/maziggy/bambuddy/pull/225 https://github.com/maziggy/bambuddy/commit/a82f9278d2d587b7042a0858aab79fd8b6e3add9 https://github.com/maziggy/bambuddy/commit/c31f2968889c855f1ffacb700c2c9970deb2a6fb https://github.com/maziggy/bambuddy/blob/a9bb8ed8239602bf08a9914f85a09eeb2bf13d15/backend/app/core/auth.py#L28 https://github.com/maziggy/bambuddy/blob/main/CHANGELOG.md https://github.com/maziggy/bambuddy/releases/tag/v0.1.7 |
| HubSpot–jinjava | JinJava is a Java-based template engine based on django template syntax, adapted to render jinja templates. Prior to versions 2.7.6 and 2.8.3, JinJava is vulnerable to arbitrary Java execution via bypass through ForTag. This allows arbitrary Java class instantiation and file access bypassing built-in sandbox restrictions. This issue has been patched in versions 2.7.6 and 2.8.3. | 2026-02-04 | 9.8 | CVE-2026-25526 | https://github.com/HubSpot/jinjava/security/advisories/GHSA-gjx9-j8f8-7j74 https://github.com/HubSpot/jinjava/commit/3d02e504d8bbb13bf3fe019e9ca7b51dfce7a998 https://github.com/HubSpot/jinjava/commit/c7328dce6030ac718f88974196035edafef24441 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.7.6 https://github.com/HubSpot/jinjava/releases/tag/jinjava-2.8.3 |
| siyuan-note–siyuan | SiYuan is a personal knowledge management system. Prior to version 3.5.5, the /api/file/copyFile endpoint does not validate the dest parameter, allowing authenticated users to write files to arbitrary locations on the filesystem. This can lead to Remote Code Execution (RCE) by writing to sensitive locations such as cron jobs, SSH authorized_keys, or shell configuration files. This issue has been patched in version 3.5.5. | 2026-02-04 | 9.1 | CVE-2026-25539 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-c4jr-5q7w-f6r9 https://github.com/siyuan-note/siyuan/commit/d7f790755edf8c78d2b4176171e5a0cdcd720feb |
| payloadcms–payload | Payload is a free and open source headless content management system. Prior to 3.73.0, when querying JSON or richText fields, user input was directly embedded into SQL without escaping, enabling blind SQL injection attacks. An unauthenticated attacker could extract sensitive data (emails, password reset tokens) and achieve full account takeover without password cracking. This vulnerability is fixed in 3.73.0. | 2026-02-06 | 9.8 | CVE-2026-25544 | https://github.com/payloadcms/payload/security/advisories/GHSA-xx6w-jxg9-2wh8 |
| blakeblackshear–frigate | Frigate is a network video recorder (NVR) with realtime local object detection for IP cameras. Prior to 0.16.4, a critical Remote Command Execution (RCE) vulnerability has been identified in the Frigate integration with go2rtc. The application does not sanitize user input in the video stream configuration (config.yaml), allowing direct injection of system commands via the exec: directive. The go2rtc service executes these commands without restrictions. This vulnerability is only exploitable by an administrator or users who have exposed their Frigate install to the open internet with no authentication which allows anyone full administrative control. This vulnerability is fixed in 0.16.4. | 2026-02-06 | 9.1 | CVE-2026-25643 | https://github.com/blakeblackshear/frigate/security/advisories/GHSA-4c97-5jmr-8f6x https://github.com/blakeblackshear/frigate/releases/tag/v0.16.4 |
| denpiligrim–3dp-manager | 3DP-MANAGER is an inbound generator for 3x-ui. In version 2.0.1 and prior, the application automatically creates an administrative account with known default credentials (admin/admin) upon the first initialization. Attackers with network access to the application’s login interface can gain full administrative control, managing VPN tunnels and system settings. This issue will be patched in version 2.0.2. | 2026-02-06 | 9.8 | CVE-2026-25803 | https://github.com/denpiligrim/3dp-manager/security/advisories/GHSA-5×57-h7cw-9jmw https://github.com/denpiligrim/3dp-manager/commit/f568de41de97dd1b70a963708a1ee18e52b9d248 |
| OXID-eSales–OXID eShop | OXID eShop versions 6.x prior to 6.3.4 contains a SQL injection vulnerability in the ‘sorting’ parameter that allows attackers to insert malicious database content. Attackers can exploit the vulnerability by manipulating the sorting parameter to inject PHP code into the database and execute arbitrary code through crafted URLs. | 2026-02-03 | 8.2 | CVE-2019-25260 | ExploitDB-48527 Official OXID eShop Vendor Homepage OXID eShop Community Edition GitHub Repository Archived Researcher Disclosure Archived RIPSTech Security Blog OXID eShop Bug Tracking Entry VulnCheck Advisory: OXID eShop 6.3.4 – ‘sorting’ SQL Injection |
| VictorAlagwu–CMSsite | Victor CMS 1.0 contains an authenticated file upload vulnerability that allows administrators to upload PHP files with arbitrary content through the user_image parameter. Attackers can upload a malicious PHP shell to the /img/ directory and execute system commands by accessing the uploaded file with a ‘cmd’ parameter. | 2026-02-03 | 8.8 | CVE-2020-37073 | ExploitDB-48490 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 – Authenticated Arbitrary File Upload |
| VictorAlagwu–CMSsite | Victor CMS version 1.0 contains a SQL injection vulnerability in the ‘post’ parameter on post.php that allows remote attackers to manipulate database queries. Attackers can exploit this vulnerability by sending crafted UNION SELECT payloads to extract database information through boolean-based, error-based, and time-based injection techniques. | 2026-02-03 | 8.2 | CVE-2020-37076 | ExploitDB-48451 Victor CMS GitHub Repository VulnCheck Advisory: Victor CMS 1.0 – ‘post’ SQL Injection |
| i-doit GmbH–i-doit Open Source CMDB | i-doit Open Source CMDB 1.14.1 contains a file deletion vulnerability in the import module that allows authenticated attackers to delete arbitrary files by manipulating the delete_import parameter. Attackers can send a POST request to the import module with a crafted filename to remove files from the server’s filesystem. | 2026-02-03 | 8.8 | CVE-2020-37078 | ExploitDB-48427 Official Vendor Homepage i-doit SourceForge Project VulnCheck Advisory: i-doit Open Source CMDB 1.14.1 – Arbitrary File Deletion |
| chatelao–PHP Address Book | PHP AddressBook 9.0.0.1 contains a time-based blind SQL injection vulnerability that allows remote attackers to manipulate database queries through the ‘id’ parameter. Attackers can inject crafted SQL statements with time delays to extract information by observing response times in the photo.php endpoint. | 2026-02-03 | 8.2 | CVE-2020-37083 | ExploitDB-48416 SourceForge Product Page VulnCheck Advisory: addressbook 9.0.0.1 – ‘id’ SQL Injection |
| Arox–School ERP Pro | School ERP Pro 1.0 contains a SQL injection vulnerability in the ‘es_messagesid’ parameter that allows attackers to manipulate database queries through GET requests. Attackers can exploit the vulnerable parameter by injecting crafted SQL statements to potentially extract, modify, or delete database information. | 2026-02-03 | 8.2 | CVE-2020-37089 | ExploitDB-48390 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 – ‘es_messagesid’ SQL Injection |
| Davidvg–60CycleCMS | 60CycleCMS 2.5.2 contains an SQL injection vulnerability in news.php and common/lib.php that allows attackers to manipulate database queries through unvalidated user input. Attackers can exploit vulnerable query parameters like ‘title’ to inject malicious SQL code and potentially extract or modify database contents. This issue does not involve cross-site scripting. | 2026-02-03 | 8.2 | CVE-2020-37110 | ExploitDB-48177 Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 – ‘news.php’ SQL Injection Vulnerability |
| Openeclass–GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows authenticated users to bypass file extension restrictions when uploading files. By renaming a PHP file to .php3 or .PhP, an attacker can upload a web shell and execute arbitrary code on the server. This vulnerability enables remote code execution by bypassing the intended file type checks in the exercise submission feature. | 2026-02-03 | 8.8 | CVE-2020-37113 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform – File Upload Extension Bypass |
| Openeclass–GUnet OpenEclass | GUnet OpenEclass 1.7.3 includes phpMyAdmin 2.10.0.2 by default, which allows remote logins. Attackers with access to the platform can remotely access phpMyAdmin and, after uploading a shell, view the config.php file to obtain the MySQL password, leading to full database compromise. | 2026-02-03 | 8.8 | CVE-2020-37116 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform – phpMyAdmin Remote Access |
| jizhiCMS–jizhiCMS | jizhiCMS 1.6.7 contains a file download vulnerability in the admin plugins update endpoint that allows authenticated administrators to download arbitrary files. Attackers can exploit the vulnerability by sending crafted POST requests with malicious filepath and download_url parameters to trigger unauthorized file downloads. | 2026-02-05 | 8.8 | CVE-2020-37117 | ExploitDB-48361 Official Vendor Homepage VulnCheck Advisory: jizhiCMS 1.6.7 – Arbitrary File Download |
| Odin-Secure-Ftp-Expert–Odin Secure FTP Expert | Odin Secure FTP Expert 7.6.3 contains a local denial of service vulnerability that allows attackers to crash the application by manipulating site information fields. Attackers can generate a buffer overflow by pasting 108 bytes of repeated characters into connection fields, causing the application to crash. | 2026-02-05 | 8.4 | CVE-2020-37139 | ExploitDB-48262 Archived Software Download VulnCheck Advisory: Odin Secure FTP Expert 7.6.3 – ‘Site Info’ Denial of Service |
| AMSS++–AMSS++ | AMSS++ version 4.31 contains a SQL injection vulnerability in the mail module’s maildetail.php script through the ‘id’ parameter. Attackers can manipulate the ‘id’ parameter in /modules/mail/main/maildetail.php to inject malicious SQL queries and potentially access or modify database contents. | 2026-02-06 | 8.2 | CVE-2020-37141 | ExploitDB-48109 VulnCheck Advisory: AMSS++ v 4.31 – ‘id’ SQL Injection |
| 10-Strike Software–Network Inventory Explorer | 10-Strike Network Inventory Explorer 8.54 contains a structured exception handler buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting SEH records. Attackers can craft a malicious payload targeting the ‘Computer’ parameter during the ‘Add’ function to trigger remote code execution. | 2026-02-05 | 8.4 | CVE-2020-37142 | ExploitDB-48253 10-Strike Software Homepage Archived Researcher Blog VulnCheck Advisory: 10-Strike Network Inventory Explorer 8.54 – ‘Add’ Local Buffer Overflow (SEH) |
| EDIMAX Technology–EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 is vulnerable to cross-site request forgery (CSRF) that can lead to command execution. An attacker can trick an authenticated user into submitting a crafted form to the /goform/mp endpoint, resulting in arbitrary command execution on the device with the user’s privileges. | 2026-02-05 | 8.1 | CVE-2020-37149 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 – Cross-Site Request Forgery (CSRF) to Command Execution |
| Ciprianmp–phpMyChat Plus | phpMyChat Plus 1.98 contains a SQL injection vulnerability in the deluser.php page through the pmc_username parameter that allows attackers to manipulate database queries. Attackers can exploit boolean-based, error-based, and time-based blind SQL injection techniques to extract sensitive database information by crafting malicious payloads in the username field. | 2026-02-05 | 8.2 | CVE-2020-37151 | ExploitDB-48066 Vendor Homepage VulnCheck Advisory: phpMyChat Plus 1.98 ‘deluser.php’ SQL Injection |
| QuickDate–QuickDate | QuickDate 1.3.2 contains a SQL injection vulnerability that allows remote attackers to manipulate database queries through the ‘_located’ parameter in the find_matches endpoint. Attackers can inject UNION-based SQL statements to extract database information including user credentials, database name, and system version. | 2026-02-06 | 8.2 | CVE-2020-37163 | ExploitDB-48022 Archived QuickDate Script Webpage VulnCheck Advisory: QuickDate 1.3.2 – SQL Injection |
| Innomic–VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker is able to use an existing session id of a logged in user and gain full access to the device if configuration via ethernet is enabled. | 2026-02-02 | 8.8 | CVE-2022-50975 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Mitsubishi Electric Corporation–FREQSHIP-mini for Windows | Incorrect Default Permissions vulnerability in Mitsubishi Electric Corporation FREQSHIP-mini for Windows versions 8.0.0 to 8.0.2 allows a local attacker to execute arbitrary code with system privileges by replacing service executable files (EXE) or DLLs in the installation directory with specially crafted files. As a result, the attacker may be able to disclose, tamper with, delete, or destroy information stored on the PC where the affected product is installed, or cause a Denial of Service (DoS) condition on the affected system. | 2026-02-05 | 8.8 | CVE-2025-10314 | https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-019_en.pdf https://jvn.jp/jp/JVN64883963/ https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-01 |
| roxnor–Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers | The Popup builder with Gamification, Multi-Step Popups, Page-Level Targeting, and WooCommerce Triggers plugin for WordPress is vulnerable to generic SQL Injection via the multiple REST API endpoints in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. Vulnerability was patched in version 2.2.1 for unauthenticated users, and fully patched in version 2.2.3 for Administrator+ level users. | 2026-02-04 | 8.2 | CVE-2025-13192 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9db1dfde-0cba-41b2-ab7a-a1640e5fd96b?source=cve https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L50 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Popup.php#L133 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L382 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Helpers/DataBase.php#L413 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L99 https://plugins.trac.wordpress.org/browser/popup-builder-block/tags/2.1.5/includes/Routes/Subscribers.php#L133 |
| IBM–Aspera Console | IBM Aspera Console 3.4.0 through 3.4.8 is vulnerable to SQL injection. A remote attacker could send specially crafted SQL statements, which could allow the attacker to view, add, modify, or delete information in the back-end database. | 2026-02-05 | 8.6 | CVE-2025-13379 | https://www.ibm.com/support/pages/node/7259448 |
| jayarsiech–JAY Login & Register | The JAY Login & Register plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 2.6.03. This is due to the plugin allowing a user to update arbitrary user meta through the ‘jay_panel_ajax_update_profile’ function. This makes it possible for authenticated attackers, with Subscriber-level access and above, to elevate their privileges to that of an administrator. | 2026-02-08 | 8.8 | CVE-2025-15100 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fb900810-23a2-4920-a5e8-4388c4474de0?source=cve https://plugins.trac.wordpress.org/browser/jay-login-register/tags/2.6.01/includes/user-panel/jay-login-register-ajax-handler-user-panel.php#L624 |
| Tanium–Deploy | Tanium addressed an improper input validation vulnerability in Deploy. | 2026-02-05 | 8.8 | CVE-2025-15330 | TAN-2025-012 |
| themeboy–SportsPress Sports Club & League Manager | The SportsPress plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 2.7.26 via shortcodes ‘template_name’ attribute. This makes it possible for authenticated attackers, with contributor-level and above permissions, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files. This can be used to bypass access controls, obtain sensitive data, or achieve code execution in cases where php file type can be uploaded and included. | 2026-02-04 | 8.8 | CVE-2025-15368 | https://www.wordfence.com/threat-intel/vulnerabilities/id/27e40af7-5697-4482-a96d-9216886c363b?source=cve https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L32 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/class-sp-shortcodes.php#L182 https://plugins.trac.wordpress.org/browser/sportspress/tags/2.7.26/includes/sp-core-functions.php#L68 |
| Kubernetes–ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-proxy-set-headers` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-06 | 8.8 | CVE-2025-15566 | https://github.com/kubernetes/kubernetes/issues/136789 |
| Ankara Hosting Website Design–Website Software | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Ankara Hosting Website Design Website Software allows Reflected XSS. This issue affects Website Software: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.6 | CVE-2025-6397 | https://www.usom.gov.tr/bildirim/tr-26-0014 |
| n/a–n/a | An arbitrary file upload vulnerability in the AddFont() function of FPDF v1.86 and earlier allows attackers to execute arbitrary code via uploading a crafted PHP file. | 2026-02-03 | 8.8 | CVE-2025-65875 | http://www.fpdf.org https://github.com/Setasign/FPDF https://advisories.gitlab.com/pkg/composer/tecnickcom/tc-lib-pdf-font/CVE-2024-56520/ |
| N/A–Moodle[.]org | A flaw was found in Moodle. This authentication bypass vulnerability allows suspended users to authenticate through the Learning Tools Interoperability (LTI) Provider. The issue arises from the LTI authentication handlers failing to enforce the user’s suspension status, enabling unauthorized access to the system. This can lead to information disclosure or other unauthorized actions by users who should be restricted. | 2026-02-03 | 8.1 | CVE-2025-67848 | https://access.redhat.com/security/cve/CVE-2025-67848 RHBZ#2423831 https://moodle.org/mod/forum/discuss.php?d=471298 |
| AKCE Software Technology R&D Industry and Trade Inc.–SKSPro | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows SQL Injection. This issue affects SKSPro: through 07012026. | 2026-02-02 | 8.6 | CVE-2025-8587 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| themeum–Tutor LMS eLearning and online course solution | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Insecure Direct Object References (IDOR) in all versions up to, and including, 3.9.5. This is due to missing object-level authorization checks in the `course_list_bulk_action()`, `bulk_delete_course()`, and `update_course_status()` functions. This makes it possible for authenticated attackers, with Tutor Instructor-level access and above, to modify or delete arbitrary courses they do not own by manipulating course IDs in bulk action requests. | 2026-02-03 | 8.1 | CVE-2026-1375 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4e95b32b-c050-41eb-8fce-461257420eb6?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L289 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L437 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/classes/Course_List.php#L463 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/classes/Course_List.php?contextall=1&old=3339576&old_path=%2Ftutor%2Ftrunk%2Fclasses%2FCourse_List.php |
| Red Hat–Red Hat Satellite 6 | A flaw was found in fog-kubevirt. This vulnerability allows a remote attacker to perform a Man-in-the-Middle (MITM) attack due to disabled certificate validation. This enables the attacker to intercept and potentially alter sensitive communications between Satellite and OpenShift, resulting in information disclosure and data integrity compromise. | 2026-02-02 | 8.1 | CVE-2026-1530 | https://access.redhat.com/security/cve/CVE-2026-1530 RHBZ#2433784 |
| Red Hat–Red Hat Satellite 6 | A flaw was found in foreman_kubevirt. When configuring the connection to OpenShift, the system disables SSL verification if a Certificate Authority (CA) certificate is not explicitly set. This insecure default allows a remote attacker, capable of intercepting network traffic between Satellite and OpenShift, to perform a Man-in-the-Middle (MITM) attack. Such an attack could lead to the disclosure or alteration of sensitive information. | 2026-02-02 | 8.1 | CVE-2026-1531 | https://access.redhat.com/security/cve/CVE-2026-1531 RHBZ#2433786 |
| Kubernetes–ingress-nginx | A security issue was discovered in ingress-nginx where the `nginx.ingress.kubernetes.io/auth-method` Ingress annotation can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-1580 | https://github.com/kubernetes/kubernetes/issues/136677 |
| skirridsystems–OS DataHub Maps | The OS DataHub Maps plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the ‘OS_DataHub_Maps_Admin::add_file_and_ext’ function in all versions up to, and including, 1.8.3. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-02-03 | 8.8 | CVE-2026-1730 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c32ba2a0-a9a7-4f17-8169-912cecc40b7b?source=cve https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L67 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/include/osmap-admin.php?rev=3449192#L51 https://plugins.trac.wordpress.org/browser/os-datahub-maps/trunk/os-datahub-maps.php?rev=3449192#L87 https://plugins.trac.wordpress.org/changeset/3452323/os-datahub-maps |
| seezee–WP FOFT Loader | The WP FOFT Loader plugin for WordPress is vulnerable to arbitrary file uploads due to incorrect file type validation in the ‘WP_FOFT_Loader_Mimes::file_and_ext’ function in all versions up to, and including, 2.1.39. This makes it possible for authenticated attackers, with Author-level access and above, to upload arbitrary files on the affected site’s server which may make remote code execution possible. | 2026-02-04 | 8.8 | CVE-2026-1756 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cede8ff5-f739-4eb3-9672-5adb5d2ae0a9?source=cve https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L45 https://plugins.trac.wordpress.org/browser/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php?rev=3449144#L31 https://plugins.trac.wordpress.org/changeset/3453101/wp-foft-loader/trunk/includes/class-wp-foft-loader-mimes.php |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libsoup. This stack-based buffer overflow vulnerability occurs during the parsing of multipart HTTP responses due to an incorrect length calculation. A remote attacker can exploit this by sending a specially crafted multipart HTTP response, which can lead to memory corruption. This issue may result in application crashes or arbitrary code execution in applications that process untrusted server responses, and it does not require authentication or user interaction. | 2026-02-02 | 8.6 | CVE-2026-1761 | RHSA-2026:1948 RHSA-2026:2005 RHSA-2026:2006 RHSA-2026:2007 RHSA-2026:2008 RHSA-2026:2049 RHSA-2026:2182 RHSA-2026:2214 RHSA-2026:2215 RHSA-2026:2216 https://access.redhat.com/security/cve/CVE-2026-1761 RHBZ#2435961 |
| Ziroom–ZHOME A0101 | A weakness has been identified in Ziroom ZHOME A0101 1.0.1.0. Impacted is an unknown function of the component Dropbear SSH Service. This manipulation causes use of default credentials. Remote exploitation of the attack is possible. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 8.1 | CVE-2026-1803 | VDB-343976 | Ziroom ZHOME A0101 Dropbear SSH Service default credentials VDB-343976 | CTI Indicators (IOB, IOC) Submit #745497 | Ziroom Smart Ziroom Smart Gateway (ZH-A0101) ZH-A0101 1.0.1.0 Backdoor Submit #745529 | Ziroom Smart Smart Gateway ZH-A0101 ZH-A0101 1.0.1.0 Credentials Management (Duplicate) https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md https://github.com/Blackhole23-Lab/-/blob/main/vulns/ssh-backdoor.md#proof-of-concept |
| Karel Electronics Industry and Trade Inc.–ViPort | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Karel Electronics Industry and Trade Inc. ViPort allows Stored XSS. This issue affects ViPort: through 23012026. | 2026-02-04 | 8.8 | CVE-2026-1819 | https://www.usom.gov.tr/bildirim/tr-26-0017 |
| Cisco–Cisco Meeting Management | A vulnerability in the Certificate Management feature of Cisco Meeting Management could allow an authenticated, remote attacker to upload arbitrary files, execute arbitrary commands, and elevate privileges to root on an affected system. This vulnerability is due to improper input validation in certain sections of the web-based management interface. An attacker could exploit this vulnerability by sending a crafted HTTP request to an affected system. A successful exploit could allow the attacker to upload arbitrary files to the affected system. The malicious files could overwrite system files that are processed by the root system account and allow arbitrary command execution with root privileges. To exploit this vulnerability, the attacker must have valid credentials for a user account with at least the role of video operator. | 2026-02-04 | 8.8 | CVE-2026-20098 | cisco-sa-cmm-file-up-kY47n8kK |
| UTT– 520W | A weakness has been identified in UTT 进取 520W 1.7.7-180627. This affects the function strcpy of the file /goform/formIpGroupConfig. Executing a manipulation of the argument groupName can lead to buffer overflow. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2066 | VDB-344633 | UTT 进取 520W formIpGroupConfig strcpy buffer overflow VDB-344633 | CTI Indicators (IOB, IOC, IOA) Submit #745260 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/36.md https://github.com/cymiao1978/cve/blob/main/new/36.md#poc |
| UTT– 520W | A security vulnerability has been detected in UTT 进取 520W 1.7.7-180627. This vulnerability affects the function strcpy of the file /goform/formTimeGroupConfig. The manipulation of the argument year1 leads to buffer overflow. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2067 | VDB-344634 | UTT 进取 520W formTimeGroupConfig strcpy buffer overflow VDB-344634 | CTI Indicators (IOB, IOC, IOA) Submit #745261 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/37.md https://github.com/cymiao1978/cve/blob/main/new/37.md#poc |
| UTT– 520W | A vulnerability was detected in UTT 进取 520W 1.7.7-180627. This issue affects the function strcpy of the file /goform/formSyslogConf. The manipulation of the argument ServerIp results in buffer overflow. The attack may be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2068 | VDB-344635 | UTT 进取 520W formSyslogConf strcpy buffer overflow VDB-344635 | CTI Indicators (IOB, IOC, IOA) Submit #745262 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/38.md https://github.com/cymiao1978/cve/blob/main/new/38.md#poc |
| UTT– 520W | A vulnerability has been found in UTT 进取 520W 1.7.7-180627. The affected element is the function strcpy of the file /goform/formPolicyRouteConf. Such manipulation of the argument GroupName leads to buffer overflow. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 8.8 | CVE-2026-2070 | VDB-344637 | UTT 进取 520W formPolicyRouteConf strcpy buffer overflow VDB-344637 | CTI Indicators (IOB, IOC, IOA) Submit #745264 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/39.md |
| UTT– 520W | A vulnerability was found in UTT 进取 520W 1.7.7-180627. The impacted element is the function strcpy of the file /goform/formP2PLimitConfig. Performing a manipulation of the argument except results in buffer overflow. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2071 | VDB-344638 | UTT 进取 520W formP2PLimitConfig strcpy buffer overflow VDB-344638 | CTI Indicators (IOB, IOC, IOA) Submit #745265 | UTT 进取 520W v3v1.7.7-180627 Buffer Overflow https://github.com/cymiao1978/cve/blob/main/new/40.md |
| UTT–HiPER 810G | A vulnerability was detected in UTT HiPER 810G up to 1.7.7-171114. Affected by this vulnerability is the function strcpy of the file /goform/formFireWall of the component Management Interface. The manipulation of the argument GroupName results in buffer overflow. The attack can be launched remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 8.8 | CVE-2026-2086 | VDB-344653 | UTT HiPER 810G Management formFireWall strcpy buffer overflow VDB-344653 | CTI Indicators (IOB, IOC, IOA) Submit #746502 | UTT (AiTai) HiPER 810G <= v3v1.7.7-171114 Buffer Overflow https://github.com/alc9700jmo/CVE/issues/22 https://github.com/alc9700jmo/CVE/issues/22#issue-3851242657 |
| Tenda–TX3 | A vulnerability has been found in Tenda TX3 up to 16.03.13.11_multi. This impacts an unknown function of the file /goform/SetIpMacBind. The manipulation of the argument list leads to buffer overflow. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2137 | VDB-344772 | Tenda TX3 SetIpMacBind buffer overflow VDB-344772 | CTI Indicators (IOB, IOC, IOA) Submit #747239 | Tenda TX3 V16.03.13.11_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx3/fromSetIpMacBind.md#poc https://www.tenda.com.cn/ |
| Tenda–TX9 | A vulnerability was found in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2138 | VDB-344773 | Tenda TX9 SetStaticRouteCfg sub_42D03C buffer overflow VDB-344773 | CTI Indicators (IOB, IOC, IOA) Submit #747249 | Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/SetStaticRouteCfg.md#poc https://www.tenda.com.cn/ |
| Tenda–TX9 | A vulnerability was determined in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 8.8 | CVE-2026-2139 | VDB-344774 | Tenda TX9 fast_setting_wifi_set sub_432580 buffer overflow VDB-344774 | CTI Indicators (IOB, IOC, IOA) Submit #747250 | Tenda TX9 V22.03.02.10_multi Buffer Overflow https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/fast_setting_wifi_set.md#poc https://www.tenda.com.cn/ |
| Tenda–TX9 | A vulnerability was identified in Tenda TX9 up to 22.03.02.10_multi. Affected by this issue is the function sub_4223E0 of the file /goform/setMacFilterCfg. Such manipulation of the argument deviceList leads to buffer overflow. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2140 | VDB-344775 | Tenda TX9 setMacFilterCfg sub_4223E0 buffer overflow VDB-344775 | CTI Indicators (IOB, IOC, IOA) Submit #747251 | Tenda TX9 V22.03.02.10_multi Buffer Overflow Submit #749747 | Tenda TX9 V22.03.02.18 Stack-based Buffer Overflow (Duplicate) https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md https://github.com/MRAdera/IoT-Vuls/blob/main/tenda/tx9%20pro/setMacFilterCfg.md#poc https://www.tenda.com.cn/ |
| Microsoft–Azure Functions | Azure Function Information Disclosure Vulnerability | 2026-02-05 | 8.2 | CVE-2026-21532 | Azure Function Information Disclosure Vulnerability |
| Tenda–RX3 | A vulnerability was identified in Tenda RX3 16.03.13.11. Affected is an unknown function of the file /goform/fast_setting_wifi_set. Such manipulation of the argument ssid_5g leads to stack-based buffer overflow. The attack can be launched remotely. The exploit is publicly available and might be used. | 2026-02-08 | 8.8 | CVE-2026-2180 | VDB-344883 | Tenda RX3 fast_setting_wifi_set stack-based overflow VDB-344883 | CTI Indicators (IOB, IOC, IOA) Submit #749703 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/4 https://www.tenda.com.cn/ |
| Tenda–RX3 | A security flaw has been discovered in Tenda RX3 16.03.13.11. Affected by this vulnerability is an unknown functionality of the file /goform/openSchedWifi. Performing a manipulation of the argument schedStartTime/schedEndTime results in stack-based buffer overflow. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 8.8 | CVE-2026-2181 | VDB-344884 | Tenda RX3 openSchedWifi stack-based overflow VDB-344884 | CTI Indicators (IOB, IOC, IOA) Submit #749710 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/5 https://www.tenda.com.cn/ |
| Tenda–RX3 | A flaw has been found in Tenda RX3 16.03.13.11. This issue affects the function set_device_name of the file /goform/setBlackRule of the component MAC Filtering Configuration Endpoint. This manipulation of the argument devName/mac causes stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been published and may be used. | 2026-02-08 | 8.8 | CVE-2026-2185 | VDB-344888 | Tenda RX3 MAC Filtering Configuration Endpoint setBlackRule set_device_name stack-based overflow VDB-344888 | CTI Indicators (IOB, IOC, IOA) Submit #749715 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/6 https://www.tenda.com.cn/ |
| Tenda–RX3 | A vulnerability has been found in Tenda RX3 16.03.13.11. Impacted is the function fromSetIpMacBind of the file /goform/SetIpMacBind. Such manipulation of the argument list leads to stack-based buffer overflow. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 8.8 | CVE-2026-2186 | VDB-344889 | Tenda RX3 SetIpMacBind fromSetIpMacBind stack-based overflow VDB-344889 | CTI Indicators (IOB, IOC, IOA) Submit #749718 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/7 https://www.tenda.com.cn/ |
| Tenda–RX3 | A vulnerability was found in Tenda RX3 16.03.13.11. The affected element is the function set_qosMib_list of the file /goform/formSetQosBand. Performing a manipulation of the argument list results in stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-08 | 8.8 | CVE-2026-2187 | VDB-344890 | Tenda RX3 formSetQosBand set_qosMib_list stack-based overflow VDB-344890 | CTI Indicators (IOB, IOC, IOA) Submit #749721 | Tenda RX3 V16.03.13.11 Stack-based Buffer Overflow https://github.com/LX-66-LX/cve-new/issues/8 https://www.tenda.com.cn/ |
| Significant-Gravitas–AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.46, the AutoGPT platform’s Stagehand integration blocks log API keys and authentication secrets in plaintext using logger.info() statements. This occurs in three separate block implementations (StagehandObserveBlock, StagehandActBlock, and StagehandExtractBlock) where the code explicitly calls api_key.get_secret_value() and logs the result. This issue has been patched in autogpt-platform-beta-v0.6.46. | 2026-02-04 | 8.1 | CVE-2026-22038 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-rc89-6g7g-v5v7 https://github.com/Significant-Gravitas/AutoGPT/commit/1eabc604842fa876c09d69af43d2d1e8fb9b8eb9 |
| opencloud-eu–reva | REVA is an interoperability platform. Prior to 2.42.3 and 2.40.3, a bug in the GRPC authorization middleware of the “Reva” component of OpenCloud allows a malicious user to bypass the scope verification of a public link. By exploiting this via the the “archiver” service this can be leveraged to create an archive (zip or tar-file) containing all resources that this creator of the public link has access to. This vulnerability is fixed in 2.42.3 and 2.40.3. | 2026-02-06 | 8.2 | CVE-2026-23989 | https://github.com/opencloud-eu/reva/security/advisories/GHSA-9j2f-3rj3-wgpg https://github.com/opencloud-eu/reva/commit/95aa2bc5d980eaf6cc134d75782b4f5ac7b36ae1 |
| NeoRazorX–facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. In 2025.71 and earlier, a Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Observations field. The flaw occurs in the History view, where historical data is rendered without proper HTML entity encoding. This allows an attacker to execute arbitrary JavaScript in the browser of viewing the history by administrators. | 2026-02-02 | 8 | CVE-2026-23997 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-4v7v-7v7r-3r5h |
| Microsoft–Azure ARC | Azure Arc Elevation of Privilege Vulnerability | 2026-02-05 | 8.6 | CVE-2026-24302 | Azure Arc Elevation of Privilege Vulnerability |
| Kubernetes–ingress-nginx | A security issue was discovered in ingress-nginx cthe `rules.http.paths.path` Ingress field can be used to inject configuration into nginx. This can lead to arbitrary code execution in the context of the ingress-nginx controller, and disclosure of Secrets accessible to the controller. (Note that in the default installation, the controller can access all Secrets cluster-wide.) | 2026-02-03 | 8.8 | CVE-2026-24512 | https://github.com/kubernetes/kubernetes/issues/136678 |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into uploaded assignment files, which is executed when instructors view the submission. This issue has been patched in version 4.2. | 2026-02-03 | 8.7 | CVE-2026-24665 | https://github.com/gunet/openeclass/security/advisories/GHSA-2qgm-m7fm-m888 |
| parallax–jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of properties and methods of the Acroform module allows users to inject arbitrary PDF objects, such as JavaScript actions. If given the possibility to pass unsanitized input to one of the following methods or properties, a user can inject arbitrary PDF objects, such as JavaScript actions, which are executed when the victim opens the document. The vulnerable API members are AcroformChoiceField.addOption, AcroformChoiceField.setOptions, AcroFormCheckBox.appearanceState, and AcroFormRadioButton.appearanceState. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | 8.1 | CVE-2026-24737 | https://github.com/parallax/jsPDF/security/advisories/GHSA-pqxr-3g65-p328 https://github.com/parallax/jsPDF/commit/da291a5f01b96282545c9391996702cdb8879f79 https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| clawdbot–clawdbot | OpenClaw (formerly Clawdbot) is a personal AI assistant you run on your own devices. Prior to 2026.1.29, a command injection vulnerability existed in OpenClaw’s Docker sandbox execution mechanism due to unsafe handling of the PATH environment variable when constructing shell commands. An authenticated user able to control environment variables could influence command execution within the container context. This vulnerability is fixed in 2026.1.29. | 2026-02-02 | 8.8 | CVE-2026-24763 | https://github.com/openclaw/openclaw/security/advisories/GHSA-mc68-q9jw-2h3v https://github.com/openclaw/openclaw/commit/771f23d36b95ec2204cc9a0054045f5d8439ea75 https://github.com/openclaw/openclaw/releases/tag/v2026.1.29 |
| chainguard-dev–melange | melange allows users to build apk packages using declarative pipelines. In version 0.11.3 to before 0.40.3, an attacker who can influence the tar stream from a QEMU guest VM could write files outside the intended workspace directory on the host. The retrieveWorkspace function extracts tar entries without validating that paths stay within the workspace, allowing path traversal via ../ sequences. This issue has been patched in version 0.40.3. | 2026-02-04 | 8.2 | CVE-2026-24843 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-qxx2-7h4c-83f4 https://github.com/chainguard-dev/melange/commit/6e243d0d46699f837d7c392397a694d2bcc7612b |
| node-modules–compressing | Compressing is a compressing and uncompressing lib for node. In version 2.0.0 and 1.10.3 and prior, Compressing extracts TAR archives while restoring symbolic links without validating their targets. By embedding symlinks that resolve outside the intended extraction directory, an attacker can cause subsequent file entries to be written to arbitrary locations on the host file system. Depending on the extractor’s handling of existing files, this behavior may allow overwriting sensitive files or creating new files in security-critical locations. This issue has been patched in versions 1.10.4 and 2.0.1. | 2026-02-04 | 8.4 | CVE-2026-24884 | https://github.com/node-modules/compressing/security/advisories/GHSA-cc8f-xg8v-72m3 https://github.com/node-modules/compressing/commit/8d16c196c7f1888fc1af957d9ff36117247cea6c https://github.com/node-modules/compressing/commit/ce1c0131c401c071c77d5a1425bf8c88cfc16361 |
| Huawei–HarmonyOS | Out-of-bounds write vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24926 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei–HarmonyOS | UAF concurrency vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 8.4 | CVE-2026-24930 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| OpenListTeam–OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, the application contains path traversal vulnerability in multiple file operation handlers in server/handles/fsmanage.go. Filename components in req.Names are directly concatenated with validated directories using stdpath.Join. This allows “..” sequences to bypass path restrictions, enabling users to access other users’ files within the same storage mount and perform unauthorized actions such as deletion, renaming, or copying of files. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal and copying across user boundaries within the same storage mount. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.8 | CVE-2026-25059 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-qmj2-8r24-xxcq https://github.com/OpenListTeam/OpenList/commit/7b78fed106382430c69ef351d43f5d09928fff14 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| OpenListTeam–OpenList | OpenList Frontend is a UI component for OpenList. Prior to 4.1.10, certificate verification is disabled by default for all storage driver communications. The TlsInsecureSkipVerify setting is default to true in the DefaultConfig() function in internal/conf/config.go. This vulnerability enables Man-in-the-Middle (MitM) attacks by disabling TLS certificate verification, allowing attackers to intercept and manipulate all storage communications. Attackers can exploit this through network-level attacks like ARP spoofing, rogue Wi-Fi access points, or compromised internal network equipment to redirect traffic to malicious endpoints. Since certificate validation is skipped, the system will unknowingly establish encrypted connections with attacker-controlled servers, enabling full decryption, data theft, and manipulation of all storage operations without triggering any security warnings. This vulnerability is fixed in 4.1.10. | 2026-02-02 | 8.1 | CVE-2026-25060 | https://github.com/OpenListTeam/OpenList/security/advisories/GHSA-wf93-3ghh-h389 https://github.com/OpenListTeam/OpenList/commit/e3c664f81d0584fbbdb86ffe6644be16259371c1 https://github.com/OpenListTeam/OpenList/releases/tag/v4.1.10 |
| AlistGo–alist | Alist is a file list program that supports multiple storages, powered by Gin and Solidjs. Prior to version 3.57.0, the application contains path traversal vulnerability in multiple file operation handlers. An authenticated attacker can bypass directory-level authorisation by injecting traversal sequences into filename components, enabling unauthorised file removal, movement and copying across user boundaries within the same storage mount. This issue has been patched in version 3.57.0. | 2026-02-04 | 8.8 | CVE-2026-25161 | https://github.com/AlistGo/alist/security/advisories/GHSA-x4q4-7phh-42j9 https://github.com/AlistGo/alist/commit/b188288525b9a35c76535139311e7c036dab057e |
| Samsung Electronics–MagicINFO 9 Server | An unauthenticated user can upload arbitrary files to execute remote code, leading to privilege escalation in MagicInfo9 Server. This issue affects MagicINFO 9 Server: less than 21.1090.1. | 2026-02-02 | 8.8 | CVE-2026-25201 | https://security.samsungtv.com/securityUpdates |
| OpenSlides–OpenSlides | OpenSlides is a free, web based presentation and assembly system for managing and projecting agenda, motions and elections of an assembly. Prior to version 4.2.29, OpenSlides supports local logins with username and password or an optionally configurable single sign on with SAML via an external IDP. For users synced to OpenSlides via an external IDP, there is an incorrect access control regarding the local login of these users. Users can successfully login using the local login form and the OpenSlides username of a SAML user and a trivial password. This password is valid for all SAML users. This issue has been patched in version 4.2.29. | 2026-02-04 | 8.1 | CVE-2026-25519 | https://github.com/OpenSlides/OpenSlides/security/advisories/GHSA-vv4h-8wfc-pf8c https://github.com/OpenSlides/openslides-auth-service/pull/889 https://github.com/OpenSlides/openslides-auth-service/commit/70c1aa9f5e1db59ec120ecce98d1c1169350a4ee https://github.com/OpenSlides/OpenSlides/releases/tag/4.2.29 |
| pydantic–pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 0.0.26 to before 1.56.0, aServer-Side Request Forgery (SSRF) vulnerability exists in Pydantic AI’s URL download functionality. When applications accept message history from untrusted sources, attackers can include malicious URLs that cause the server to make HTTP requests to internal network resources, potentially accessing internal services or cloud credentials. This vulnerability only affects applications that accept message history from external users. This vulnerability is fixed in 1.56.0. | 2026-02-06 | 8.6 | CVE-2026-25580 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-2jrp-274c-jhv3 https://github.com/pydantic/pydantic-ai/commit/d398bc9d39aecca6530fa7486a410d5cce936301 |
| openclaw–openclaw | OpenClaw is a personal AI assistant. Prior to 2026.1.20, an unauthenticated local client could use the Gateway WebSocket API to write config via config.apply and set unsafe cliPath values that were later used for command discovery, enabling command injection as the gateway user. This vulnerability is fixed in 2026.1.20. | 2026-02-06 | 8.4 | CVE-2026-25593 | https://github.com/openclaw/openclaw/security/advisories/GHSA-g55j-c2v4-pjcg |
| qdrant–qdrant | Qdrant is a vector similarity search engine and vector database. From 1.9.3 to before 1.16.0, it is possible to append to arbitrary files via /logger endpoint using an attacker-controlled on_disk.log_file path. Minimal privileges are required (read-only access). This vulnerability is fixed in 1.16.0. | 2026-02-06 | 8.6 | CVE-2026-25628 | https://github.com/qdrant/qdrant/security/advisories/GHSA-f632-vm87-2m2f https://github.com/qdrant/qdrant/commit/32b7fdfb7f542624ecd1f7c8d3e2b13c4e36a2c1 https://github.com/qdrant/qdrant/blob/48203e414e4e7f639a6d394fb6e4df695f808e51/src/actix/api/service_api.rs#L195 |
| kovidgoyal–calibre | calibre is an e-book manager. Prior to 9.2.0, Calibre’s CHM reader contains a path traversal vulnerability that allows arbitrary file writes anywhere the user has write permissions. On Windows (haven’t tested on other OS’s), this can lead to Remote Code Execution by writing a payload to the Startup folder, which executes on next login. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.6 | CVE-2026-25635 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-32vh-whvh-9fxr https://github.com/kovidgoyal/calibre/commit/9739232fcb029ac15dfe52ccd4fdb4a07ebb6ce9 |
| kovidgoyal–calibre | calibre is an e-book manager. In 9.1.0 and earlier, a path traversal vulnerability in Calibre’s EPUB conversion allows a malicious EPUB file to corrupt arbitrary existing files writable by the Calibre process. During conversion, Calibre resolves CipherReference URI from META-INF/encryption.xml to an absolute filesystem path and opens it in read-write mode, even when it points outside the conversion extraction directory. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 8.2 | CVE-2026-25636 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-8r26-m7j5-hm29 https://github.com/kovidgoyal/calibre/commit/9484ea82c6ab226c18e6ca5aa000fa16de598726 |
| Anydesk–AnyDesk | AnyDesk 5.4.0 contains an unquoted service path vulnerability in its Windows service configuration that allows local attackers to potentially inject malicious executables. Attackers can exploit the unquoted binary path to place malicious files in service executable locations, potentially gaining elevated system privileges. | 2026-02-03 | 7.8 | CVE-2019-25261 | ExploitDB-47883 Official Vendor Homepage VulnCheck Advisory: AnyDesk 5.4.0 – Unquoted Service Path |
| Wondershare–Wondershare Application Framework Service | Wondershare Application Framework Service 2.4.3.231 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted service path by placing malicious executables in specific directory locations to hijack the service’s execution context. | 2026-02-06 | 7.8 | CVE-2019-25266 | ExploitDB-47617 Vendor Homepage Software Product Page VulnCheck Advisory: Wondershare Application Framework Service 2.4.3.231 – ‘WsAppService’ Unquote Service Path |
| Wftpserver–Wing FTP Server | Wing FTP Server 6.0.7 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25267 | ExploitDB-47818 Wing FTP Server Official Homepage VulnCheck Advisory: Wing FTP Server 6.0.7 – Unquoted Service Path |
| Netgate–Amiti Antivirus | Amiti Antivirus 25.0.640 contains an unquoted service path vulnerability in its Windows service configurations. Attackers can exploit the unquoted path to inject and execute malicious code with elevated LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25269 | ExploitDB-47747 Vendor Homepage VulnCheck Advisory: Amiti Antivirus 25.0.640 – Unquoted Service Path Vulnerability |
| NETGATE–Data Backup | NETGATE Data Backup 3.0.620 contains an unquoted service path vulnerability in its NGDatBckpSrv Windows service configuration. Attackers can exploit the unquoted path to inject and execute malicious code with LocalSystem privileges by placing executable files in specific directory locations. | 2026-02-04 | 7.8 | CVE-2019-25271 | ExploitDB-47746 Vendor Homepage VulnCheck Advisory: NETGATE Data Backup 3.0.620 – ‘NGDatBckpSrv’ Unquoted Service Path |
| Tenaxsoft–TexasSoft CyberPlanet | TexasSoft CyberPlanet 6.4.131 contains an unquoted service path vulnerability in the CCSrvProxy service that allows local attackers to execute arbitrary code. Attackers can exploit the unquoted path in ‘C:Program Files (x86)TenaxSoftCyberPlanetSrvProxy.exe’ to inject malicious executables and gain elevated system privileges. | 2026-02-04 | 7.8 | CVE-2019-25272 | ExploitDB-47724 Vendor Homepage VulnCheck Advisory: TexasSoft CyberPlanet 6.4.131 – ‘CCSrvProxy’ Unquoted Service Path |
| Easy-Hide-Ip–IP | Easy-Hide-IP 5.0.0.3 contains an unquoted service path vulnerability in the EasyRedirect service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:Program FilesEasy-Hide-IPrdrEasyRedirect.exe’ to inject malicious executables and escalate privileges. | 2026-02-04 | 7.8 | CVE-2019-25273 | ExploitDB-47712 Vendor Homepage VulnCheck Advisory: Easy-Hide-IP 5.0.0.3 – ‘EasyRedirect’ Unquoted Service Path |
| Photodex–ProShow Producer | ProShow Producer 9.0.3797 contains an unquoted service path vulnerability in the ScsiAccess service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25274 | ExploitDB-47705 Vendor Homepage VulnCheck Advisory: ProShow Producer 9.0.3797 – Unquoted Service Path |
| FileHorse–BartVPN | BartVPN 1.2.2 contains an unquoted service path vulnerability in the BartVPNService that allows local attackers to potentially execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service’s execution context. | 2026-02-04 | 7.8 | CVE-2019-25275 | ExploitDB-47675 Vendor Homepage VulnCheck Advisory: BartVPN 1.2.2 – ‘BartVPNService’ Unquoted Service Path |
| Rockwellautomation–Studio | Studio 5000 Logix Designer 30.01.00 contains an unquoted service path vulnerability in the FactoryTalk Activation Service that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:Program Files (x86)Rockwell SoftwareFactoryTalk Activation to inject malicious code that would execute with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25276 | ExploitDB-47676 Rockwell Automation Homepage VulnCheck Advisory: Studio 5000 Logix Designer 30.01.00 – ‘FactoryTalk Activation Service’ Unquoted Service Path |
| ncp-e–NCP_Secure_Entry_Client | NCP Secure Entry Client 9.2 contains an unquoted service path vulnerability in multiple Windows services that allows local users to potentially execute arbitrary code. Attackers can exploit the unquoted paths in services like ncprwsnt, rwsrsu, ncpclcfg, and NcpSec to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25281 | ExploitDB-47668 NCP Software Vendor Homepage VulnCheck Advisory: NCP_Secure_Entry_Client 9.2 – Unquoted Service Paths |
| shrew–Shrew Soft VPN Client | Shrew Soft VPN Client 2.2.2 contains an unquoted service path vulnerability that allows local users to execute arbitrary code with elevated system privileges. Attackers can place malicious executables in the unquoted service path to gain elevated access during service startup or system reboot. | 2026-02-04 | 7.8 | CVE-2019-25283 | ExploitDB-47660 Vendor Homepage VulnCheck Advisory: Shrew Soft VPN Client 2.2.2 – ‘iked’ Unquoted Service Path |
| Alps–device Controller | Alps Pointing-device Controller 8.1202.1711.04 contains an unquoted service path vulnerability in the ApHidMonitorService that allows local attackers to execute code with elevated privileges. Attackers can place a malicious executable in the service path and gain system-level access when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25285 | ExploitDB-47637 Official Alps Homepage VulnCheck Advisory: Alps Pointing-device Controller 8.1202.1711.04 – ‘ApHidMonitorService’ Unquoted Service Path |
| Gcafe–_GCaf | GCafé 3.0 contains an unquoted service path vulnerability in the gbClientService that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be run with LocalSystem permissions. | 2026-02-04 | 7.8 | CVE-2019-25286 | ExploitDB-47604 GCafé Official Vendor Homepage VulnCheck Advisory: _GCafé 3.0 – ‘gbClienService’ Unquoted Service Path |
| Webcompanion–Adaware Web Companion version | Adaware Web Companion version 4.8.2078.3950 contains an unquoted service path vulnerability in the WCAssistantService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:Program Files (x86)LavasoftWeb CompanionApplication to inject malicious code that would execute with LocalSystem privileges during service startup. | 2026-02-04 | 7.8 | CVE-2019-25287 | ExploitDB-47597 Adaware Web Companion Official Website VulnCheck Advisory: Adaware Web Companion version 4.8.2078.3950 – ‘WCAssistantService’ Unquoted Service Path |
| Wacom–Wacom WTabletService | Wacom WTabletService 6.6.7-3 contains an unquoted service path vulnerability that allows local attackers to execute malicious code with elevated privileges. Attackers can insert an executable file in the service path to run unauthorized code when the service restarts or the system reboots. | 2026-02-04 | 7.8 | CVE-2019-25288 | ExploitDB-47593 Wacom Official Homepage VulnCheck Advisory: Wacom WTabletService 6.6.7-3 – ‘WTabletServicePro’ Unquoted Service Path |
| Alps–Alps HID Monitor Service | Alps HID Monitor Service 8.1.0.10 contains an unquoted service path vulnerability that allows local attackers to potentially execute arbitrary code with elevated privileges. Attackers can exploit the unquoted path in C:Program FilesApoint2KHidMonitorSvc.exe to inject malicious executables and gain system-level access. | 2026-02-06 | 7.8 | CVE-2019-25292 | ExploitDB-47605 Official Product Homepage VulnCheck Advisory: Alps HID Monitor Service 8.1.0.10 – ‘ApHidMonitorService’ Unquote Service Path |
| bluestacks–Blue Stacks App Player | BlueStacks App Player 2.4.44.62.57 contains an unquoted service path vulnerability in the BstHdLogRotatorSvc service that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in C:Program Files (x86)BluestacksHD-LogRotatorService.exe to inject malicious executables and escalate privileges. | 2026-02-06 | 7.8 | CVE-2019-25293 | ExploitDB-47582 Official Product Homepage VulnCheck Advisory: Blue Stacks App Player 2.4.44.62.57 – “BstHdLogRotatorSvc” Unquote Service Path |
| lolypop55–html5_snmp | html5_snmp 1.11 contains multiple SQL injection vulnerabilities that allow attackers to manipulate database queries through Router_ID and Router_IP parameters. Attackers can exploit error-based, time-based, and union-based injection techniques to potentially extract or modify database information by sending crafted payloads. | 2026-02-06 | 7.1 | CVE-2019-25298 | ExploitDB-47588 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 – ‘Router_ID’ SQL Injection |
| rimbalinux–AhadPOS | RimbaLinux AhadPOS 1.11 contains a SQL injection vulnerability in the ‘alamatCustomer’ parameter that allows attackers to manipulate database queries through crafted POST requests. Attackers can exploit time-based and boolean-based blind SQL injection techniques to extract information or potentially interact with the underlying database. | 2026-02-06 | 7.1 | CVE-2019-25299 | ExploitDB-47585 Vendor Homepage VulnCheck Advisory: rimbalinux AhadPOS 1.11 – ‘alamatCustomer’ SQL Injection |
| thejshen–Globitek CMS | thejshen Globitek CMS 1.4 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the ‘id’ GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2019-25300 | ExploitDB-47581 Vendor Homepage VulnCheck Advisory: thejshen Globitek CMS 1.4 – ‘id’ SQL Injection |
| Acer–Launch Manager | Acer Launch Manager 6.1.7600.16385 contains an unquoted service path vulnerability in the DsiWMIService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:Program Files (x86)Launch Managerdsiwmis.exe to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25302 | ExploitDB-47577 Acer Official Website VulnCheck Advisory: Acer Launch Manager 6.1.7600.16385 – ‘DsiWMIService’ Unquoted Service Path |
| thejshen–contentManagementSystem | TheJshen ContentManagementSystem 1.04 contains a SQL injection vulnerability that allows attackers to manipulate database queries through the ‘id’ GET parameter. Attackers can exploit boolean-based, time-based, and UNION-based SQL injection techniques to extract or manipulate database information by crafting malicious query payloads. | 2026-02-06 | 7.1 | CVE-2019-25303 | ExploitDB-47569 Vendor Homepage VulnCheck Advisory: TheJshen contentManagementSystem 1.04 – ‘id’ SQL Injection |
| Issivs–Intelligent Security System SecurOS Enterprise | SecurOS Enterprise 10.2 contains an unquoted service path vulnerability in the SecurosCtrlService that allows local users to potentially execute code with elevated privileges. Attackers can exploit the unquoted path in C:Program Files (x86)ISSSecurOS to insert malicious code that would execute with system-level permissions during service startup. | 2026-02-06 | 7.8 | CVE-2019-25304 | ExploitDB-47556 Vendor Product Homepage Company Website VulnCheck Advisory: Intelligent Security System SecurOS Enterprise 10.2 – ‘SecurosCtrlService’ Unquoted Service Path |
| Inforprograma–JumpStart | JumpStart 0.6.0.0 contains an unquoted service path vulnerability in the jswpbapi service running with LocalSystem privileges. Attackers can exploit the unquoted path containing spaces to inject and execute malicious code with elevated system permissions. | 2026-02-06 | 7.8 | CVE-2019-25305 | ExploitDB-47549 Official Product Homepage VulnCheck Advisory: JumpStart 0.6.0.0 – ‘jswpbapi’ Unquoted Service Path |
| VictorAlagwu–CMSsite | Victor CMS 1.0 contains a stored cross-site scripting vulnerability in the ‘comment_author’ POST parameter that allows attackers to inject malicious scripts. Attackers can submit crafted JavaScript payloads through the comment submission form to execute arbitrary code in victim browsers. | 2026-02-03 | 7.2 | CVE-2020-37072 | ExploitDB-48484 Victor CMS Project Repository VulnCheck Advisory: Victor CMS 1.0 – ‘comment_author’ Persistent Cross-Site Scripting |
| Fishing Reservation System–Fishing Reservation System | Fishing Reservation System 7.5 contains multiple remote SQL injection vulnerabilities in admin.php, cart.php, and calendar.php that allow attackers to inject malicious SQL commands. Attackers can exploit vulnerable parameters like uid, pid, type, m, y, and code to compromise the database management system and web application without user interaction. | 2026-02-03 | 7.1 | CVE-2020-37081 | ExploitDB-48417 Vulnerability-Lab Researcher Disclosure Fishing Reservation System Homepage VulnCheck Advisory: Fishing Reservation System 7.5 – ‘uid’ SQL Injection |
| SunnySideSoft–VirtualTablet Server | VirtualTablet Server 3.0.2 contains a denial of service vulnerability that allows attackers to crash the service by sending oversized string payloads through the Thrift protocol. Attackers can exploit the vulnerability by sending a long string to the send_say() method, causing the server to become unresponsive. | 2026-02-03 | 7.5 | CVE-2020-37085 | ExploitDB-48402 Official Product Homepage VulnCheck Advisory: VirtualTablet Server 3.0.2 – Denial of Service (PoC) |
| Arox–School ERP Pro | School ERP Pro 1.0 contains a file disclosure vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the ‘document’ parameter in download.php. Attackers can access sensitive configuration files by supplying directory traversal paths to retrieve system credentials and configuration information. | 2026-02-03 | 7.5 | CVE-2020-37088 | ExploitDB-48394 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 – Arbitrary File Read |
| Netis Systems Co., Ltd.–Netis E1+ | Netis E1+ version 1.2.32533 contains a hardcoded root account vulnerability that allows unauthenticated attackers to access the device with predefined credentials. Attackers can leverage the embedded root account with a crackable password to gain full administrative access to the network device. | 2026-02-03 | 7.5 | CVE-2020-37092 | ExploitDB-48382 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 – Backdoor Account (root) |
| Netis Systems Co., Ltd.–Netis E1+ | Netis E1+ 1.2.32533 contains an information disclosure vulnerability that allows unauthenticated attackers to retrieve WiFi passwords through the netcore_get.cgi endpoint. Attackers can send a GET request to the endpoint to extract sensitive network credentials including SSID and WiFi passwords in plain text. | 2026-02-03 | 7.5 | CVE-2020-37093 | ExploitDB-48384 Netis Systems Official Homepage VulnCheck Advisory: Netis E1+ 1.2.32533 – Unauthenticated WiFi Password Leak |
| EDIMAX Technology Co., Ltd.–EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains an information disclosure vulnerability that exposes WiFi network configuration details through the wlencrypt_wiz.asp file. Attackers can access the script to retrieve sensitive information including WiFi network name and plaintext password stored in device configuration variables. | 2026-02-03 | 7.5 | CVE-2020-37097 | ExploitDB-48365 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn 1.13 – Information Disclosure (WiFi Password) |
| DiskSorter–Disk Sorter Enterprise | Disk Sorter Enterprise 12.4.16 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted path in the service configuration to inject malicious executables that will be launched with LocalSystem permissions. | 2026-02-03 | 7.8 | CVE-2020-37098 | ExploitDB-48048 Vendor Homepage VulnCheck Advisory: Disk Sorter Enterprise 12.4.16 – Unquoted Service Path |
| DiskSavvy–Disk Savvy Enterprise | Disk Savvy Enterprise 12.3.18 contains an unquoted service path vulnerability in its service configuration that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted path in ‘C:Program FilesDisk Savvy Enterprisebindisksvs.exe’ to inject malicious executables and escalate privileges. | 2026-02-03 | 7.8 | CVE-2020-37099 | ExploitDB-48049 Vendor Homepage VulnCheck Advisory: Disk Savvy Enterprise 12.3.18 – ‘disksvs.exe’ Unquoted Service Path |
| SyncBreeze–Sync Breeze Enterprise | Sync Breeze Enterprise 12.4.18 contains an unquoted service path vulnerability that allows local attackers to execute arbitrary code with elevated system privileges. Attackers can exploit the unquoted binary path by placing malicious executables in specific file system locations to hijack the service startup process. | 2026-02-03 | 7.8 | CVE-2020-37100 | ExploitDB-48045 Vendor Homepage VulnCheck Advisory: Sync Breeze Enterprise 12.4.18 – Unquoted Service Path |
| Vpnunlimitedapp–VPN unlimited | VPN Unlimited 6.1 contains an unquoted service path vulnerability that allows local attackers to inject malicious executables into the service binary path. Attackers can exploit the unquoted path in ‘C:Program Files (x86)VPN Unlimited’ to replace the service executable and gain elevated system privileges. | 2026-02-03 | 7.8 | CVE-2020-37101 | ExploitDB-47916 VPN Unlimited Official Homepage VulnCheck Advisory: VPN unlimited 6.1 – Unquoted Service Path |
| Lavasoft–Web Companion | Adaware Web Companion 4.9.2159 contains an unquoted service path vulnerability in the WCAssistantService that allows local attackers to potentially execute arbitrary code. Attackers can exploit the unquoted binary path to inject malicious executables that will be run with LocalSystem privileges during service startup. | 2026-02-03 | 7.8 | CVE-2020-37102 | ExploitDB-47852 Vendor Homepage Software Download Link VulnCheck Advisory: Adaware Web Companion 4.9.2159 – ‘WCAssistantService’ Unquoted Service Path |
| redmine–PMB | PMB 5.6 contains a SQL injection vulnerability in the administration download script that allows authenticated attackers to execute arbitrary SQL commands through the ‘logid’ parameter. Attackers can leverage this vulnerability by sending crafted requests to the /admin/sauvegarde/download.php endpoint with manipulated logid values to interact with the database. | 2026-02-03 | 7.1 | CVE-2020-37105 | ExploitDB-48356 Vendor Homepage Software Download Repository VulnCheck Advisory: PMB 5.6 – ‘logid’ SQL Injection |
| Core FTP–Core FTP LE | Core FTP LE 2.2 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the account field with a large buffer. Attackers can create a text file with 20,000 repeated characters and paste it into the account field to cause the application to become unresponsive and require reinstallation. | 2026-02-06 | 7.5 | CVE-2020-37107 | ExploitDB-48137 Core FTP Vendor Homepage Core FTP Download Page VulnCheck Advisory: Core FTP LE 2.2 – Denial of Service |
| AllHandsMarketing–PhpIX 2012 Professional | PhpIX 2012 Professional contains a SQL injection vulnerability in the ‘id’ parameter of product_detail.php that allows remote attackers to manipulate database queries. Attackers can inject malicious SQL code through the ‘id’ parameter to potentially extract or modify database information. | 2026-02-03 | 7.1 | CVE-2020-37108 | ExploitDB-48138 Vendor Homepage Demonstration Website VulnCheck Advisory: PhpIX 2012 Professional – ‘id’ SQL Injection |
| asc Applied Software Consultants–aSc TimeTables | aSc TimeTables 2020.11.4 contains a denial of service vulnerability that allows attackers to crash the application by overwriting the Subject title field with a large buffer. Attackers can generate a 1000-character buffer and paste it into the Subject title to trigger an application crash and potential instability. | 2026-02-06 | 7.5 | CVE-2020-37109 | ExploitDB-48133 Vendor Homepage VulnCheck Advisory: aSc TimeTables 2020.11.4 – Denial of Service |
| Openeclass–GUnet OpenEclass | GUnet OpenEclass 1.7.3 contains multiple SQL injection vulnerabilities that allow authenticated attackers to manipulate database queries through unvalidated parameters. Attackers can exploit the ‘month’ parameter in the agenda module and other endpoints to extract sensitive database information using error-based or time-based injection techniques. | 2026-02-03 | 7.1 | CVE-2020-37112 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform – ‘month’ SQL Injection |
| Nsauditor–FTP Password Recover | SpotFTP-FTP Password Recover 2.4.8 contains a denial of service vulnerability that allows attackers to crash the application by generating a large buffer overflow. Attackers can create a text file with 1000 ‘Z’ characters and input it as a registration code to trigger the application crash. | 2026-02-06 | 7.5 | CVE-2020-37122 | ExploitDB-48132 Vendor Homepage Software Download Page VulnCheck Advisory: SpotFTP-FTP Password Recover 2.4.8 – Denial of Service |
| Nsauditor–Nsauditor | Nsauditor 3.2.0.0 contains a denial of service vulnerability in the registration name input field that allows attackers to crash the application. Attackers can create a malicious payload of 1000 bytes of repeated characters to trigger an application crash when pasted into the registration name field. | 2026-02-05 | 7.5 | CVE-2020-37130 | ExploitDB-48286 Vendor Homepage VulnCheck Advisory: Nsauditor 3.2.0.0 – ‘Name’ Denial of Service |
| UltraVNC Team–UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in the Repeater Host configuration field that allows attackers to crash the application. Attackers can paste an overly long string of 300 characters into the Repeater Host property to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37133 | ExploitDB-48288 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 – ‘RepeaterHost’ Denial of Service |
| UltraVNC Team–UltraVNC Viewer | UltraVNC Viewer 1.2.4.0 contains a denial of service vulnerability that allows attackers to crash the application by manipulating VNC Server input. Attackers can generate a malformed 256-byte payload and paste it into the VNC Server connection dialog to trigger an application crash. | 2026-02-05 | 7.5 | CVE-2020-37134 | ExploitDB-48291 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Viewer 1.2.4.0 – ‘VNCServer’ Denial of Service |
| Amssplus–AMSS++ | AMSS++ 4.7 contains an authentication bypass vulnerability that allows attackers to access administrative accounts using hardcoded credentials. Attackers can log in with the default admin username and password ‘1234’ to gain unauthorized administrative access to the system. | 2026-02-06 | 7.5 | CVE-2020-37135 | ExploitDB-48114 VulnCheck Advisory: AMSS++ 4.7 – Backdoor Admin Account |
| EmTec–ZOC Terminal | ZOC Terminal 7.25.5 contains a denial of service vulnerability in the private key file input field that allows attackers to crash the application. Attackers can overwrite the private key file input with a 2000-byte buffer, causing the application to become unresponsive when attempting to create SSH key files. | 2026-02-05 | 7.5 | CVE-2020-37136 | ExploitDB-48292 Vendor Homepage VulnCheck Advisory: ZOC Terminal v7.25.5 – ‘Private key file’ Denial of Service |
| GE Intelligent Platforms, Inc.–ProficySCADA for iOS | ProficySCADA for iOS 5.0.25920 contains a denial of service vulnerability that allows attackers to crash the application by manipulating the password input field. Attackers can overwrite the password field with 257 bytes of repeated characters to trigger an application crash and prevent successful authentication. | 2026-02-05 | 7.5 | CVE-2020-37143 | ExploitDB-48236 Archived App Software VulnCheck Advisory: ProficySCADA for iOS 5.0.25920 – ‘Password’ Denial of Service |
| ACE SECURITY–Aptina AR0130 960P 1.3MP Camera | ACE Security WiP-90113 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive configuration files. Attackers can access the camera’s configuration backup by sending a GET request to the /config_backup.bin endpoint, exposing credentials and system settings. | 2026-02-06 | 7.5 | CVE-2020-37146 | ExploitDB-48127 Vendor Homepage Product Support Page VulnCheck Advisory: Aptina AR0130 960P 1.3MP Camera – Remote Configuration Disclosure |
| Atutor–ATutor | ATutor 2.2.4 contains a SQL injection vulnerability in the admin user deletion page that allows authenticated attackers to manipulate database queries through the ‘id’ parameter. Attackers can exploit the vulnerability by injecting malicious SQL code into the ‘id’ parameter of the admin_delete.php script to potentially extract or modify database information. | 2026-02-06 | 7.1 | CVE-2020-37147 | ExploitDB-48117 ATutor Official Homepage VulnCheck Advisory: ATutor 2.2.4 – ‘id’ SQL Injection |
| EDIMAX Technology–EW-7438RPn Mini | Edimax EW-7438RPn-v3 Mini 1.27 allows unauthenticated attackers to access the /wizard_reboot.asp page in unsetup mode, which discloses the Wi-Fi SSID and security key. Attackers can retrieve the wireless password by sending a GET request to this endpoint, exposing sensitive information without authentication. | 2026-02-05 | 7.5 | CVE-2020-37150 | ExploitDB-48318 Edimax EW-7438RPn Mini Product Page VulnCheck Advisory: Edimax Technology EW-7438RPn-v3 Mini 1.27 – Unauthorized Access: Wi-Fi Password Disclosure |
| Tripath Project–eLection | eLection 2.0 contains an authenticated SQL injection vulnerability in the candidate management endpoint that allows attackers to manipulate database queries through the ‘id’ parameter. Attackers can leverage SQLMap to exploit the vulnerability, potentially gaining remote code execution by uploading backdoor files to the web application directory. | 2026-02-06 | 7.1 | CVE-2020-37154 | ExploitDB-48122 eLection Project Vendor Homepage Researcher Exploit Disclosure VulnCheck Advisory: eLection 2.0 – ‘id’ SQL Injection |
| Core FTP–Core FTP Lite | Core FTP Lite 1.3 contains a buffer overflow vulnerability in the username input field that allows attackers to crash the application by supplying oversized input. Attackers can generate a 7000-byte payload of repeated ‘A’ characters to trigger an application crash without requiring additional interaction. | 2026-02-06 | 7.5 | CVE-2020-37155 | ExploitDB-48100 Core FTP Official Homepage VulnCheck Advisory: Core FTP Lite 1.3 – Denial of Service (PoC) |
| DBPower–DBPower C300 HD Camera | DBPower C300 HD Camera contains a configuration disclosure vulnerability that allows unauthenticated attackers to retrieve sensitive credentials through an unprotected configuration backup endpoint. Attackers can download the configuration file and extract hardcoded username and password by accessing the /tmpfs/config_backup.bin resource. | 2026-02-06 | 7.5 | CVE-2020-37157 | ExploitDB-48095 Archived Researcher Blog VulnCheck Advisory: DBPower C300 HD Camera – Remote Configuration Disclosure |
| Innomic–VibroLine Configurator 5.0 | A local attacker could cause a full device reset by resetting the device passwords using an invalid reset file via USB. | 2026-02-02 | 7.7 | CVE-2022-50976 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic–VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via HTTP. | 2026-02-02 | 7.5 | CVE-2022-50977 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic–VibroLine VLX1 HD 5.0 | An unauthenticated remote attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (TCP). | 2026-02-02 | 7.5 | CVE-2022-50978 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Talemy–Spirit Framework | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in Talemy Spirit Framework allows PHP Local File Inclusion. This issue affects Spirit Framework: from n/a through 1.2.13. | 2026-02-02 | 7.5 | CVE-2024-54263 | https://patchstack.com/database/wordpress/plugin/spirit-framework/vulnerability/wordpress-spirit-framework-plugin-1-2-13-local-file-inclusion-vulnerability?_s_id=cve |
| Zyxel–ATP series firmware | A post‑authentication command injection vulnerability in the Dynamic DNS (DDNS) configuration CLI command in Zyxel ATP series firmware versions from V5.35 through V5.41, USG FLEX series firmware versions from V5.35 through V5.41, USG FLEX 50(W) series firmware versions from V5.35 through V5.41, and USG20(W)-VPN series firmware versions from V5.35 through V5.41 could allow an authenticated attacker with administrator privileges to execute operating system (OS) commands on an affected device by supplying a specially crafted string as an argument to the CLI command. | 2026-02-05 | 7.2 | CVE-2025-11730 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-post-authentication-command-injection-vulnerability-in-the-ddns-configuration-cli-command-of-zld-firewalls-02-05-2026 |
| IBM–Business Automation Workflow containers | IBM Business Automation Workflow containers V25.0.0 through V25.0.0-IF007, V24.0.1 – V24.0.1-IF007, V24.0.0 – V24.0.0-IF007 and IBM Business Automation Workflow traditional V25.0.0, V24.0.1, V24.0.0 is vulnerable to an XML external entity injection (XXE) attack when processing XML data. A remote attacker could exploit this vulnerability to expose sensitive information or consume memory resources. | 2026-02-02 | 7.1 | CVE-2025-13096 | https://www.ibm.com/support/pages/node/7259321 |
| Mattermost–Mattermost Confluence Plugin | Mattermost Confluence plugin version <1.7.0 fails to properly escape user-controlled display names in HTML template rendering which allows authenticated Confluence users with malicious display names to execute arbitrary JavaScript in victim browsers via sending a specially crafted OAuth2 connection link that, when visited, renders the attacker’s display name without proper sanitization. Mattermost Advisory ID: MMSA-2025-00557 | 2026-02-06 | 7.7 | CVE-2025-13523 | MMSA-2025-00557 |
| IBM–WebSphere Application Server Liberty | IBM WebSphere Application Server Liberty 17.0.0.3 through 26.0.0.1 could allow a privileged user to upload a zip archive containing path traversal sequences resulting in an overwrite of files leading to arbitrary code execution. | 2026-02-02 | 7.6 | CVE-2025-14914 | https://www.ibm.com/support/pages/node/7258224 |
| infility–Infility Global | The Infility Global plugin for WordPress is vulnerable to unauthenticated SQL Injection via the ‘infility_get_data’ API action in all versions up to, and including, 2.14.46. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append – with certain server configurations – additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 7.5 | CVE-2025-15268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/648941b8-d1ab-4587-bd87-f23008ac9a00?source=cve https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/db.class.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/infility-global/trunk/infility_global.php?marks=626#L626 https://plugins.trac.wordpress.org/browser/infility-global/trunk/include/class/str.class.php?marks=21#L21 |
| lupsonline–SEO Flow by LupsOnline | The SEO Flow by LupsOnline plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the checkBlogAuthentication() and checkCategoryAuthentication() functions in all versions up to, and including, 2.2.1. These authorization functions only implement basic API key authentication but fail to implement WordPress capability checks. This makes it possible for unauthenticated attackers to create, modify, and delete blog posts and categories. | 2026-02-04 | 7.5 | CVE-2025-15285 | https://www.wordfence.com/threat-intel/vulnerabilities/id/526837cc-ed1d-4d3d-8f75-a2098445dd1d?source=cve https://plugins.trac.wordpress.org/browser/lupsonline-link-netwerk/tags/2.2.1/includes/class-linknetwerk-api.php?marks=83-99,101-117#L83 |
| Tanium–Tanium Appliance | Tanium addressed an unauthorized code execution vulnerability in Tanium Appliance. | 2026-02-05 | 7.8 | CVE-2025-15311 | TAN-2025-002 |
| n/a–Open5GS | A security flaw has been discovered in Open5GS up to 2.7.6. Affected by this vulnerability is the function hss_ogs_diam_cx_mar_cb of the file src/hss/hss-cx-path.c of the component VoLTE Cx-Test. The manipulation of the argument OGS_KEY_LEN results in stack-based buffer overflow. The attack may be launched remotely. The patch is identified as 54dda041211098730221d0ae20a2f9f9173e7a21. A patch should be applied to remediate this issue. | 2026-02-04 | 7.3 | CVE-2025-15555 | VDB-343795 | Open5GS VoLTE Cx-Test hss-cx-path.c hss_ogs_diam_cx_mar_cb stack-based overflow VDB-343795 | CTI Indicators (IOB, IOC, IOA) Submit #741901 | Open5GS v2.7.6 Buffer Over-read https://github.com/open5gs/open5gs/issues/4177 https://github.com/open5gs/open5gs/issues/4177#event-21256395700 https://github.com/open5gs/open5gs/commit/54dda041211098730221d0ae20a2f9f9173e7a21 https://github.com/open5gs/open5gs/ |
| Qualcomm, Inc.–Snapdragon | Memory Corruption when user space address is modified and passed to mem_free API, causing kernel memory to be freed inadvertently. | 2026-02-02 | 7.8 | CVE-2025-47358 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory Corruption when multiple threads simultaneously access a memory free API. | 2026-02-02 | 7.8 | CVE-2025-47359 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Cryptographic issue when a Trusted Zone with outdated code is triggered by a HLOS providing incorrect input. | 2026-02-02 | 7.1 | CVE-2025-47366 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory Corruption when initiating GPU memory mapping using scatter-gather lists due to unchecked IOMMU mapping errors. | 2026-02-02 | 7.8 | CVE-2025-47397 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory Corruption while deallocating graphics processing unit memory buffers due to improper handling of memory pointers. | 2026-02-02 | 7.8 | CVE-2025-47398 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory Corruption while processing IOCTL call to update sensor property settings with invalid input parameters. | 2026-02-02 | 7.8 | CVE-2025-47399 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| n8n-io–n8n | n8n is an open source workflow automation platform. From version 1.65.0 to before 1.114.3, the use of Buffer.allocUnsafe() and Buffer.allocUnsafeSlow() in the task runner allowed untrusted code to allocate uninitialized memory. Such uninitialized buffers could contain residual data from within the same Node.js process (for example, data from prior requests, tasks, secrets, or tokens), resulting in potential information disclosure. This issue has been patched in version 1.114.3. | 2026-02-04 | 7.7 | CVE-2025-61917 | https://github.com/n8n-io/n8n/security/advisories/GHSA-49mx-fj45-q3p6 https://github.com/n8n-io/n8n/commit/2c4c2953199733c791f739a40879ae31ca129aba |
| N/A–Moodle[.]org | A flaw was found in Moodle. This cross-site scripting (XSS) vulnerability, caused by improper sanitization of AI prompt responses, allows attackers to inject malicious HTML or script into web pages. When other users view these compromised pages, their sessions could be stolen, or the user interface could be manipulated. | 2026-02-03 | 7.3 | CVE-2025-67849 | https://access.redhat.com/security/cve/CVE-2025-67849 RHBZ#2423835 |
| N/A–Moodle[.]org | A flaw was found in moodle. This vulnerability, known as Cross-Site Scripting (XSS), occurs due to insufficient checks on user-provided data in the formula editor’s arithmetic expression fields. A remote attacker could inject malicious code into these fields. When other users view these expressions, the malicious code would execute in their web browsers, potentially compromising their data or leading to unauthorized actions. | 2026-02-03 | 7.3 | CVE-2025-67850 | https://access.redhat.com/security/cve/CVE-2025-67850 RHBZ#2423838 |
| N/A–Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a lack of proper rate limiting in the confirmation email service. This vulnerability allows attackers to more easily enumerate or guess user credentials, facilitating brute-force attacks against user accounts. | 2026-02-03 | 7.5 | CVE-2025-67853 | https://access.redhat.com/security/cve/CVE-2025-67853 RHBZ#2423847 |
| TriliumNext–Trilium | Trilium Notes is an open-source, cross-platform hierarchical note taking application with focus on building large personal knowledge bases. Prior to 0.101.0, a critical timing attack vulnerability in Trilium’s sync authentication endpoint allows unauthenticated remote attackers to recover HMAC authentication hashes byte-by-byte through statistical timing analysis. This enables complete authentication bypass without password knowledge, granting full read/write access to victim’s knowledge base. This vulnerability is fixed in 0.101.0. | 2026-02-06 | 7.4 | CVE-2025-68621 | https://github.com/TriliumNext/Trilium/security/advisories/GHSA-hxf6-58cx-qq3x https://github.com/TriliumNext/Trilium/pull/8129 |
| Ofisimo Web-Based Software Technologies–Association Web Package Flora | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Ofisimo Web-Based Software Technologies Association Web Package Flora allows XSS Through HTTP Headers. This issue affects Association Web Package Flora: from v3.0 through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-7760 | https://www.usom.gov.tr/bildirim/tr-26-0015 |
| Kod8 Software Technologies Trade Ltd. Co.–Kod8 Individual and SME Website | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Kod8 Software Technologies Trade Ltd. Co. Kod8 Individual and SME Website allows Reflected XSS. This issue affects Kod8 Individual and SME Website: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8456 | https://www.usom.gov.tr/bildirim/tr-26-0012 |
| Seres Software–syWEB | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Seres Software syWEB allows Reflected XSS. This issue affects syWEB: through 03022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.6 | CVE-2025-8461 | https://www.usom.gov.tr/bildirim/tr-26-0013 |
| AKCE Software Technology R&D Industry and Trade Inc.–SKSPro | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Reflected XSS. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.6 | CVE-2025-8589 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| AKCE Software Technology R&D Industry and Trade Inc.–SKSPro | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in AKCE Software Technology R&D Industry and Trade Inc. SKSPro allows Directory Indexing. This issue affects SKSPro: through 07012026. | 2026-02-03 | 7.5 | CVE-2025-8590 | https://www.usom.gov.tr/bildirim/tr-26-0011 |
| Autodesk–3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0536 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk–3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0537 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk–3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0538 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| latepoint–LatePoint Calendar Booking Plugin for Appointments and Events | The LatePoint – Calendar Booking Plugin for Appointments and Events plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the customer profile fields in all versions up to, and including, 5.2.5 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views the customer’s activity history. | 2026-02-03 | 7.2 | CVE-2026-0617 | https://www.wordfence.com/threat-intel/vulnerabilities/id/22bcfd36-ecf9-4d2c-ac94-94ffa0340c4c?source=cve https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/views/activities/view.php#L27 https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/controllers/activities_controller.php https://plugins.trac.wordpress.org/browser/latepoint/tags/5.2.5/lib/models/activity_model.php https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3449263%40latepoint%2Ftrunk&old=3408660%40latepoint%2Ftrunk&sfp_email=&sfph_mail= |
| Autodesk–USD for Arnold | A maliciously crafted USD file, when loaded or imported into Autodesk Arnold or Autodesk 3ds Max, can force an Out-of-Bounds Write vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0659 | https://www.autodesk.com/products/autodesk-access/overview https://github.com/Autodesk/arnold-usd https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0003 |
| Autodesk–3ds Max | A maliciously crafted GIF file, when parsed through Autodesk 3ds Max, can cause a Stack-Based Buffer Overflow vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0660 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk–3ds Max | A maliciously crafted RGB file, when parsed through Autodesk 3ds Max, can force a Memory Corruption vulnerability. A malicious actor can leverage this vulnerability to execute arbitrary code in the context of the current process. | 2026-02-04 | 7.8 | CVE-2026-0661 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| Autodesk–3ds Max | A maliciously crafted project directory, when opening a max file in Autodesk 3ds Max, could lead to execution of arbitrary code in the context of the current process due to an Untrusted Search Path being utilized. | 2026-02-04 | 7.8 | CVE-2026-0662 | https://www.autodesk.com/products/autodesk-access/overview https://www.autodesk.com/trust/security-advisories/adsk-sa-2026-0002 |
| 10web–Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker plugin for WordPress is vulnerable to Stored Cross-Site Scripting via hidden field values in all versions up to, and including, 1.15.35. This is due to insufficient output escaping when displaying hidden field values in the admin submissions list. The plugin uses html_entity_decode() on user-supplied hidden field values without subsequent escaping before output, which converts HTML entity-encoded payloads back into executable JavaScript. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in the admin submissions view that will execute whenever an administrator accesses the submissions list. | 2026-02-03 | 7.1 | CVE-2026-1058 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e0ec0027-2792-4069-b413-8fdd951f5fe7?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/admin/views/Submissions_fm.php#L759 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| 10web–Form Maker by 10Web Mobile-Friendly Drag & Drop Contact Form Builder | The Form Maker by 10Web plugin for WordPress is vulnerable to Stored Cross-Site Scripting in all versions up to, and including, 1.15.35. This is due to the plugin’s default file upload allowlist including SVG files combined with weak substring-based extension validation. This makes it possible for unauthenticated attackers to upload malicious SVG files containing JavaScript code that will execute when viewed by administrators or site visitors via file upload fields in forms granted they can submit forms. | 2026-02-03 | 7.2 | CVE-2026-1065 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8230d5f8-01d9-465a-8a43-e9852248bb3d?source=cve https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/js/add_field.js#L2364 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1744 https://plugins.trac.wordpress.org/browser/form-maker/tags/1.15.34/frontend/models/form_maker.php#L1855 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3447011%40form-maker%2Ftrunk&old=3440395%40form-maker%2Ftrunk&sfp_email=&sfph_mail= |
| bplugins–All In One Image Viewer Block Gutenberg block to create image viewer with hyperlink | The All In One Image Viewer Block plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 1.0.2 due to missing authorization and URL validation on the image-proxy REST API endpoint. This makes it possible for unauthenticated attackers to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. | 2026-02-05 | 7.2 | CVE-2026-1294 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7c3f7108-eb32-425a-a705-4f032e7da6b0?source=cve https://plugins.trac.wordpress.org/browser/image-viewer/tags/1.0.2/image-viewer-block.php#L10 https://plugins.trac.wordpress.org/changeset/3449642/image-viewer/tags/1.0.3/image-viewer-block.php?old=3405983&old_path=image-viewer%2Ftags%2F1.0.2%2Fimage-viewer-block.php |
| pgadmin.org–pgAdmin 4 | pgAdmin versions 9.11 are affected by a Restore restriction bypass via key disclosure vulnerability that occurs when running in server mode and performing restores from PLAIN-format dump files. An attacker with access to the pgAdmin web interface can observe an active restore operation, extract the `restrict` key in real time, and race the restore process by overwriting the restore script with a payload that re-enables meta-commands using `unrestrict <key>`. This results in reliable command execution on the pgAdmin host during the restore operation. | 2026-02-05 | 7.4 | CVE-2026-1707 | https://github.com/pgadmin-org/pgadmin4/issues/9518 |
| EFM–ipTIME A8004T | A vulnerability was found in EFM ipTIME A8004T 14.18.2. This impacts the function httpcon_check_session_url of the file /cgi/timepro.cgi of the component Hidden Hiddenloginsetup Interface. The manipulation results in improper authentication. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 7.3 | CVE-2026-1740 | VDB-343639 | EFM ipTIME A8004T Hidden Hiddenloginsetup timepro.cgi httpcon_check_session_url improper authentication VDB-343639 | CTI Indicators (IOB, IOC, IOA) Submit #741422 | IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary Password Reset https://github.com/LX-LX88/cve/issues/27 |
| AWS–SageMaker Python SDK | The Amazon SageMaker Python SDK before v3.2.0 and v2.256.0 includes the ModelBuilder HMAC signing key in the cleartext response elements of the DescribeTrainingJob function. A third party with permissions to both call this API and permissions to modify objects in the Training Jobs S3 output location may have the ability to upload arbitrary artifacts which are executed the next time the Training Job is invoked. | 2026-02-02 | 7.2 | CVE-2026-1777 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-rjrp-m2jw-pv9c https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.2.0 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Ziroom–ZHOME A0101 | A security flaw has been discovered in Ziroom ZHOME A0101 1.0.1.0. This issue affects the function macAddrClone of the file lucicontrollerapizrMacClone.lua. The manipulation of the argument macType results in command injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-03 | 7.3 | CVE-2026-1802 | VDB-343975 | Ziroom ZHOME A0101 zrMacClone.lua macAddrClone command injection VDB-343975 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741842 | https://sh.ziroom.com/ ZHOME A0101 Command Injection https://github.com/jinhao118/cve/blob/main/ziru_router_command_injection.md |
| itsourcecode–Student Management System | A vulnerability was found in itsourcecode Student Management System 1.0. The affected element is an unknown function of the file /ramonsys/enrollment/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2011 | VDB-344593 | itsourcecode Student Management System controller.php sql injection VDB-344593 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743498 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/1 https://itsourcecode.com/ |
| Cisco–Cisco RoomOS Software | A vulnerability in the text rendering subsystem of Cisco TelePresence Collaboration Endpoint (CE) Software and Cisco RoomOS Software could allow an unauthenticated, remote attacker to cause a denial of service (DoS) condition on an affected device. This vulnerability is due to insufficient validation of input received by an affected device. An attacker could exploit this vulnerability by getting the affected device to render crafted text, for example, a crafted meeting invitation. As indicated in the CVSS score, no user interaction is required, such as accepting the meeting invitation. A successful exploit could allow the attacker to cause the affected device to reload, resulting in a DoS condition. | 2026-02-04 | 7.5 | CVE-2026-20119 | cisco-sa-tce-roomos-dos-9V9jrC2q |
| itsourcecode–Student Management System | A vulnerability was determined in itsourcecode Student Management System 1.0. The impacted element is an unknown function of the file /ramonsys/facultyloading/index.php. This manipulation of the argument ID causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 7.3 | CVE-2026-2012 | VDB-344594 | itsourcecode Student Management System index.php sql injection VDB-344594 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743499 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/2 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A vulnerability was identified in itsourcecode Student Management System 1.0. This affects an unknown function of the file /ramonsys/soa/index.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit is publicly available and might be used. | 2026-02-06 | 7.3 | CVE-2026-2013 | VDB-344595 | itsourcecode Student Management System index.php sql injection VDB-344595 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743500 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/tianrenu/CVE-Discoveries/issues/3 https://itsourcecode.com/ |
| itsourcecode–Student Management System | A security flaw has been discovered in itsourcecode Student Management System 1.0. This impacts an unknown function of the file /ramonsys/billing/index.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 7.3 | CVE-2026-2014 | VDB-344596 | itsourcecode Student Management System index.php sql injection VDB-344596 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744048 | itsourcecode Student Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/35 https://itsourcecode.com/ |
| itsourcecode–School Management System | A flaw has been found in itsourcecode School Management System 1.0. This affects an unknown part of the file /ramonsys/settings/controller.php. This manipulation of the argument ID causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 7.3 | CVE-2026-2018 | VDB-344600 | itsourcecode School Management System controller.php sql injection VDB-344600 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744075 | itsourcecode School Management System V1.0 SQL Injection https://github.com/ltranquility/CVE/issues/36 https://itsourcecode.com/ |
| SourceCodester–Medical Center Portal Management System | A vulnerability was detected in SourceCodester Medical Center Portal Management System 1.0. This affects an unknown function of the file /login.php. The manipulation of the argument User results in sql injection. The attack can be executed remotely. The exploit is now public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2057 | VDB-344617 | SourceCodester Medical Center Portal Management System login.php sql injection VDB-344617 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744233 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/1 https://www.sourcecodester.com/ |
| mathurvishal–CloudClassroom-PHP-Project | A flaw has been found in mathurvishal CloudClassroom-PHP-Project up to 5dadec098bfbbf3300d60c3494db3fb95b66e7be. This impacts an unknown function of the file /postquerypublic.php of the component Post Query Details Page. This manipulation of the argument gnamex causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 7.3 | CVE-2026-2058 | VDB-344618 | mathurvishal CloudClassroom-PHP-Project Post Query Details postquerypublic.php sql injection VDB-344618 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744236 | https://github.com/mathurvishal/CloudClassroom-PHP-Project CloudClassroom PHP Project 1.0 SQL Injection https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0 https://github.com/carlosalbertotuma/CLOUD-CLASSROOMS-php-1.0#impact |
| SourceCodester–Medical Center Portal Management System | A vulnerability has been found in SourceCodester Medical Center Portal Management System 1.0. Affected is an unknown function of the file /emp_edit1.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. | 2026-02-06 | 7.3 | CVE-2026-2059 | VDB-344619 | SourceCodester Medical Center Portal Management System emp_edit1.php sql injection VDB-344619 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744261 | SourceCodester Medical Center Portal Management System 1.0 SQL Injection https://github.com/Roger-Adventures/CVE/issues/2 https://www.sourcecodester.com/ |
| code-projects–Simple Blood Donor Management System | A vulnerability was found in code-projects Simple Blood Donor Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /simpleblooddonor/editcampaignform.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. | 2026-02-06 | 7.3 | CVE-2026-2060 | VDB-344620 | code-projects Simple Blood Donor Management System editcampaignform.php sql injection VDB-344620 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744262 | code-projects Simple Blood Donor Management System V1.0 SQL Injection https://github.com/kyxh001/CVE/issues/1 https://code-projects.org/ |
| itsourcecode–School Management System | A vulnerability was determined in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/user/index.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2073 | VDB-344639 | itsourcecode School Management System index.php sql injection VDB-344639 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745482 | itsourcecode School Management System V1.0 SQL Injection https://github.com/Sherlocksbs/CVE/issues/1 https://itsourcecode.com/ |
| UTT–HiPER 810 | A vulnerability has been found in UTT HiPER 810 1.7.4-141218. This issue affects the function setSysAdm of the file /goform/formUser. The manipulation of the argument passwd1 leads to command injection. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 7.2 | CVE-2026-2080 | VDB-344646 | UTT HiPER 810 formUser setSysAdm command injection VDB-344646 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745521 | UTT HiPER 810 / nv810v4 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/README.md https://github.com/cha0yang1/UTT810CVE/blob/main/README.md#reproduction-steps |
| code-projects–Social Networking Site | A security flaw has been discovered in code-projects Social Networking Site 1.0. This affects an unknown function of the file /delete_post.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-07 | 7.3 | CVE-2026-2083 | VDB-344650 | code-projects Social Networking Site delete_post.php sql injection VDB-344650 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745937 | code-projects Social Networking Site V1.0 SQL Injection https://github.com/6Justdododo6/CVE/issues/1 https://code-projects.org/ |
| D-Link–DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This impacts an unknown function of the file /goform/set_language. Executing a manipulation of the argument langSelection can lead to os command injection. It is possible to launch the attack remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-07 | 7.2 | CVE-2026-2084 | VDB-344651 | D-Link DIR-823X set_language os command injection VDB-344651 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746379 | D-Link DIR 250416 OS Command Injection Submit #746380 | D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/24 https://www.dlink.com/ |
| D-Link–DWR-M921 | A security vulnerability has been detected in D-Link DWR-M921 1.1.50. Affected is the function sub_419F20 of the file /boafrm/formUSSDSetup of the component USSD Configuration Endpoint. The manipulation of the argument ussdValue leads to command injection. The attack can be initiated remotely. The exploit has been disclosed publicly and may be used. | 2026-02-07 | 7.2 | CVE-2026-2085 | VDB-344652 | D-Link DWR-M921 USSD Configuration Endpoint formUSSDSetup sub_419F20 command injection VDB-344652 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746400 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/1 https://github.com/LX-66-LX/cve-new/issues/1#issue-3851345029 https://www.dlink.com/ |
| SourceCodester–Online Class Record System | A flaw has been found in SourceCodester Online Class Record System 1.0. Affected by this issue is some unknown functionality of the file /admin/login.php. This manipulation of the argument user_email causes sql injection. The attack may be initiated remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2087 | VDB-344654 | SourceCodester Online Class Record System login.php sql injection VDB-344654 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746510 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/1 https://www.sourcecodester.com/ |
| PHPGurukul–Beauty Parlour Management System | A vulnerability has been found in PHPGurukul Beauty Parlour Management System 1.1. This affects an unknown part of the file /admin/accepted-appointment.php. Such manipulation of the argument delid leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2088 | VDB-344655 | PHPGurukul Beauty Parlour Management System accepted-appointment.php sql injection VDB-344655 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746520 | PHPgurukul Beauty Parlour Management System V1.1 SQL Injection https://github.com/Shaon-Xis/cve/issues/1 https://phpgurukul.com/ |
| SourceCodester–Online Class Record System | A vulnerability was found in SourceCodester Online Class Record System 1.0. This vulnerability affects unknown code of the file /admin/subject/controller.php. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the attack is possible. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2089 | VDB-344656 | SourceCodester Online Class Record System controller.php sql injection VDB-344656 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746550 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/2 https://www.sourcecodester.com/ |
| SourceCodester–Online Class Record System | A vulnerability was determined in SourceCodester Online Class Record System 1.0. This issue affects some unknown processing of the file /admin/message/search.php. Executing a manipulation of the argument term can lead to sql injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 7.3 | CVE-2026-2090 | VDB-344657 | SourceCodester Online Class Record System search.php sql injection VDB-344657 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746551 | SourceCodester Online Class Record System 1.0 SQL Injection https://github.com/xiaoccm07/cve/issues/3 https://www.sourcecodester.com/ |
| Infor–SyteLine ERP | Infor SyteLine ERP uses hard-coded static cryptographic keys to encrypt stored credentials, including user passwords, database connection strings, and API keys. The encryption keys are identical across all installations. An attacker with access to the application binary and database can decrypt all stored credentials. | 2026-02-06 | 7.1 | CVE-2026-2103 | https://blog.blacklanternsecurity.com/p/cve-2026-2103-infor-syteline-erp |
| yuan1994–tpadmin | A security vulnerability has been detected in yuan1994 tpadmin up to 1.3.12. This affects an unknown part in the library /public/static/admin/lib/webuploader/0.1.5/server/preview.php of the component WebUploader. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-07 | 7.3 | CVE-2026-2113 | VDB-344688 | yuan1994 tpadmin WebUploader preview.php deserialization VDB-344688 | CTI Indicators (IOB, IOC, IOA) Submit #746795 | https://github.com/yuan1994/tpadmin cms v1.3 RCE https://github.com/sTy1H/CVE-Report/blob/main/Remote%20Code%20Execution%20Vulnerability%20in%20Tpadmin%20System.md |
| itsourcecode–Society Management System | A vulnerability was detected in itsourcecode Society Management System 1.0. This vulnerability affects unknown code of the file /admin/edit_admin.php. The manipulation of the argument admin_id results in sql injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2114 | VDB-344689 | itsourcecode Society Management System edit_admin.php sql injection VDB-344689 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746796 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/3 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A flaw has been found in itsourcecode Society Management System 1.0. This issue affects some unknown processing of the file /admin/delete_expenses.php. This manipulation of the argument expenses_id causes sql injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-07 | 7.3 | CVE-2026-2115 | VDB-344690 | itsourcecode Society Management System delete_expenses.php sql injection VDB-344690 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746797 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/2 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A vulnerability has been found in itsourcecode Society Management System 1.0. Impacted is an unknown function of the file /admin/edit_expenses.php. Such manipulation of the argument expenses_id leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-07 | 7.3 | CVE-2026-2116 | VDB-344691 | itsourcecode Society Management System edit_expenses.php sql injection VDB-344691 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746798 | itsourcecode Society Management System V1.0 SQL injection https://github.com/zpf7029/oblong/issues/1 https://itsourcecode.com/ |
| itsourcecode–Society Management System | A vulnerability was found in itsourcecode Society Management System 1.0. The affected element is an unknown function of the file /admin/edit_activity.php. Performing a manipulation of the argument activity_id results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-07 | 7.3 | CVE-2026-2117 | VDB-344692 | itsourcecode Society Management System edit_activity.php sql injection VDB-344692 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746884 | itsourcecode Society Management System V1.0 SQL injection https://github.com/ZooNJarway/CVE/issues/4 https://itsourcecode.com/ |
| UTT–HiPER 810 | A vulnerability was determined in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_4407D4 of the file /goform/formReleaseConnect of the component rehttpd. Executing a manipulation of the argument Isp_Name can lead to command injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2118 | VDB-344693 | UTT HiPER 810 rehttpd formReleaseConnect sub_4407D4 command injection VDB-344693 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746802 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme1.md#poc |
| D-Link–DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. This affects an unknown function of the file /goform/set_server_settings of the component Configuration Parameter Handler. The manipulation of the argument terminal_addr/server_ip/server_port leads to os command injection. The attack may be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.2 | CVE-2026-2120 | VDB-344694 | D-Link DIR-823X Configuration Parameter set_server_settings os command injection VDB-344694 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746916 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/26 https://www.dlink.com/ |
| D-Link–DIR-823X | A vulnerability was found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.2 | CVE-2026-2129 | VDB-344764 | D-Link DIR-823X set_ac_status os command injection VDB-344764 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746935 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/23 https://www.dlink.com/ |
| code-projects–Online Music Site | A security flaw has been discovered in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2132 | VDB-344767 | code-projects Online Music Site AdminUpdateCategory.php sql injection VDB-344767 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747210 | code-projects ONLINE MUSIC SITE V1.0 SQL Injection https://github.com/Volije/AdminUpdateCategory/issues/1 https://code-projects.org/ |
| code-projects–Online Music Site | A weakness has been identified in code-projects Online Music Site 1.0. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2133 | VDB-344768 | code-projects Online Music Site AdminUpdateCategory.php unrestricted upload VDB-344768 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747213 | code-projects ONLINE MUSIC SITE V1.0 Arbitrary file upload vulnerability https://github.com/Volije/cve2/issues/1 https://code-projects.org/ |
| projectworlds–Online Food Ordering System | A flaw has been found in projectworlds Online Food Ordering System 1.0. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 7.3 | CVE-2026-2136 | VDB-344771 | projectworlds Online Food Ordering System view-ticket.php sql injection VDB-344771 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747230 | projectworlds Online Food Ordering System Project in PHP V1.0 SQL Injection https://github.com/hater-us/CVE/issues/4 |
| D-Link–DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2142 | VDB-344777 | D-Link DIR-823X set_qos sub_420688 os command injection VDB-344777 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747428 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/29 https://www.dlink.com/ |
| D-Link–DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the argument ddnsType/ddnsDomainName/ddnsUserName/ddnsPwd leads to os command injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2143 | VDB-344778 | D-Link DIR-823X DDNS Service set_ddns os command injection VDB-344778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747492 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/25 https://www.dlink.com/ |
| D-Link–DIR-615 | A vulnerability has been found in D-Link DIR-615 4.10. This affects an unknown part of the file adv_firewall.php of the component DMZ Host Feature. Such manipulation of the argument dmz_ipaddr leads to os command injection. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2151 | VDB-344853 | D-Link DIR-615 DMZ Host Feature adv_firewall.php os command injection VDB-344853 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748031 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-OS-Command-Injection-2f6e5dd4c5a58053b2b4f166c2a503ba https://www.dlink.com/ |
| D-Link–DIR-615 | A vulnerability was found in D-Link DIR-615 4.10. This vulnerability affects unknown code of the file adv_routing.php of the component Web Configuration Interface. Performing a manipulation of the argument dest_ip/ submask/ gw results in os command injection. The attack may be initiated remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 7.2 | CVE-2026-2152 | VDB-344854 | D-Link DIR-615 Web Configuration adv_routing.php os command injection VDB-344854 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748032 | Dlink DIR-615 v4.10 OS Command Injection https://pentagonal-time-3a7.notion.site/DIR-615-routing-command-injection-2f6e5dd4c5a580089587f5e78a1bbf70?pvs=74 https://www.dlink.com/ |
| D-Link–DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. The affected element is the function sub_4208A0 of the file /goform/set_dmz of the component Configuration Handler. The manipulation of the argument dmz_host/dmz_enable results in os command injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2155 | VDB-344857 | D-Link DIR-823X Configuration set_dmz sub_4208A0 os command injection VDB-344857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748236 | D-Link DIR-823X 250416 OS Command Injection Submit #750038 | D-Link DIR-823X 250416 OS Command Injection (Duplicate) https://github.com/master-abc/cve/issues/32 https://www.dlink.com/ |
| D-Link–DIR-823X | A security vulnerability has been detected in D-Link DIR-823X 250416. This affects the function sub_4175CC of the file /goform/set_static_route_table. Such manipulation of the argument interface/destip/netmask/gateway/metric leads to os command injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2157 | VDB-344859 | D-Link DIR-823X set_static_route_table sub_4175CC os command injection VDB-344859 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748376 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/28 https://www.dlink.com/ |
| code-projects–Student Web Portal | A vulnerability was detected in code-projects Student Web Portal 1.0. This impacts an unknown function of the file /check_user.php. Performing a manipulation of the argument Username results in sql injection. It is possible to initiate the attack remotely. | 2026-02-08 | 7.3 | CVE-2026-2158 | VDB-344860 | code-projects Student Web Portal check_user.php sql injection VDB-344860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748816 | code-projects.org STUDENT WEB PORTAL IN PHP WITH SOURCE CODE 1.0 SQL Injection https://github.com/Qing-420/cve/blob/main/sql.md https://code-projects.org/ |
| itsourcecode–Directory Management System | A vulnerability was found in itsourcecode Directory Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/forget-password.php. The manipulation of the argument email results in sql injection. The attack can be launched remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2161 | VDB-344863 | itsourcecode Directory Management System forget-password.php sql injection VDB-344863 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751082 | itsourcecode Directory Management System V1.0 SQL Injection https://github.com/Wzl731/test/issues/1 https://itsourcecode.com/ |
| detronetdip–E-commerce | A security flaw has been discovered in detronetdip E-commerce 1.0.0. This issue affects some unknown processing of the file /seller/assets/backend/profile/addadhar.php. Performing a manipulation of the argument File results in unrestricted upload. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2164 | VDB-344866 | detronetdip E-commerce addadhar.php unrestricted upload VDB-344866 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751853 | detronetdip E-commerce 1.0 Remote Code Execution https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/PHP-Unrestricted-Upload-RCE https://github.com/detronetdip/E-commerce/ |
| detronetdip–E-commerce | A weakness has been identified in detronetdip E-commerce 1.0.0. Impacted is an unknown function of the file /Admin/assets/backend/seller/add_seller.php of the component Account Creation Endpoint. Executing a manipulation of the argument email can lead to missing authentication. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 7.3 | CVE-2026-2165 | VDB-344867 | detronetdip E-commerce Account Creation Endpoint add_seller.php missing authentication VDB-344867 | CTI Indicators (IOB, IOC, IOA) Submit #751857 | detronetdip E-commerce 1.0 Access Control Violation https://github.com/detronetdip/E-commerce/issues/23 https://github.com/Nixon-H/Unauthenticated-Admin-Account-Creation https://github.com/detronetdip/E-commerce/ |
| code-projects–Online Reviewer System | A security vulnerability has been detected in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /login/index.php of the component Login. The manipulation of the argument username/password leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.3 | CVE-2026-2166 | VDB-344868 | code-projects Online Reviewer System Login index.php sql injection VDB-344868 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751858 | code-projects OnlineReviewerSystem 1.0 SQL Injection Submit #750018 | code-projects ONLINE REVIEWER SYSTEM V1.0 SQL Injection (Duplicate) https://github.com/liaoliao-hla/cve/issues/2 https://code-projects.org/ |
| code-projects–Online Student Management System | A vulnerability was found in code-projects Online Student Management System 1.0. Affected is an unknown function of the file accounts.php of the component Login. Performing a manipulation of the argument username/password results in sql injection. The attack can be initiated remotely. The exploit has been made public and could be used. | 2026-02-08 | 7.3 | CVE-2026-2171 | VDB-344872 | code-projects Online Student Management System Login accounts.php sql injection VDB-344872 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749233 | code-projects Online Student Management System in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects–Online Application System for Admission | A vulnerability was determined in code-projects Online Application System for Admission 1.0. Affected by this vulnerability is an unknown functionality of the file enrollment/index.php of the component Login Endpoint. Executing a manipulation can lead to sql injection. The attack can be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.3 | CVE-2026-2172 | VDB-344873 | code-projects Online Application System for Admission Login Endpoint index.php sql injection VDB-344873 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749253 | code-projects Online Application System for Admission in PHP unknown SQL Injection https://code-projects.org/ |
| code-projects–Online Examination System | A vulnerability was identified in code-projects Online Examination System 1.0. Affected by this issue is some unknown functionality of the file login.php. The manipulation of the argument username/password leads to sql injection. The attack may be initiated remotely. | 2026-02-08 | 7.3 | CVE-2026-2173 | VDB-344874 | code-projects Online Examination System login.php sql injection VDB-344874 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749255 | code-projects Online Examination System in PHP unknown sql https://code-projects.org/ |
| code-projects–Contact Management System | A security flaw has been discovered in code-projects Contact Management System 1.0. This affects an unknown part of the component CRUD Endpoint. The manipulation of the argument ID results in improper authentication. The attack may be launched remotely. | 2026-02-08 | 7.3 | CVE-2026-2174 | VDB-344875 | code-projects Contact Management System CRUD Endpoint improper authentication VDB-344875 | CTI Indicators (IOB, IOC, IOA) Submit #749262 | code-projects Contact Management System in PHP unknown Authentication Bypass Issues https://code-projects.org/ |
| D-Link–DIR-823X | A weakness has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420618 of the file /goform/set_upnp. This manipulation of the argument upnp_enable causes os command injection. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2175 | VDB-344876 | D-Link DIR-823X set_upnp sub_420618 os command injection VDB-344876 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749263 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/31 https://www.dlink.com/ |
| SourceCodester–Prison Management System | A vulnerability has been found in SourceCodester Prison Management System 1.0. The impacted element is an unknown function of the component Login. The manipulation leads to session fixiation. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2177 | VDB-344880 | SourceCodester Prison Management System Login session fixiation VDB-344880 | CTI Indicators (IOB, IOC) Submit #749485 | SourceCodester Prison Management System Using PHP V1.0 Session Fixiation https://github.com/hater-us/CVE/issues/10 https://www.sourcecodester.com/ |
| UTT– 521G | A weakness has been identified in UTT 进取 521G 3.1.1-190816. Affected by this issue is the function doSystem of the file /goform/setSysAdm. Executing a manipulation of the argument passwd1 can lead to command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2182 | VDB-344885 | UTT 进取 521G setSysAdm doSystem command injection VDB-344885 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749712 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md https://github.com/cha0yang1/UTT521G/blob/main/RCE1.md#poc |
| Great Developers–Certificate Generation System | A vulnerability was detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This vulnerability affects unknown code of the file /restructured/csv.php. The manipulation of the argument photo results in os command injection. The attack can be executed remotely. This product implements a rolling release for ongoing delivery, which means version information for affected or updated releases is unavailable. The code repository of the project has not been active for many years. | 2026-02-08 | 7.3 | CVE-2026-2184 | VDB-344887 | Great Developers Certificate Generation System csv.php os command injection VDB-344887 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749714 | Great Developers Certificate Generator System 1.0 Improper Neutralization of Special Elements https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate2.md |
| UTT– 521G | A vulnerability was determined in UTT 进取 521G 3.1.1-190816. The impacted element is the function sub_446B18 of the file /goform/formPdbUpConfig. Executing a manipulation of the argument policyNames can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 7.2 | CVE-2026-2188 | VDB-344891 | UTT 进取 521G formPdbUpConfig sub_446B18 os command injection VDB-344891 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749733 | UTT (艾泰) UTT521G NV521Gv2v3.1.1-190816 Command Injection https://github.com/cha0yang1/UTT521G/blob/main/RCE2.md |
| itsourcecode–School Management System | A vulnerability was identified in itsourcecode School Management System 1.0. This affects an unknown function of the file /ramonsys/report/index.php. The manipulation of the argument ay leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. | 2026-02-08 | 7.3 | CVE-2026-2189 | VDB-344892 | itsourcecode School Management System index.php sql injection VDB-344892 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749746 | itsourcecode School Management System V1.0 SQL Injection https://github.com/angtas/cve/issues/1 https://itsourcecode.com/ |
| itsourcecode–School Management System | A security flaw has been discovered in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-08 | 7.3 | CVE-2026-2190 | VDB-344893 | itsourcecode School Management System controller.php sql injection VDB-344893 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749783 | itsourcecode School Management System V1.0 SQL Injection https://github.com/yyue02/cve/issues/2 https://itsourcecode.com/ |
| Tenda–AC9 | A weakness has been identified in Tenda AC9 15.03.06.42_multi. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 7.2 | CVE-2026-2191 | VDB-344894 | Tenda AC9 formGetDdosDefenceList stack-based overflow VDB-344894 | CTI Indicators (IOB, IOC, IOA) Submit #749800 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda3.md https://www.tenda.com.cn/ |
| Tenda–AC9 | A security vulnerability has been detected in Tenda AC9 15.03.06.42_multi. Affected by this vulnerability is the function formGetRebootTimer. Such manipulation of the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time leads to stack-based buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 7.2 | CVE-2026-2192 | VDB-344895 | Tenda AC9 formGetRebootTimer stack-based overflow VDB-344895 | CTI Indicators (IOB, IOC, IOA) Submit #749801 | Tenda AC9 v1.0/V3.0 V15.03.06.42_multi Stack-based Buffer Overflow https://github.com/glkfc/IoT-Vulnerability/blob/main/Tenda/tenda4.md https://www.tenda.com.cn/ |
| code-projects–Online Reviewer System | A vulnerability has been found in code-projects Online Reviewer System 1.0. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 7.3 | CVE-2026-2195 | VDB-344898 | code-projects Online Reviewer System questions-view.php sql injection VDB-344898 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #750005 | code-projects Online Reviewer System V1 SQL Injection https://github.com/tiancesec/CVE/issues/16 https://code-projects.org/ |
| TeamViewer–Remote | Improper access control in the TeamViewer Full and Host clients (Windows, macOS, Linux) prior version 15.74.5 allows an authenticated user to bypass additional access controls with ”Allow after confirmation” configuration in a remote session. An exploit could result in unauthorized access prior to local confirmation. The user needs to be authenticated for the remote session via ID/password, Session Link, or Easy Access as a prerequisite to exploit this vulnerability. | 2026-02-05 | 7.2 | CVE-2026-23572 | https://www.teamviewer.com/en/resources/trust-center/security-bulletins/tv-2026-1003/ |
| apollographql–apollo-server | Apollo Server is an open-source, spec-compliant GraphQL server that’s compatible with any GraphQL client, including Apollo Client. In versions from 2.0.0 to 3.13.0, 4.2.0 to before 4.13.0, and 5.0.0 to before 5.4.0, the default configuration of startStandaloneServer from @apollo/server/standalone is vulnerable to denial of service (DoS) attacks through specially crafted request bodies with exotic character set encodings. This issue does not affect users that use @apollo/server as a dependency for integration packages, like @as-integrations/express5 or @as-integrations/next, only direct usage of startStandaloneServer. | 2026-02-04 | 7.5 | CVE-2026-23897 | https://github.com/apollographql/apollo-server/security/advisories/GHSA-mp6q-xf9x-fwf7 https://github.com/apollographql/apollo-server/commit/d25a5bdc377826ad424fcf7f8d1d062055911643 https://github.com/apollographql/apollo-server/commit/e9d49d163a86b8a33be56ed27c494b9acd5400a4 |
| open-telemetry–opentelemetry-go | OpenTelemetry-Go is the Go implementation of OpenTelemetry. The OpenTelemetry Go SDK in version v1.20.0-1.39.0 is vulnerable to Path Hijacking (Untrusted Search Paths) on macOS/Darwin systems. The resource detection code in sdk/resource/host_id.go executes the ioreg system command using a search path. An attacker with the ability to locally modify the PATH environment variable can achieve Arbitrary Code Execution (ACE) within the context of the application. A fix was released with v1.40.0. | 2026-02-02 | 7 | CVE-2026-24051 | https://github.com/open-telemetry/opentelemetry-go/security/advisories/GHSA-9h8m-3fm2-qjrq https://github.com/open-telemetry/opentelemetry-go/commit/d45961bcda453fcbdb6469c22d6e88a1f9970a53 |
| NVIDIA–Megatron-LM | NVIDIA Megatron-LM for all platforms contains a vulnerability in a script, where malicious data created by an attacker may cause a code injection issue. A successful exploit of this vulnerability may lead to code execution, escalation of privileges, information disclosure, data tampering. | 2026-02-03 | 7.8 | CVE-2026-24149 | NVD Mitre |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an insecure password reset mechanism allows local attackers to reuse a valid password reset token after it has already been used, enabling unauthorized password changes and potential account takeover. This issue has been patched in version 4.2. | 2026-02-03 | 7.8 | CVE-2026-24669 | https://github.com/gunet/openeclass/security/advisories/GHSA-gcqq-fxw6-f866 |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated students to inject malicious JavaScript into user profile fields, which is executed when users with viewing privileges access affected application pages. This issue has been patched in version 4.2. | 2026-02-03 | 7.3 | CVE-2026-24672 | https://github.com/gunet/openeclass/security/advisories/GHSA-3p2x-qgxw-qvxh |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, an Insecure Direct Object Reference (IDOR) vulnerability allows unauthenticated remote attackers to access personal files of other users by directly requesting predictable user identifiers. This issue has been patched in version 4.2. | 2026-02-03 | 7.5 | CVE-2026-24773 | https://github.com/gunet/openeclass/security/advisories/GHSA-63pm-pff4-xc9c |
| chainguard-dev–melange | melange allows users to build apk packages using declarative pipelines. From version 0.3.0 to before 0.40.3, an attacker who can provide build input values, but not modify pipeline definitions, could execute arbitrary shell commands if the pipeline uses ${{vars.*}} or ${{inputs.*}} substitutions in working-directory. The field is embedded into shell scripts without proper quote escaping. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-24844 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-vqqr-rmpc-hhg2 https://github.com/chainguard-dev/melange/commit/e51ca30cfb63178f5a86997d23d3fff0359fa6c8 |
| Huawei–HarmonyOS | Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 7.3 | CVE-2026-24925 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, a path traversal vulnerability was discovered in apko’s dirFS filesystem abstraction. An attacker who can supply a malicious APK package (e.g., via a compromised or typosquatted repository) could create directories or symlinks outside the intended installation root. The MkdirAll, Mkdir, and Symlink methods in pkg/apk/fs/rwosfs.go use filepath.Join() without validating that the resulting path stays within the base directory. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25121 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-5g94-c2wx-8pxw https://github.com/chainguard-dev/apko/commit/d8b7887a968a527791b3c591ae83928cb49a9f14 |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.1, an attacker who controls or compromises an APK repository used by apko could cause resource exhaustion on the build host. The ExpandApk function in pkg/apk/expandapk/expandapk.go expands .apk streams without enforcing decompression limits, allowing a malicious repository to serve a small, highly-compressed .apk that inflates into a large tar stream, consuming excessive disk space and CPU time, causing build failures or denial of service. This issue has been patched in version 1.1.1. | 2026-02-04 | 7.5 | CVE-2026-25140 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-f4w5-5xv9-85f6 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| chainguard-dev–melange | melange allows users to build apk packages using declarative pipelines. From version 0.10.0 to before 0.40.3, an attacker who can influence inputs to the patch pipeline could execute arbitrary shell commands on the build host. The patch pipeline in pkg/build/pipelines/patch.yaml embeds input-derived values (series paths, patch filenames, and numeric parameters) into shell scripts without proper quoting or validation, allowing shell metacharacters to break out of their intended context. The vulnerability affects the built-in patch pipeline which can be invoked through melange build and melange license-check operations. An attacker who can control patch-related inputs (e.g., through pull request-driven CI, build-as-a-service, or by influencing melange configurations) can inject shell metacharacters such as backticks, command substitutions $(…), semicolons, pipes, or redirections to execute arbitrary commands with the privileges of the melange build process. This issue has been patched in version 0.40.3. | 2026-02-04 | 7.8 | CVE-2026-25143 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-rf4g-89h5-crcr https://github.com/chainguard-dev/melange/commit/bd132535cd9f57d4bd39d9ead0633598941af030 |
| openclaw–openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.29, there is an OS command injection vulnerability via the Project Root Path in sshNodeCommand. The sshNodeCommand function constructed a shell script without properly escaping the user-supplied project path in an error message. When the cd command failed, the unescaped path was interpolated directly into an echo statement, allowing arbitrary command execution on the remote SSH host. The parseSSHTarget function did not validate that SSH target strings could not begin with a dash. An attacker-supplied target like -oProxyCommand=… would be interpreted as an SSH configuration flag rather than a hostname, allowing arbitrary command execution on the local machine. This issue has been patched in version 2026.1.29. | 2026-02-04 | 7.8 | CVE-2026-25157 | https://github.com/openclaw/openclaw/security/advisories/GHSA-q284-4pvr-m585 |
| fastify–fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.2, a validation bypass vulnerability exists in Fastify where request body validation schemas specified by Content-Type can be completely circumvented. By appending a tab character (t) followed by arbitrary content to the Content-Type header, attackers can bypass body validation while the server still processes the body as the original content type. This issue has been patched in version 5.7.2. | 2026-02-03 | 7.5 | CVE-2026-25223 | https://github.com/fastify/fastify/security/advisories/GHSA-jx2c-rxcm-jvmq https://github.com/fastify/fastify/commit/32d7b6add39ddf082d92579a58bea7018c5ac821 https://hackerone.com/reports/3464114 https://fastify.dev/docs/latest/Reference/Validation-and-Serialization https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/content-type-parser.js#L125 https://github.com/fastify/fastify/blob/759e9787b5669abf953068e42a17bffba7521348/lib/validation.js#L272 |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, stack-based buffer overflow in icFixXml() function when processing malformed ICC profiles, allows potential arbitrary code execution through crafted NamedColor2 tags. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.8 | CVE-2026-25502 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-c2qq-jf7w-rm27 https://github.com/InternationalColorConsortium/iccDEV/issues/537 https://github.com/InternationalColorConsortium/iccDEV/pull/545 https://github.com/InternationalColorConsortium/iccDEV/commit/be5d7ec5cc137c084c08006aee8cd3ed378c7ac2 |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.2, type confusion allowed malformed ICC profiles to trigger undefined behavior when loading invalid icImageEncodingType values causing denial of service. This issue has been patched in version 2.3.1.2. | 2026-02-03 | 7.1 | CVE-2026-25503 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pf84-4c7q-x764 https://github.com/InternationalColorConsortium/iccDEV/issues/539 https://github.com/InternationalColorConsortium/iccDEV/pull/547 https://github.com/InternationalColorConsortium/iccDEV/commit/353e6517a31cb6ac9fdd44ac0103bc2fadb25175 |
| modelcontextprotocol–typescript-sdk | MCP TypeScript SDK is the official TypeScript SDK for Model Context Protocol servers and clients. From version 1.10.0 to 1.25.3, cross-client response data leak when a single McpServer/Server and transport instance is reused across multiple client connections, most commonly in stateless StreamableHTTPServerTransport deployments. This issue has been patched in version 1.26.0. | 2026-02-04 | 7.1 | CVE-2026-25536 | https://github.com/modelcontextprotocol/typescript-sdk/security/advisories/GHSA-345p-7cg4-v4c7 https://github.com/modelcontextprotocol/typescript-sdk/issues/204 https://github.com/modelcontextprotocol/typescript-sdk/issues/243 |
| Coding-Solo–godot-mcp | Godot MCP is a Model Context Protocol (MCP) server for interacting with the Godot game engine. Prior to version 0.1.1, a command injection vulnerability in godot-mcp allows remote code execution. The executeOperation function passed user-controlled input (e.g., projectPath) directly to exec(), which spawns a shell. An attacker could inject shell metacharacters like $(command) or &calc to execute arbitrary commands with the privileges of the MCP server process. This affects any tool that accepts projectPath, including create_scene, add_node, load_sprite, and others. This issue has been patched in version 0.1.1. | 2026-02-04 | 7.8 | CVE-2026-25546 | https://github.com/Coding-Solo/godot-mcp/security/advisories/GHSA-8jx2-rhfh-q928 https://github.com/Coding-Solo/godot-mcp/issues/64 https://github.com/Coding-Solo/godot-mcp/pull/67 https://github.com/Coding-Solo/godot-mcp/commit/21c785d923cfdb471ea60323c13807d62dfecc5a |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow (read) vulnerability in CIccIO::WriteUInt16Float() when converting malformed XML to ICC profiles via iccFromXml tool. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25582 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-46hq-fphp-jggf https://github.com/InternationalColorConsortium/iccDEV/issues/559 https://github.com/InternationalColorConsortium/iccDEV/pull/561 https://github.com/InternationalColorConsortium/iccDEV/commit/b5e5dd238f609ec1a4efb25674e7fa4bd29d894a |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a heap buffer overflow vulnerability in CIccFileIO::Read8() when processing malformed ICC profile files via unchecked fread operation. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25583 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-5ffg-r52h-fgw3 https://github.com/InternationalColorConsortium/iccDEV/issues/558 https://github.com/InternationalColorConsortium/iccDEV/pull/562 https://github.com/InternationalColorConsortium/iccDEV/commit/8a6df2d8dac1e971a18be66fa36e3a0d6584f919 |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a stack-buffer-overflow vulnerability in CIccTagFloatNum<>::GetValues(). This is triggered when processing a malformed ICC profile. The vulnerability allows an out-of-bounds write on the stack, potentially leading to memory corruption, information disclosure, or code execution when processing specially crafted ICC files. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25584 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-xjr3-v3vr-5794 https://github.com/InternationalColorConsortium/iccDEV/issues/551 https://github.com/InternationalColorConsortium/iccDEV/pull/565 https://github.com/InternationalColorConsortium/iccDEV/commit/c9cb108f58683bd87afca616dea3e4cdb884c23f |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to version 2.3.1.3, there is a vulnerability IccCmm.cpp:5793 when reading through index during ICC profile processing. The malformed ICC profile triggers improper array bounds validation in the color management module, resulting in an out-of-bounds read that can lead to memory disclosure or segmentation fault from accessing memory beyond the array boundary. This issue has been patched in version 2.3.1.3. | 2026-02-04 | 7.8 | CVE-2026-25585 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-pmqx-q624-jg6w https://github.com/InternationalColorConsortium/iccDEV/issues/552 https://github.com/InternationalColorConsortium/iccDEV/pull/563 https://github.com/InternationalColorConsortium/iccDEV/commit/ba81cd94b9c82b1d3905d45427badbd9d8adfa15 |
| Blesta–Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5680. | 2026-02-03 | 7.5 | CVE-2026-25614 | https://www.blesta.com/2026/01/28/security-advisory/ |
| Blesta–Blesta | Blesta 3.x through 5.x before 5.13.3 allows object injection, aka CORE-5668. | 2026-02-03 | 7.2 | CVE-2026-25615 | https://www.blesta.com/2026/01/28/security-advisory/ |
| InternationalColorConsortium–iccDEV | iccDEV provides a set of libraries and tools that allow for the interaction, manipulation, and application of ICC color management profiles. Prior to 2.3.1.4, SrcPixel and DestPixel stack buffers overlap in CIccTagMultiProcessElement::Apply() int IccTagMPE.cpp. This vulnerability is fixed in 2.3.1.4. | 2026-02-06 | 7.8 | CVE-2026-25634 | https://github.com/InternationalColorConsortium/iccDEV/security/advisories/GHSA-35rg-jcmp-583h https://github.com/InternationalColorConsortium/iccDEV/issues/577 https://github.com/InternationalColorConsortium/iccDEV/pull/579 https://github.com/InternationalColorConsortium/iccDEV/commit/9206e0b8684e4cf4186d9ae768f16760bc1af9ff https://github.com/InternationalColorConsortium/iccDEV/releases/tag/v2.3.1.4 |
| pydantic–pydantic-ai | Pydantic AI is a Python agent framework for building applications and workflows with Generative AI. From 1.34.0 to before 1.51.0, a path traversal vulnerability in the Pydantic AI web UI allows an attacker to serve arbitrary JavaScript in the context of the application by crafting a malicious URL. In affected versions, the CDN URL is constructed using a version query parameter from the request URL. This parameter is not validated, allowing path traversal sequences that cause the server to fetch and serve attacker-controlled HTML/JavaScript from an arbitrary source on the same CDN, instead of the legitimate chat UI package. If a victim clicks the link or visits it via an iframe, attacker-controlled code executes in their browser, enabling theft of chat history and other client-side data. This vulnerability only affects applications that use Agent.to_web to serve a chat interface and clai web to serve a chat interface from the CLI. These are typically run locally (on localhost), but may also be deployed on a remote server. This vulnerability is fixed in 1.51.0. | 2026-02-06 | 7.1 | CVE-2026-25640 | https://github.com/pydantic/pydantic-ai/security/advisories/GHSA-wjp5-868j-wqv7 https://github.com/pydantic/pydantic-ai/releases/tag/v1.51.0 |
| datahub-project–datahub | DataHub is an open-source metadata platform. Prior to version 1.3.1.8, the LDAP ingestion source is vulnerable to MITM attack through TLS downgrade. This issue has been patched in version 1.3.1.8. | 2026-02-06 | 7.5 | CVE-2026-25644 | https://github.com/datahub-project/datahub/security/advisories/GHSA-j34h-x7qg-4qw5 |
| kovidgoyal–calibre | calibre is an e-book manager. Prior to 9.2.0, a Server-Side Template Injection (SSTI) vulnerability in Calibre’s Templite templating engine allows arbitrary code execution when a user converts an ebook using a malicious custom template file via the –template-html or –template-html-index command-line options. This vulnerability is fixed in 9.2.0. | 2026-02-06 | 7.8 | CVE-2026-25731 | https://github.com/kovidgoyal/calibre/security/advisories/GHSA-xrh9-w7qx-3gcc https://github.com/kovidgoyal/calibre/commit/f0649b27512e987b95fcab2e1e0a3bcdafc23379 |
| zauberzeug–nicegui | NiceGUI is a Python-based UI framework. Prior to 3.7.0, NiceGUI’s FileUpload.name property exposes client-supplied filename metadata without sanitization, enabling path traversal when developers use the pattern UPLOAD_DIR / file.name. Malicious filenames containing ../ sequences allow attackers to write files outside intended directories, with potential for remote code execution through application file overwrites in vulnerable deployment patterns. This design creates a prevalent security footgun affecting applications following common community patterns. Note: Exploitation requires application code incorporating file.name into filesystem paths without sanitization. Applications using fixed paths, generated filenames, or explicit sanitization are not affected. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 7.5 | CVE-2026-25732 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-9ffm-fxg3-xrhh https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L110-L115 https://github.com/zauberzeug/nicegui/blob/main/nicegui/elements/upload_files.py#L79-L82 |
| adonisjs–core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a prototype pollution vulnerability in AdonisJS multipart form-data parsing may allow a remote attacker to manipulate object prototypes at runtime. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.2 | CVE-2026-25754 | https://github.com/adonisjs/core/security/advisories/GHSA-f5x2-vj4h-vg4c https://github.com/adonisjs/bodyparser/commit/40e1c71f958cffb74f6b91bed6630dca979062ed https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |
| adonisjs–core | AdonisJS is a TypeScript-first web framework. Prior to versions 10.1.3 and 11.0.0-next.9, a denial of service (DoS) vulnerability exists in the multipart file handling logic of @adonisjs/bodyparser. When processing file uploads, the multipart parser may accumulate an unbounded amount of data in memory while attempting to detect file types, potentially leading to excessive memory consumption and process termination. This issue has been patched in versions 10.1.3 and 11.0.0-next.9. | 2026-02-06 | 7.5 | CVE-2026-25762 | https://github.com/adonisjs/core/security/advisories/GHSA-xx9g-fh25-4q64 https://github.com/adonisjs/bodyparser/releases/tag/v10.1.3 https://github.com/adonisjs/bodyparser/releases/tag/v11.0.0-next.9 |
Medium Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Sweethawk–Zendesk App SweetHawk Survey | Zendesk SweetHawk Survey 1.6 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through support ticket submissions. Attackers can insert XSS payloads like script tags into ticket text that automatically execute when survey pages are loaded by other users. | 2026-02-03 | 6.4 | CVE-2019-25263 | ExploitDB-47781 SweetHawk Survey App Vendor Homepage Zendesk Survey App Software Page VulnCheck Advisory: Zendesk App SweetHawk Survey 1.6 – Persistent Cross-Site Scripting |
| Snipeitapp–IT Open Source Asset Management | Snipe-IT 4.7.5 contains a persistent cross-site scripting vulnerability that allows authorized users to upload malicious SVG files with embedded JavaScript. Attackers can craft SVG files with script tags to execute arbitrary JavaScript when the accessory is viewed by other users. | 2026-02-03 | 6.4 | CVE-2019-25264 | ExploitDB-47756 Official Vendor Homepage Snipe-IT Software Release v4.7.5 VulnCheck Advisory: Snipe-IT Open Source Asset Management 4.7.5 – Persistent Cross-Site Scripting |
| Bigprof–Online Inventory Manager | Online Inventory Manager 3.2 contains a stored cross-site scripting vulnerability in the group description field of the admin edit groups section. Attackers can inject malicious JavaScript through the description field that will execute when the groups page is viewed, allowing potential cookie theft and client-side script execution. | 2026-02-03 | 6.4 | CVE-2019-25265 | ExploitDB-47725 Vendor Homepage Software Download Page VulnCheck Advisory: Online Inventory Manager 3.2 – Persistent Cross-Site Scripting |
| lolypop55–html5_snmp | html5_snmp 1.11 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts through the ‘Remark’ parameter in add_router_operation.php. Attackers can craft a POST request with a script payload in the Remark field to execute arbitrary JavaScript in victim browsers when the page is loaded. | 2026-02-06 | 6.4 | CVE-2019-25294 | ExploitDB-47587 Vendor Homepage VulnCheck Advisory: html5_snmp 1.11 – ‘Remark’ Persistent Cross-Site Scripting |
| thrsrossi–Millhouse Project | Millhouse-Project 1.414 contains a persistent cross-site scripting vulnerability in the comment submission functionality that allows attackers to inject malicious scripts. Attackers can post comments with embedded JavaScript through the ‘content’ parameter in add_comment_sql.php to execute arbitrary scripts in victim browsers. | 2026-02-06 | 6.4 | CVE-2019-25301 | ExploitDB-47583 Vendor Homepage VulnCheck Advisory: thrsrossi Millhouse-Project 1.414 – ‘content’ Persistent Cross-Site Scripting |
| Twinkle Toes Software–Booked Scheduler | Booked Scheduler 2.7.7 contains a directory traversal vulnerability in the manage_email_templates.php script that allows authenticated administrators to access unauthorized files. Attackers can exploit the vulnerable ‘tn’ parameter to read files outside the intended directory by manipulating directory path traversal techniques. | 2026-02-03 | 6.5 | CVE-2020-37077 | ExploitDB-48428 Booked Scheduler Official Website Archived Booked Scheduler SourceForge Page VulnCheck Advisory: Booked Scheduler 2.7.7 – Authenticated Directory Traversal |
| Rubikon Teknoloji–Easy Transfer | Easy Transfer 1.7 iOS mobile application contains a directory traversal vulnerability that allows remote attackers to access unauthorized file system paths without authentication. Attackers can exploit the vulnerability by manipulating path parameters in GET and POST requests to list or download sensitive system files and inject malicious scripts into application parameters. | 2026-02-03 | 6.2 | CVE-2020-37086 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS – Directory Traversal |
| Dnnsoftware–DotNetNuke | DotNetNuke 9.5 contains a persistent cross-site scripting vulnerability that allows normal users to upload malicious XML files with executable scripts through journal tools. Attackers can upload XML files with XHTML namespace scripts to execute arbitrary JavaScript in users’ browsers, potentially bypassing CSRF protections and performing more damaging attacks. | 2026-02-03 | 6.4 | CVE-2020-37103 | ExploitDB-48124 DotNetNuke Official Vendor Homepage Vulnerability Analysis Blog Post VulnCheck Advisory: DotNetNuke 9.5 – Persistent Cross-Site Scripting |
| Davidvg–60CycleCMS | 60CycleCMS 2.5.2 contains a cross-site scripting (XSS) vulnerability in news.php that allows attackers to inject malicious scripts through GET parameters. Attackers can craft malicious URLs with XSS payloads targeting the ‘etsu’ and ‘ltsu’ parameters to execute arbitrary scripts in victim’s browsers. This issue does not involve SQL injection. | 2026-02-03 | 6.1 | CVE-2020-37111 | ExploitDB-48177 Vendor Homepage Software Download Link VulnCheck Advisory: 60CycleCMS 2.5.2 – ‘news.php’ Cross-site Scripting (XSS) Vulnerability |
| Openeclass–GUnet OpenEclass | GUnet OpenEclass 1.7.3 stores user credentials in plaintext, allowing administrators to view all registered users’ usernames and passwords without encryption. This vulnerability exposes sensitive information and increases the risk of credential theft and unauthorized access. | 2026-02-03 | 6.5 | CVE-2020-37115 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform – Plaintext Password Storage |
| EmTec–ZOC Terminal | ZOC Terminal 7.25.5 contains a script processing vulnerability that allows local attackers to crash the application by loading a maliciously crafted REXX script file. Attackers can generate an oversized script with 20,000 repeated characters to trigger an application crash and cause a denial of service. | 2026-02-05 | 6.2 | CVE-2020-37128 | ExploitDB-48302 Vendor Homepage VulnCheck Advisory: ZOC Terminal 7.25.5 – ‘Script’ Denial of Service |
| Nsauditor–Product Key Explorer | Nsauditor Product Key Explorer 4.2.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by inputting a specially crafted registration key. Attackers can generate a payload of 1000 bytes of repeated characters and paste it into the ‘Key’ input field to trigger the application crash. | 2026-02-05 | 6.2 | CVE-2020-37131 | ExploitDB-48284 Vendor Homepage VulnCheck Advisory: Product Key Explorer 4.2.2.0 – ‘Key’ Denial of Service |
| UltraVNC Team–UltraVNC Launcher | UltraVNC Launcher 1.2.4.0 contains a denial of service vulnerability in its password configuration properties that allows local attackers to crash the application. Attackers can paste an overly long 300-character string into the password field to trigger an application crash and prevent normal launcher functionality. | 2026-02-05 | 6.2 | CVE-2020-37132 | ExploitDB-48290 UltraVNC Official Homepage VulnCheck Advisory: UltraVNC Launcher 1.2.4.0 – ‘Password’ Denial of Service |
| PHP Fusion–PHP Fusion | PHP-Fusion 9.03.50 contains a remote code execution vulnerability in the ‘add_panel_form()’ function that allows attackers to execute arbitrary code through an eval() function with unsanitized POST data. Attackers can exploit the vulnerability by sending crafted panel_content POST parameters to the panels.php administration endpoint to execute malicious code. | 2026-02-05 | 6.1 | CVE-2020-37137 | ExploitDB-48278 PHP Fusion Official Website VulnCheck Advisory: PHP-Fusion 9.03.50 – ‘panels.php’ Eval Injection |
| Veridium–SprintWork | SprintWork 2.3.1 contains multiple local privilege escalation vulnerabilities through insecure file, service, and folder permissions on Windows systems. Local unprivileged users can exploit missing executable files and weak service configurations to create a new administrative user and gain complete system access. | 2026-02-06 | 6.2 | CVE-2020-37160 | ExploitDB-48070 Vendor Homepage Product Information Page VulnCheck Advisory: SprintWork 2.3.1 – Local Privilege Escalation |
| Celestial Software–AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license entry field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37164 | ExploitDB-48005 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 – “license entry” Denial of Service |
| Celestial Software–AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an oversized license name. Attackers can generate a 2500-character payload and paste it into the license name field to trigger an application crash. | 2026-02-06 | 6.2 | CVE-2020-37165 | ExploitDB-48006 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 – “license name” Denial of Service |
| Celestial Software–AbsoluteTelnet | AbsoluteTelnet 11.12 contains a denial of service vulnerability in the SSH2 username input field that allows local attackers to crash the application. Attackers can overwrite the username field with a 1000-byte buffer, causing the application to become unresponsive and terminate. | 2026-02-06 | 6.2 | CVE-2020-37166 | ExploitDB-48010 Vendor Homepage VulnCheck Advisory: AbsoluteTelnet 11.12 – ‘SSH2/username’ Denial of Service |
| Raimersoft–TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy address configuration that allows local attackers to crash the application. Attackers can overwrite the address field with 3000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37170 | ExploitDB-48011 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 – ‘address’ Denial of Service |
| Raimersoft–TapinRadio | TapinRadio 2.12.3 contains a denial of service vulnerability in the application proxy username configuration that allows local attackers to crash the application. Attackers can overwrite the username field with 10,000 bytes of arbitrary data to trigger an application crash and prevent normal program functionality. | 2026-02-06 | 6.2 | CVE-2020-37171 | ExploitDB-48013 TapinRadio Product Webpage VulnCheck Advisory: TapinRadio 2.12.3 – ‘username’ Denial of Service |
| Innomic–VibroLine VLX1 HD 5.0 | An unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via Modbus (RS485). | 2026-02-02 | 6.5 | CVE-2022-50979 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| Innomic–VibroLine VLX1 HD 5.0 | A unauthenticated adjacent attacker could potentially disrupt operations by switching between multiple configuration presets via CAN. | 2026-02-02 | 6.5 | CVE-2022-50980 | https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.html https://www.innomic.com/.well-known/csaf/white/2026/ids-2026-0001.json |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 does not invalidate session after logout which could allow an authenticated user to impersonate another user on the system. | 2026-02-04 | 6.3 | CVE-2024-43181 | https://www.ibm.com/support/pages/node/7257006 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 is vulnerable to HTTP header injection, caused by improper validation of input by the HOST headers. This could allow an attacker to conduct various attacks against the vulnerable system, including cross-site scripting, cache poisoning or session hijacking. | 2026-02-04 | 6.5 | CVE-2024-51451 | https://www.ibm.com/support/pages/node/7257006 |
| boldthemes–Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s bt_bb_raw_content shortcode in all versions up to, and including, 5.4.8 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12159 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f492dcb6-0aa7-476d-bb85-c81a136d02a6?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_raw_content/bt_bb_raw_content.php#L25 |
| boldthemes–Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin ‘bt_bb_tabs’ shortcode in all versions up to, and including, 5.5.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-12803 | https://www.wordfence.com/threat-intel/vulnerabilities/id/64f30329-ecf2-4e30-bc23-9d447e239e08?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.4.8/content_elements/bt_bb_tabs/bt_bb_tabs.php#L65 |
| boldthemes–Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Post Grid component in all versions up to, and including, 5.5.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-13463 | https://www.wordfence.com/threat-intel/vulnerabilities/id/865ff4bf-608e-45f0-a160-35581b82cc2b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.php#L46 https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.3/content_elements/bt_bb_css_post_grid/bt_bb_css_post_grid.js#L8 |
| IBM–webMethods Integration (on prem) – Integration Server | IBM webMethods Integration (on prem) – Integration Server 10.15 through IS_10.15_Core_Fix2411.1 to IS_11.1_Core_Fix8 IBM webMethods Integration could disclose sensitive user information in server responses. | 2026-02-05 | 6.5 | CVE-2025-14150 | https://www.ibm.com/support/pages/node/7259518 |
| Docker Inc.–Docker Desktop | Docker Desktop for Windows contains multiple incorrect permission assignment vulnerabilities in the installer’s handling of the C:ProgramDataDockerDesktop directory. The installer creates this directory without proper ownership verification, creating two exploitation scenarios: Scenario 1 (Persistent Attack): If a low-privileged attacker pre-creates C:ProgramDataDockerDesktop before Docker Desktop installation, the attacker retains ownership of the directory even after the installer applies restrictive ACLs. At any time after installation completes, the attacker can modify the directory ACL (as the owner) and tamper with critical configuration files such as install-settings.json to specify a malicious credentialHelper, causing arbitrary code execution when any user runs Docker Desktop. Scenario 2 (TOCTOU Attack): During installation, there is a time-of-check-time-of-use (TOCTOU) race condition between when the installer creates C:ProgramDataDockerDesktop and when it sets secure ACLs. A low-privileged attacker actively monitoring for the installation can inject malicious files (such as install-settings.json) with attacker-controlled ACLs during this window, achieving the same code execution outcome. | 2026-02-04 | 6.7 | CVE-2025-14740 | https://docs.docker.com/security/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28542/ https://www.zerodayinitiative.com/advisories/ZDI-CAN-28190/ |
| lwsdevelopers–MyRewards Loyalty Points and Rewards for WooCommerce Reward orders, referrals, product reviews and more | The MyRewards – Loyalty Points and Rewards for WooCommerce plugin for WordPress is vulnerable to missing authorization in all versions up to, and including, 5.6.0. This is due to the plugin not properly verifying that a user is authorized to perform an action in the ‘ajax’ function. This makes it possible for authenticated attackers, with subscriber level access and above, to modify, add, or delete loyalty program earning rules, including manipulating point multipliers to arbitrary values. | 2026-02-04 | 6.5 | CVE-2025-15260 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2591f473-44ff-4319-8b17-b0f793a29d66?source=cve https://plugins.trac.wordpress.org/browser/woorewards/tags/5.6.0/assets/lws-adminpanel/include/internal/editlistcontroler.php#L76 |
| boldthemes–Bold Page Builder | The Bold Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s bt_bb_accordion_item shortcode in all versions up to, and including, 5.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2025-15267 | https://www.wordfence.com/threat-intel/vulnerabilities/id/38a3b3bf-9538-4ae8-9da4-d4b48805763b?source=cve https://plugins.trac.wordpress.org/browser/bold-page-builder/tags/5.5.7/content_elements/bt_bb_accordion_item/bt_bb_accordion_item.php?marks=28#L28 |
| Tanium–Tanium Appliance | Tanium addressed an improper output sanitization vulnerability in Tanium Appliance. | 2026-02-05 | 6.6 | CVE-2025-15312 | TAN-2025-003 |
| Tanium–Engage | Tanium addressed a documentation issue in Engage. | 2026-02-05 | 6.6 | CVE-2025-15324 | TAN-2025-004 |
| Tanium–Discover | Tanium addressed an improper input validation vulnerability in Discover. | 2026-02-05 | 6.3 | CVE-2025-15325 | TAN-2025-005 |
| Tanium–Performance | Tanium addressed an incorrect default permissions vulnerability in Performance. | 2026-02-05 | 6.5 | CVE-2025-15336 | TAN-2025-029 |
| Tanium–Patch | Tanium addressed an incorrect default permissions vulnerability in Patch. | 2026-02-05 | 6.5 | CVE-2025-15337 | TAN-2025-029 |
| Tanium–Partner Integration | Tanium addressed an incorrect default permissions vulnerability in Partner Integration. | 2026-02-05 | 6.5 | CVE-2025-15338 | TAN-2025-029 |
| Tanium–Discover | Tanium addressed an incorrect default permissions vulnerability in Discover. | 2026-02-05 | 6.5 | CVE-2025-15339 | TAN-2025-029 |
| Tanium–Comply | Tanium addressed an incorrect default permissions vulnerability in Comply. | 2026-02-05 | 6.5 | CVE-2025-15340 | TAN-2025-029 |
| Tanium–Benchmark | Tanium addressed an incorrect default permissions vulnerability in Benchmark. | 2026-02-05 | 6.5 | CVE-2025-15341 | TAN-2025-029 |
| Tanium–Enforce | Tanium addressed an incorrect default permissions vulnerability in Enforce. | 2026-02-05 | 6.5 | CVE-2025-15343 | TAN-2025-032 |
| simonfairbairn–The Bucketlister | The Bucketlister plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode `category` and `id` attributes in all versions up to, and including, 0.1.5 due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Contributor-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-07 | 6.5 | CVE-2025-15477 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fba36ebc-a396-4eb8-8cb6-afc50b9c974e?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L19 |
| HCLSoftware–HCL DevOps Velocity | Rate limiting for certain API calls is not being enforced, making HCL Velocity vulnerable to Denial of Service (DoS) attacks. An attacker could flood the system with a large number of requests, overwhelming its resources and causing it to become unresponsive to legitimate users. This vulnerability is fixed in 5.1.7. | 2026-02-07 | 6.8 | CVE-2025-31990 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0128585 |
| IBM–PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 could allow a local user with administration privileges to obtain sensitive information from a Virtual TPM through a series of PowerVM service procedures. | 2026-02-02 | 6 | CVE-2025-36238 | https://www.ibm.com/support/pages/node/7257556 |
| IBM–Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-02 | 6.4 | CVE-2025-36436 | https://www.ibm.com/support/pages/node/7259318 |
| Qualcomm, Inc.–Snapdragon | Memory corruption when calculating oversized partition sizes without proper checks. | 2026-02-02 | 6.8 | CVE-2025-47363 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Memory corruption while calculating offset from partition start point. | 2026-02-02 | 6.8 | CVE-2025-47364 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| Qualcomm, Inc.–Snapdragon | Transient DOS when processing a received frame with an excessively large authentication information element. | 2026-02-02 | 6.5 | CVE-2025-47402 | https://docs.qualcomm.com/product/publicresources/securitybulletin/february-2026-bulletin.html |
| N/A–Moodle[.]org | A flaw was found in moodle. This formula injection vulnerability occurs when data fields are exported without proper escaping. A remote attacker could exploit this by providing malicious data that, when exported and opened in a spreadsheet, allows arbitrary formulas to execute. This can lead to compromised data integrity and unintended operations within the spreadsheet. | 2026-02-03 | 6.1 | CVE-2025-67851 | https://access.redhat.com/security/cve/CVE-2025-67851 RHBZ#2423841 https://moodle.org/mod/forum/discuss.php?d=471301 |
| nanomq–nanomq | NanoMQ MQTT Broker (NanoMQ) is an all-around Edge Messaging Platform. In version 0.24.6, NanoMQ has a protocol parsing / forwarding inconsistency when handling shared subscriptions ($share/). A malformed SUBSCRIBE topic such as $share/ab (missing the second /) is not strictly validated during the subscription stage, so the invalid Topic Filter is stored into the subscription table. Later, when any PUBLISH matches this subscription, the broker send path (nmq_pipe_send_start_v4/v5) performs a second $share/ parsing using strchr() and increments the returned pointer without NULL checks. If the second strchr() returns NULL, sub_topic++ turns the pointer into an invalid address (e.g. 0x1). This invalid pointer is then passed into topic_filtern(), which triggers strlen() and crashes with SIGSEGV. The crash is stable and remotely triggerable. This issue has been patched in version 0.24.7. | 2026-02-04 | 6.5 | CVE-2025-68699 | https://github.com/nanomq/nanomq/security/advisories/GHSA-qv5f-c6v2-2f8h https://github.com/nanomq/nanomq/commit/89d68d678e7f841ae7baa45cba8d9bc7ddc9ef4b |
| Microsoft–Microsoft Edge (Chromium-based) | User interface (ui) misrepresentation of critical information in Microsoft Edge for Android allows an unauthorized attacker to perform spoofing over a network. | 2026-02-05 | 6.5 | CVE-2026-0391 | Microsoft Edge (Chromium-based) for Android Spoofing Vulnerability |
| premmerce–Premmerce | The Premmerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘premmerce_wizard_actions’ AJAX endpoint in all versions up to, and including, 1.3.20. This is due to missing capability checks and insufficient input sanitization and output escaping on the `state` parameter. This makes it possible for authenticated attackers, with subscriber level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page (the Premmerce Wizard admin page). | 2026-02-07 | 6.4 | CVE-2026-0555 | https://www.wordfence.com/threat-intel/vulnerabilities/id/90b2a644-19a0-43a1-8ff6-7486d7ef29b3?source=cve https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Admin.php?marks=41#L41 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Admin/Handlers/WizardHandler.php?marks=42,50,52#L42 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/src/Api/WizardApi.php?marks=38#L38 https://plugins.trac.wordpress.org/browser/premmerce/tags/1.3.20/views/admin/tabs/wizard.php?marks=30#L30 |
| webpurify–WebPurify Profanity Filter | The WebPurify Profanity Filter plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ‘webpurify_save_options’ function in all versions up to, and including, 4.0.2. This makes it possible for unauthenticated attackers to change plugin settings. | 2026-02-04 | 6.5 | CVE-2026-0572 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9283f6ea-8bc4-4fdd-a0b9-05de127f34e4?source=cve https://plugins.trac.wordpress.org/browser/webpurifytextreplace/trunk/webpurifytextreplace-options.php?rev=2343695#L92 |
| zealopensource–Smart Appointment & Booking | The Smart Appointment & Booking plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the saab_save_form_data AJAX action in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 6.4 | CVE-2026-0742 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bf332c0d-5481-412d-b44a-b3de346d7b60?source=cve https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/admin/class.saab.admin.action.php#L1203 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/trunk/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/browser/smart-appointment-booking/tags/1.0.7/inc/front/class.saab.front.action.php#L2189 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3450387%40smart-appointment-booking&new=3450387%40smart-appointment-booking&sfp_email=&sfph_mail= |
| catchthemes–Essential Widgets | The Essential Widgets plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ew-author, ew-archive, ew-category, ew-page, and ew-menu shortcodes in all versions up to, and including, 3.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. NOTE: This vulnerability was partially fixed in version 3.0. | 2026-02-05 | 6.4 | CVE-2026-0867 | https://www.wordfence.com/threat-intel/vulnerabilities/id/08d4ed49-1338-422f-b55f-a102f2d1d6c8?source=cve https://plugins.trac.wordpress.org/changeset/3440541/essential-widgets https://plugins.trac.wordpress.org/changeset/3447282/essential-widgets |
| thehappymonster–Happy Addons for Elementor | The Happy Addons for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_elementor_data’ meta field in all versions up to, and including, 3.20.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1210 | https://www.wordfence.com/threat-intel/vulnerabilities/id/df4b554a-0336-404c-b06c-2bc98c99997d?source=cve https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/svg-draw/widget.php#L732 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2055 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/trunk/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/browser/happy-elementor-addons/tags/3.20.4/widgets/age-gate/widget.php#L2120 https://plugins.trac.wordpress.org/changeset/3451894/happy-elementor-addons/trunk/widgets/svg-draw/widget.php?old=3312461&old_path=happy-elementor-addons%2Ftrunk%2Fwidgets%2Fsvg-draw%2Fwidget.php |
| jackdewey–Events Listing Widget | The Events Listing Widget plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Event URL’ parameter in all versions up to, and including, 1.3.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1252 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f3b13a5-0711-4ad3-b11c-f8556e1ca9f9?source=cve https://plugins.trac.wordpress.org/browser/events-listing-widget/trunk/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/browser/events-listing-widget/tags/1.3.4/events-listing-widget.php#L266 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451446%40events-listing-widget&new=3451446%40events-listing-widget&sfp_email=&sfph_mail= |
| brechtvds–Dynamic Widget Content | The Dynamic Widget Content plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the widget content field in the Gutenberg editor sidebar in all versions up to, and including, 1.3.6 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1268 | https://www.wordfence.com/threat-intel/vulnerabilities/id/5324ca6d-37cb-41e4-8355-80ca113f855e?source=cve https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L64 https://plugins.trac.wordpress.org/browser/dynamic-widget-content/tags/1.3.6/helpers/blocks.php#L70 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3444655%40dynamic-widget-content&new=3444655%40dynamic-widget-content&sfp_email=&sfph_mail= |
| cyberlord92–Employee Directory Staff Directory and Listing | The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘form_title’ parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1279 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f0d3b54c-6244-4776-be3c-afe3a28a2b8a?source=cve https://plugins.trac.wordpress.org/browser/employee-staff-directory/trunk/handler/mo-empdir-search_handler.php#L29 https://wordpress.org/plugins/employee-staff-directory https://plugins.trac.wordpress.org/browser/employee-staff-directory/tags/1.2.1/handler/mo-empdir-search_handler.php#L29 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448620%40employee-staff-directory&new=3448620%40employee-staff-directory |
| yoast–Yoast SEO Advanced SEO with real-time guidance and built-in AI | The Yoast SEO – Advanced SEO with real-time guidance and built-in AI plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the the `yoast-schema` block attribute in all versions up to, and including, 26.8 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1293 | https://www.wordfence.com/threat-intel/vulnerabilities/id/8b2e7c2d-ed2f-439b-9cee-f2e5d46121b6?source=cve https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/presenters/schema-presenter.php#L49 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/inc/class-wpseo-utils.php#L915 https://plugins.trac.wordpress.org/browser/wordpress-seo/tags/26.8/src/generators/schema-generator.php#L188 |
| themeisle–Robin Image Optimizer Unlimited Image Optimization & WebP Converter | The Robin Image Optimizer – Unlimited Image Optimization & WebP Converter plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Alternative Text’ field of a Media Library image in all versions up to, and including, 2.0.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-05 | 6.4 | CVE-2026-1319 | https://www.wordfence.com/threat-intel/vulnerabilities/id/288cd86b-8d13-46bf-99ef-76698cd62a41?source=cve https://plugins.trac.wordpress.org/changeset/3445467/robin-image-optimizer/tags/2.0.3/libs/addons/includes/classes/webp/vendor/rosell-dk/dom-util-for-webp/src/PictureTags.php |
| jackdewey–Tune Library | The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subscriber-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses the injected page. The vulnerability exists because the CSV import functionality lacks authorization checks and doesn’t sanitize imported data, which is later rendered without escaping through the [tune-library] shortcode. | 2026-02-06 | 6.4 | CVE-2026-1401 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cd600810-b1bc-4025-b441-5c90da7240de?source=cve https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L219 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/tune-library.php#L235 https://plugins.trac.wordpress.org/browser/tune-library/tags/1.6.3/writeNodes.php#L113 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3451457%40tune-library&new=3451457%40tune-library&sfp_email=&sfph_mail= |
| dannycarlton–Simple Bible Verse via Shortcode | The Simple Bible Verse via Shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `verse` shortcode in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1570 | https://www.wordfence.com/threat-intel/vulnerabilities/id/098b979f-337d-4fbd-bfcc-0e8a281e6982?source=cve https://plugins.trac.wordpress.org/browser/simple-bible-verse-via-shortcode/trunk/index.php#L40 |
| omi-mexico–OMIGO | The OMIGO plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `omigo_donate_button` shortcode in all versions up to, and including, 3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1573 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f2cf46e6-a732-45c4-ad18-607009d7a586?source=cve https://plugins.trac.wordpress.org/browser/omigo/trunk/omigo.php?rev=2778497#L386 |
| Foxit Software Inc.–pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the file upload feature. A malicious username is embedded into the upload file list without proper escaping, allowing arbitrary JavaScript execution when the list is displayed. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1591 | https://www.foxit.com/support/security-bulletins.html |
| Foxit Software Inc.–pdfonline.foxit.com | Foxit PDF Editor Cloud (pdfonline) contains a stored cross-site scripting vulnerability in the Create New Layer feature. Unsanitized user input is embedded into the HTML output, allowing arbitrary JavaScript execution when the layer is referenced. This issue affects pdfonline.foxit.com: before 2026‑02‑03. | 2026-02-03 | 6.3 | CVE-2026-1592 | https://www.foxit.com/support/security-bulletins.html |
| tigor4eg–Video Onclick | The Video Onclick plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `youtube` shortcode in all versions up to, and including, 0.4.7 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1608 | https://www.wordfence.com/threat-intel/vulnerabilities/id/73ddf729-da69-4d0b-866f-34a92ec72800?source=cve https://plugins.trac.wordpress.org/browser/video-onclick/tags/0.4.7/video-onclick.php#L109 |
| jmrukkers–Wikiloops Track Player | The Wikiloops Track Player plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `wikiloops` shortcode in all versions up to, and including, 1.0.1 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1611 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cb472bdb-de35-45e4-bcea-04f27d425817?source=cve https://plugins.trac.wordpress.org/browser/wikiloops-track-player/tags/1.0.1/Wikiloops-Track-Player.php#L19 |
| mrlister1–Wonka Slide | The Wonka Slide plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s `list_class` shortcode in all versions up to, and including, 1.3.3 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-07 | 6.4 | CVE-2026-1613 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f15f0211-724d-45b5-bf2f-7482f77c474d?source=cve https://plugins.trac.wordpress.org/browser/wonka-slide/trunk/admin/class-wonka-slide-build.php#L65 |
| alexdtn–Subitem AL Slider | The Subitem AL Slider plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` parameter in all versions up to, and including, 1.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1634 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4bfeff72-27de-46a9-b947-f60255b5d062?source=cve https://wordpress.org/plugins/subitem-al-slider/ https://plugins.trac.wordpress.org/browser/subitem-al-slider/trunk/templates/tab1_block1.tpl#L11 https://plugins.trac.wordpress.org/browser/subitem-al-slider/tags/1.0.0/templates/tab1_block1.tpl#L11 |
| ariagle–MP-Ukagaka | The MP-Ukagaka plugin for WordPress is vulnerable to Reflected Cross-Site Scripting in all versions up to, and including, 1.5.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-07 | 6.1 | CVE-2026-1643 | https://www.wordfence.com/threat-intel/vulnerabilities/id/14c3b53c-ba98-4e93-ba65-6da11816d7a6?source=cve https://wordpress.org/plugins/mp-ukagaka/ https://plugins.trac.wordpress.org/browser/mp-ukagaka/trunk/options.php#L160 https://plugins.trac.wordpress.org/browser/mp-ukagaka/tags/1.5.2/options.php#L160 |
| pkthree–Peters Date Countdown | The Peter’s Date Countdown plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the `$_SERVER[‘PHP_SELF’]` parameter in all versions up to, and including, 2.0.0 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-02-05 | 6.1 | CVE-2026-1654 | https://www.wordfence.com/threat-intel/vulnerabilities/id/f8f8e436-2679-4ecb-831e-2b22dd99be32?source=cve https://plugins.trac.wordpress.org/browser/peters-date-countdown/tags/2.0.0/datecountdown.php#L246 https://plugins.trac.wordpress.org/changeset/3450122/ |
| EFM–ipTIME A8004T | A vulnerability was determined in EFM ipTIME A8004T 14.18.2. Affected is the function httpcon_check_session_url of the file /sess-bin/d.cgi of the component Debug Interface. This manipulation of the argument cmd causes backdoor. It is possible to initiate the attack remotely. The complexity of an attack is rather high. The exploitability is told to be difficult. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.6 | CVE-2026-1741 | VDB-343640 | EFM ipTIME A8004T Debug d.cgi httpcon_check_session_url backdoor VDB-343640 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741423 | EFM IPTIME A8004T 14.18.2 Command Injection https://github.com/LX-LX88/cve/issues/28 |
| n/a–JeecgBoot | A vulnerability was identified in JeecgBoot 3.9.0. This vulnerability affects unknown code of the file /JeecgBoot/sys/api/loadDictItemByKeyword of the component Online Report API. Such manipulation of the argument keyword leads to sql injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 6.3 | CVE-2026-1746 | VDB-343677 | JeecgBoot Online Report API loadDictItemByKeyword sql injection VDB-343677 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741647 | Beijing Guoju Information Technology Co., Ltd JeecgBoot 3.9.0 SQL Injection https://www.yuque.com/meizhiyuwai/sks4nu/clircmda9b8q66lo?singleDoc |
| themeisle–Menu Icons by ThemeIsle | The Menu Icons by ThemeIsle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘_wp_attachment_image_alt’ post meta in all versions up to, and including, 0.13.20 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Author-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 6.4 | CVE-2026-1755 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30bfa616-c7f3-4ff0-85b3-468debc8a73e?source=cve https://plugins.trac.wordpress.org/browser/menu-icons/tags/0.13.20/includes/front.php#L497 https://plugins.trac.wordpress.org/changeset/3452685/menu-icons |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was identified in the interactive shell of the xmllint utility, part of the libxml2 project, where memory allocated for user input is not properly released under certain conditions. When a user submits input consisting only of whitespace, the program skips command execution but fails to free the allocated buffer. Repeating this action causes memory to continuously accumulate. Over time, this can exhaust system memory and terminate the xmllint process, creating a denial-of-service condition on the local system. | 2026-02-02 | 6.2 | CVE-2026-1757 | https://access.redhat.com/security/cve/CVE-2026-1757 RHBZ#2435940 |
| ravanh–Orange Comfort+ accessibility toolbar for WordPress | The Orange Confort+ accessibility toolbar for WordPress plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘style’ parameter of the ocplus_button shortcode in all versions up to, and including, 0.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1808 | https://www.wordfence.com/threat-intel/vulnerabilities/id/89cb81c3-25d7-4a4e-beed-558ea8ce721d?source=cve https://plugins.trac.wordpress.org/browser/orange-confort-plus/trunk/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/browser/orange-confort-plus/tags/0.7/inc/class-shortcode.php#L50 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3453313%40orange-confort-plus&new=3453313%40orange-confort-plus&sfp_email=&sfph_mail= |
| bolo-blog–bolo-solo | A vulnerability was detected in bolo-blog bolo-solo up to 2.6.4. The impacted element is the function unpackFilteredZip of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component ZIP File Handler. Performing a manipulation of the argument File results in path traversal. The attack is possible to be carried out remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1810 | VDB-343978 | bolo-blog bolo-solo ZIP File BackupService.java unpackFilteredZip path traversal VDB-343978 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742422 | https://github.com/bolo-blog/bolo-solo/ bolo-solo V2.6.4 Write any file https://github.com/bolo-blog/bolo-solo/issues/326 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog–bolo-solo | A flaw has been found in bolo-blog bolo-solo up to 2.6.4. This affects the function importFromMarkdown of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. Executing a manipulation of the argument File can lead to path traversal. The attack may be performed from remote. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1811 | VDB-343979 | bolo-blog bolo-solo Filename BackupService.java importFromMarkdown path traversal VDB-343979 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742437 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and Remote Code Execution https://github.com/bolo-blog/bolo-solo/issues/327 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog–bolo-solo | A vulnerability has been found in bolo-blog bolo-solo up to 2.6.4. This impacts the function importFromCnblogs of the file src/main/java/org/b3log/solo/bolo/prop/BackupService.java of the component Filename Handler. The manipulation of the argument File leads to path traversal. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1812 | VDB-343980 | bolo-blog bolo-solo Filename BackupService.java importFromCnblogs path traversal VDB-343980 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742582 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary file write https://github.com/bolo-blog/bolo-solo/issues/328 https://github.com/bolo-blog/bolo-solo/ |
| bolo-blog–bolo-solo | A vulnerability was found in bolo-blog bolo-solo up to 2.6.4. Affected is an unknown function of the file src/main/java/org/b3log/solo/bolo/pic/PicUploadProcessor.java of the component FreeMarker Template Handler. The manipulation of the argument File results in unrestricted upload. It is possible to launch the attack remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-03 | 6.3 | CVE-2026-1813 | VDB-343981 | bolo-blog bolo-solo FreeMarker Template PicUploadProcessor.java unrestricted upload VDB-343981 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743402 | https://github.com/bolo-blog/bolo-solo bolo-solo V2.6.4 Arbitrary File Write and RCE https://github.com/bolo-blog/bolo-solo/issues/329 https://github.com/bolo-blog/bolo-solo/ |
| htplugins–Docus YouTube Video Playlist | The Docus – YouTube Video Playlist plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘docusplaylist’ shortcode in all versions up to, and including, 1.0.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1888 | https://www.wordfence.com/threat-intel/vulnerabilities/id/16c6fec8-81ec-477a-9942-10fd3adb8fa4?source=cve https://plugins.trac.wordpress.org/browser/docus/trunk/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/browser/docus/tags/1.0.6/includes/class.shortcode.php#L55 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454510%40docus&new=3454510%40docus&sfp_email=&sfph_mail= |
| n/a–WeKan | A vulnerability was detected in WeKan up to 8.20. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. The patch is named 251d49eea94834cf351bb395808f4a56fb4dbb44. Upgrading the affected component is recommended. | 2026-02-04 | 6.3 | CVE-2026-1894 | VDB-344266 | WeKan REST API checklistItems.js Checklist REST Bleed improper authorization VDB-344266 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742663 | Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/251d49eea94834cf351bb395808f4a56fb4dbb44 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A flaw has been found in WeKan up to 8.20. Affected is the function applyWipLimit of the file models/lists.js of the component Attachment Storage Handler. Executing a manipulation can lead to improper access controls. The attack can be executed remotely. Upgrading to version 8.21 is able to address this issue. This patch is called 8c0b4f79d8582932528ec2fdf2a4487c86770fb9. It is recommended to upgrade the affected component. | 2026-02-04 | 6.3 | CVE-2026-1895 | VDB-344267 | WeKan Attachment Storage lists.js applyWipLimit ListWIPBleed access control VDB-344267 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742666 | Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/8c0b4f79d8582932528ec2fdf2a4487c86770fb9 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A vulnerability has been found in WeKan up to 8.20. Affected by this vulnerability is the function ComprehensiveBoardMigration of the file server/migrations/comprehensiveBoardMigration.js of the component Migration Operation Handler. The manipulation of the argument boardId leads to improper access controls. The attack is possible to be carried out remotely. Upgrading to version 8.21 addresses this issue. The identifier of the patch is cc35dafef57ef6e44a514a523f9a8d891e74ad8f. Upgrading the affected component is advised. | 2026-02-04 | 6.3 | CVE-2026-1896 | VDB-344268 | WeKan Migration Operation comprehensiveBoardMigration.js ComprehensiveBoardMigration MigrationBleed access control VDB-344268 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742670 | Wekan <8.21 Improper access control on administrative migration methods (CWE https://github.com/wekan/wekan/commit/cc35dafef57ef6e44a514a523f9a8d891e74ad8f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A vulnerability was determined in WeKan up to 8.20. This affects an unknown part of the file packages/wekan-ldap/server/syncUser.js of the component LDAP User Sync. This manipulation causes improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to mitigate this issue. Patch name: 146905a459106b5d00b4f09453a6554255e6965a. You should upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1898 | VDB-344270 | WeKan LDAP User Sync syncUser.js SyncLDAPBleed access control VDB-344270 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742676 | Wekan <8.21 Missing authorization on admin function (CWE-284) https://github.com/wekan/wekan/commit/146905a459106b5d00b4f09453a6554255e6965a https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| x-raym–WaveSurfer-WP | The WaveSurfer-WP plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s audio shortcode in all versions up to, and including, 2.8.3 due to insufficient input sanitization and output escaping on the ‘src’ attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-06 | 6.4 | CVE-2026-1909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b507462d-1ce2-4463-93bf-635ee78274f6?source=cve https://plugins.trac.wordpress.org/browser/wavesurfer-wp/trunk/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/browser/wavesurfer-wp/tags/2.8.3/wavesurfer-wp.php#L739 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3454006%40wavesurfer-wp&new=3454006%40wavesurfer-wp&sfp_email=&sfph_mail= |
| n/a–WeKan | A vulnerability has been found in WeKan up to 8.20. The impacted element is an unknown function of the file server/attachmentMigration.js of the component Attachment Migration. The manipulation leads to improper access controls. The attack may be initiated remotely. Upgrading to version 8.21 is sufficient to resolve this issue. The identifier of the patch is 053bf1dfb76ef230db162c64a6ed50ebedf67eee. It is recommended to upgrade the affected component. | 2026-02-05 | 6.3 | CVE-2026-1962 | VDB-344484 | WeKan Attachment Migration attachmentMigration.js AttachmentMigrationBleed access control VDB-344484 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742677 | Wekan <8.21 Improper access control on migration endpoints (CWE-284) https://github.com/wekan/wekan/commit/053bf1dfb76ef230db162c64a6ed50ebedf67eee https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A vulnerability was found in WeKan up to 8.20. This affects an unknown function of the file models/attachments.js of the component Attachment Storage. The manipulation results in improper access controls. The attack may be launched remotely. Upgrading to version 8.21 mitigates this issue. The patch is identified as c413a7e860bc4d93fe2adcf82516228570bf382d. Upgrading the affected component is advised. | 2026-02-05 | 6.3 | CVE-2026-1963 | VDB-344485 | WeKan Attachment Storage attachments.js MoveStorageBleed access control VDB-344485 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742678 | Wekan <8.21 Improper access control (CWE-284) https://github.com/wekan/wekan/commit/c413a7e860bc4d93fe2adcf82516228570bf382d https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| isaacwasserman–mcp-vegalite-server | A security vulnerability has been detected in isaacwasserman mcp-vegalite-server up to 16aefed598b8cd897b78e99b907f6e2984572c61. Affected by this vulnerability is the function eval of the component visualize_data. Such manipulation of the argument vegalite_specification leads to code injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-1977 | VDB-344499 | isaacwasserman mcp-vegalite-server visualize_data eval code injection VDB-344499 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743246 | GitHub mcp-vegalite-server master Code Injection https://github.com/isaacwasserman/mcp-vegalite-server/issues/9 https://github.com/isaacwasserman/mcp-vegalite-server/ |
| abhiphile–fermat-mcp | A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 6.3 | CVE-2026-2008 | VDB-344590 | abhiphile fermat-mcp eqn_chart.py eqn_chart code injection VDB-344590 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743458 | GitHub fermat-mcp master Code Injection https://github.com/abhiphile/fermat-mcp/issues/9 https://github.com/abhiphile/fermat-mcp/issues/9#issue-3837794397 https://github.com/abhiphile/fermat-mcp/ |
| SourceCodester–Gas Agency Management System | A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-06 | 6.3 | CVE-2026-2009 | VDB-344591 | SourceCodester Gas Agency Management System createUser.php access control VDB-344591 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743459 | SourceCodester Gas Agency Management System 1.0 Improper Access Controls https://github.com/Asim-QAZi/Improper-Access-Control-in-SourceCodester-Gas-Agency-Management-System https://www.sourcecodester.com/ |
| Portabilis–i-Educar | A weakness has been identified in Portabilis i-Educar up to 2.10. Affected is an unknown function of the file FinalStatusImportService.php of the component Final Status Import. Executing a manipulation of the argument school_id can lead to improper authorization. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2015 | VDB-344597 | Portabilis i-Educar Final Status Import FinalStatusImportService.php improper authorization VDB-344597 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743760 | Portabilis i-Educar 2.0 2.1 2.2 2.3 2.4 2.5 2.6 2.7 2.8 2.9 2.10 Improper Authorization https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import https://github.com/ViniCastro2001/Security_Reports/tree/main/i-educar/BFLA-Final-Status-Import#proof-of-concept-poc |
| Flycatcher Toys–smART Pixelator | A security flaw has been discovered in Flycatcher Toys smART Pixelator 2.0. Affected by this issue is some unknown functionality of the component Bluetooth Low Energy Interface. Performing a manipulation results in missing authentication. The attack can only be performed from the local network. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 6.3 | CVE-2026-2065 | VDB-344632 | Flycatcher Toys smART Pixelator Bluetooth Low Energy missing authentication VDB-344632 | CTI Indicators (IOB, IOC) Submit #745129 | Flycatcher Toys smART Pixelator 2.0 2.0 Missing Authentication https://github.com/davidrxchester/smart-pixelator-upload https://github.com/davidrxchester/smart-pixelator-upload/blob/main/poc.py |
| n/a–O2OA | A vulnerability was identified in O2OA up to 9.0.0. This impacts an unknown function of the file /x_program_center/jaxrs/mpweixin/check of the component HTTP POST Request Handler. The manipulation leads to xml external entity reference. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 6.3 | CVE-2026-2074 | VDB-344640 | O2OA HTTP POST Request check xml external entity reference VDB-344640 | CTI Indicators (IOB, IOC, IOA) Submit #745486 | 浙江兰德纵横网络技术股份有限公司 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 Submit #745489 | O2OA开发平台 O2OA v6.1.0 至 v9.0.0 XML实体注入漏洞 (Duplicate) https://github.com/SourByte05/SourByte-Lab/issues/7 |
| yeqifu–warehouse | A security flaw has been discovered in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected is the function saveRolePermission of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerRoleController.java of the component Role-Permission Binding Handler. The manipulation results in improper access controls. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2075 | VDB-344641 | yeqifu warehouse Role-Permission Binding RoleController.java saveRolePermission access control VDB-344641 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745508 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Im https://github.com/yeqifu/warehouse/issues/52 https://github.com/yeqifu/warehouse/issues/52#issue-3846645856 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A weakness has been identified in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this vulnerability is the function addUser/updateUser/deleteUser of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerUserController.java of the component User Management Endpoint. This manipulation causes improper authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2076 | VDB-344642 | yeqifu warehouse User Management Endpoint UserController.java deleteUser improper authorization VDB-344642 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745509 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/53 https://github.com/yeqifu/warehouse/issues/53#issue-3846651070 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A security vulnerability has been detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function addRole/updateRole/deleteRole of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerRoleController.java of the component Role Management Handler. Such manipulation leads to improper authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2077 | VDB-344643 | yeqifu warehouse Role Management RoleController.java deleteRole improper authorization VDB-344643 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745512 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/54 https://github.com/yeqifu/warehouse/issues/54#issue-3846654129 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A vulnerability was detected in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function addPermission/updatePermission/deletePermission of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerPermissionController.java of the component Permission Management. Performing a manipulation results in improper authorization. The attack may be initiated remotely. The exploit is now public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2078 | VDB-344644 | yeqifu warehouse Permission Management PermissionController.java deletePermission improper authorization VDB-344644 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745513 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/55 https://github.com/yeqifu/warehouse/issues/55#issue-3846656775 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This vulnerability affects the function addMenu/updateMenu/deleteMenu of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerMenuController.java of the component Menu Management. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2079 | VDB-344645 | yeqifu warehouse Menu Management MenuController.java deleteMenu improper authorization VDB-344645 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745514 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/56 https://github.com/yeqifu/warehouse/issues/56#issue-3846659524 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A flaw has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The affected element is the function addDept/updateDept/deleteDept of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerDeptController.java of the component Department Management. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been published and may be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2105 | VDB-344681 | yeqifu warehouse Department Management DeptController.java deleteDept improper authorization VDB-344681 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745515 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/57 https://github.com/yeqifu/warehouse/issues/57#issue-3846662068 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. The impacted element is the function addNotice/updateNotice/deleteNotice/batchDeleteNotice of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerNoticeController.java of the component Notice Management. The manipulation leads to improper authorization. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2106 | VDB-344682 | yeqifu warehouse Notice Management NoticeController.java batchDeleteNotice improper authorization VDB-344682 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745516 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/58 https://github.com/yeqifu/warehouse/issues/58#issue-3846664260 https://github.com/yeqifu/warehouse/ |
| yeqifu–warehouse | A vulnerability was found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. This affects the function loadAllLoginfo/deleteLoginfo/batchDeleteLoginfo of the file datasetreposwarehousesrcmainjavacomyeqifusyscontrollerLoginfoController.java of the component Log Info Handler. The manipulation results in improper authorization. The attack can be launched remotely. The exploit has been made public and could be used. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 6.3 | CVE-2026-2107 | VDB-344683 | yeqifu warehouse Log Info LoginfoController.java batchDeleteLoginfo improper authorization VDB-344683 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745517 | yeqifu warehouse latest(git commit aaf29962ba407d22d991781de28796ee7b4670e4) Improper Access Controls https://github.com/yeqifu/warehouse/issues/59 https://github.com/yeqifu/warehouse/issues/59#issue-3846665806 https://github.com/yeqifu/warehouse/ |
| Xiaopi–Panel | A security flaw has been discovered in Xiaopi Panel up to 20260126. This impacts an unknown function of the file /demo.php of the component WAF Firewall. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2122 | VDB-344695 | Xiaopi Panel WAF Firewall demo.php sql injection VDB-344695 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746917 | Xiaopi Web Application Firewall V1.0.0 Bypass https://github.com/ltranquility/CVE/issues/37 |
| BurtTheCoder–mcp-maigret | A vulnerability was determined in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The attack may be launched remotely. Upgrading to version 1.0.13 is able to mitigate this issue. This patch is called b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a. Upgrading the affected component is advised. | 2026-02-08 | 6.3 | CVE-2026-2130 | VDB-344765 | BurtTheCoder mcp-maigret search_username index.ts command injection VDB-344765 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747171 | GitHub mcp-maigret v1.0.12 Command Injection https://github.com/BurtTheCoder/mcp-maigret/issues/9 https://github.com/BurtTheCoder/mcp-maigret/pull/10 https://github.com/BurtTheCoder/mcp-maigret/commit/b1ae073c4b3e789ab8de36dc6ca8111ae9399e7a https://github.com/BurtTheCoder/mcp-maigret/releases/tag/v1.0.13 https://github.com/BurtTheCoder/mcp-maigret/ |
| XixianLiang–HarmonyOS-mcp-server | A vulnerability was identified in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 6.3 | CVE-2026-2131 | VDB-344766 | XixianLiang HarmonyOS-mcp-server input_text os command injection VDB-344766 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747209 | GitHub HarmonyOS-mcp-server v0.1.0 Command Injection https://github.com/scanleale/MCP_sec/blob/main/HarmonyOS-mcp-server%20RCE%20vulnerability.md |
| UTT–HiPER 810 | A vulnerability was detected in UTT HiPER 810 1.7.4-141218. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. It is possible to initiate the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2135 | VDB-344770 | UTT HiPER 810 formPdbUpConfig sub_43F020 command injection VDB-344770 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747222 | UTT (艾泰) HiPER 810 nv810v4v1.7.4-141218 Command Injection https://github.com/cha0yang1/UTT810CVE/blob/main/CVEreadme2.md |
| WuKongOpenSource–WukongCRM | A security flaw has been discovered in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-08 | 6.3 | CVE-2026-2141 | VDB-344776 | WuKongOpenSource WukongCRM URL PermissionServiceImpl.java improper authorization VDB-344776 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747264 | 郑州卡卡罗特软件科技有限公司 WukongCRM WukongCRM-11.x-JAVA logical flaw vulnerability https://github.com/SourByte05/SourByte-Lab/issues/8 |
| guchengwuyue–yshopmall | A security flaw has been discovered in guchengwuyue yshopmall up to 1.9.1. This affects the function updateAvatar of the file /api/users/updateAvatar of the component co.yixiang.utils.FileUtil. Performing a manipulation of the argument File results in unrestricted upload. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 6.3 | CVE-2026-2146 | VDB-344848 | guchengwuyue yshopmall co.yixiang.utils.FileUtil updateAvatar unrestricted upload VDB-344848 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747409 | https://github.com/guchengwuyue/yshopmall yshopmall V1.9.1 Incomplete Identification of Uploaded File Variables https://github.com/guchengwuyue/yshopmall/issues/40 https://github.com/guchengwuyue/yshopmall/issues/40#issue-3860542812 https://github.com/guchengwuyue/yshopmall/ |
| Totolink–WA300 | A vulnerability was detected in Totolink WA300 5.2cu.7112_B20190227. The impacted element is the function setAPNetwork of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument Ipaddr results in os command injection. The attack may be performed from remote. The exploit is now public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2167 | VDB-344869 | Totolink WA300 cstecgi.cgi setAPNetwork os command injection VDB-344869 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752063 | TOTOLINK WA300 V5.2cu.7112_B20190227 OS Command Injection https://github.com/master-abc/cve/issues/36 https://www.totolink.net/ |
| D-Link–DWR-M921 | A flaw has been found in D-Link DWR-M921 1.1.50. This affects the function sub_419920 of the file /boafrm/formLtefotaUpgradeQuectel. This manipulation of the argument fota_url causes command injection. It is possible to initiate the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2168 | VDB-344870 | D-Link DWR-M921 formLtefotaUpgradeQuectel sub_419920 command injection VDB-344870 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748838 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/2 https://www.dlink.com/ |
| D-Link–DWR-M921 | A vulnerability has been found in D-Link DWR-M921 1.1.50. This impacts an unknown function of the file /boafrm/formLtefotaUpgradeFibocom. Such manipulation of the argument fota_url leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 6.3 | CVE-2026-2169 | VDB-344871 | D-Link DWR-M921 formLtefotaUpgradeFibocom command injection VDB-344871 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748930 | D-Link DWR-M921 V1.1.50 Command Injection https://github.com/LX-66-LX/cve-new/issues/3 https://www.dlink.com/ |
| code-projects–Contact Management System | A security vulnerability has been detected in code-projects Contact Management System 1.0. This issue affects some unknown processing of the file index.py. Such manipulation of the argument selecteditem[0] leads to sql injection. The attack can be executed remotely. | 2026-02-08 | 6.3 | CVE-2026-2176 | VDB-344877 | code-projects Contact Management System index.py sql injection VDB-344877 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749264 | code-projects Contact Management System in Python unknown SQL Injection https://code-projects.org/ |
| r-huijts–xcode-mcp-server | A vulnerability was found in r-huijts xcode-mcp-server up to f3419f00117aa9949e326f78cc940166c88f18cb. This affects the function registerXcodeTools of the file src/tools/xcode/index.ts of the component run_lldb. The manipulation of the argument args results in command injection. It is possible to launch the attack remotely. The exploit has been made public and could be used. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. The patch is identified as 11f8d6bacadd153beee649f92a78a9dad761f56f. Applying a patch is advised to resolve this issue. | 2026-02-08 | 6.3 | CVE-2026-2178 | VDB-344881 | r-huijts xcode-mcp-server run_lldb index.ts registerXcodeTools command injection VDB-344881 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749569 | GitHub xcode-mcp-server master Command Injection https://github.com/r-huijts/xcode-mcp-server/issues/13 https://github.com/r-huijts/xcode-mcp-server/issues/13#issue-3878065790 https://github.com/r-huijts/xcode-mcp-server/commit/11f8d6bacadd153beee649f92a78a9dad761f56f https://github.com/r-huijts/xcode-mcp-server/ |
| Great Developers–Certificate Generation System | A security vulnerability has been detected in Great Developers Certificate Generation System up to 97171bb0e5e22e52eacf4e4fa81773e5f3cffb73. This affects an unknown part of the file /restructured/csv.php. The manipulation leads to unrestricted upload. Remote exploitation of the attack is possible. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The code repository of the project has not been active for many years. | 2026-02-08 | 6.3 | CVE-2026-2183 | VDB-344886 | Great Developers Certificate Generation System csv.php unrestricted upload VDB-344886 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749713 | Great Developers Certificate Generator System 1.0 Unrestricted Upload https://github.com/lakshayyverma/CVE-Discovery/blob/main/Certificate.md |
| D-Link–DI-7100G C1 | A vulnerability was detected in D-Link DI-7100G C1 24.04.18D1. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. Remote exploitation of the attack is possible. | 2026-02-08 | 6.3 | CVE-2026-2193 | VDB-344896 | D-Link DI-7100G C1 set_jhttpd_info command injection VDB-344896 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749803 | D-Link DI-7100G C1, 24.04.18D1 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_4.md https://www.dlink.com/ |
| D-Link–DI-7100G C1 | A flaw has been found in D-Link DI-7100G C1 24.04.18D1. This affects the function start_proxy_client_email. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been published and may be used. | 2026-02-08 | 6.3 | CVE-2026-2194 | VDB-344897 | D-Link DI-7100G C1 start_proxy_client_email command injection VDB-344897 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749804 | D-Link DI-7100G C1: 2020/02/21, 24.04.18D1: 2024/04/18 Command Injection https://github.com/glkfc/IoT-Vulnerability/blob/main/D-Link/Dlink_3.md https://www.dlink.com/ |
| glpi-project–glpi | GLPI is a free asset and IT management software package. From version 0.85 to before 10.0.23, an authenticated user can perform a SQL injection. This issue has been patched in version 10.0.23. | 2026-02-04 | 6.5 | CVE-2026-22044 | https://github.com/glpi-project/glpi/security/advisories/GHSA-569q-j526-w385 https://github.com/glpi-project/glpi/releases/tag/10.0.23 |
| n/a–WeKan | A security flaw has been discovered in WeKan up to 8.20. This vulnerability affects unknown code of the file server/methods/fixDuplicateLists.js of the component Administrative Repair Handler. Performing a manipulation results in improper access controls. It is possible to initiate the attack remotely. Upgrading to version 8.21 is able to resolve this issue. The patch is named 4ce181d17249778094f73d21515f7f863f554743. It is advisable to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2206 | VDB-344920 | WeKan Administrative Repair fixDuplicateLists.js FixDuplicateBleed access control VDB-344920 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752162 | Wekan <8.21 Improper access control on administrative repair method https://github.com/wekan/wekan/commit/4ce181d17249778094f73d21515f7f863f554743 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A vulnerability was detected in WeKan up to 8.18. The affected element is the function setCreateTranslation of the file client/components/settings/translationBody.js of the component Custom Translation Handler. The manipulation results in improper authorization. The attack can be launched remotely. Upgrading to version 8.19 is sufficient to fix this issue. The patch is identified as f244a43771f6ebf40218b83b9f46dba6b940d7de. It is suggested to upgrade the affected component. | 2026-02-08 | 6.3 | CVE-2026-2209 | VDB-344923 | WeKan Custom Translation translationBody.js setCreateTranslation improper authorization VDB-344923 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752269 | Wekan <8.20 IDOR in setCreateTranslation. Non-admin could change Custom Tran https://github.com/wekan/wekan/commit/f244a43771f6ebf40218b83b9f46dba6b940d7de https://github.com/wekan/wekan/releases/tag/v8.19 https://github.com/wekan/wekan/ |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, an authenticated user can cause a DOS attack. If one of the repo files is deleted before synchronization, it will cause the application to crash. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-22592 | https://github.com/gogs/gogs/security/advisories/GHSA-cr88-6mqm-4g57 |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, the endpoint “PUT /repos/:owner/:repo/contents/*” does not require write permissions and allows access with read permission only via repoAssignment(). After passing the permission check, PutContents() invokes UpdateRepoFile(), which results in commit creation and the execution of git push. As a result, a token with read-only permission can be used to modify repository contents. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23632 | https://github.com/gogs/gogs/security/advisories/GHSA-5qhx-gwfj-6jqr |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, there is an arbitrary file read/write via path traversal in Git hook editing. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | 6.5 | CVE-2026-23633 | https://github.com/gogs/gogs/security/advisories/GHSA-mrph-w4hh-gx3g |
| Kubernetes–ingress-nginx | A security issue was discovered in ingress-nginx where the validating admission controller feature is subject to a denial of service condition. By sending large requests to the validating admission controller, an attacker can cause memory consumption, which may result in the ingress-nginx controller pod being killed or the node running out of memory. | 2026-02-03 | 6.5 | CVE-2026-24514 | https://github.com/kubernetes/kubernetes/issues/136680 |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Cross-Site Request Forgery (CSRF) vulnerability in multiple teacher-restricted endpoints allows attackers to induce authenticated teachers to perform unintended actions, such as modifying assignment grades, via crafted requests. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24666 | https://github.com/gunet/openeclass/security/advisories/GHSA-cgmh-73qg-28fm |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to add content to existing course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24668 | https://github.com/gunet/openeclass/security/advisories/GHSA-22cq-9fr7-fq6v |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a broken access control vulnerability allows authenticated students to create new course units, an action normally restricted to higher-privileged roles. This issue has been patched in version 4.2. | 2026-02-03 | 6.5 | CVE-2026-24670 | https://github.com/gunet/openeclass/security/advisories/GHSA-4jf5-636r-hv9v |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Stored Cross-Site Scripting (XSS) vulnerability allows authenticated high-privileged users (teachers or administrators) to inject malicious JavaScript into multiple user-controllable input fields across the application, which is executed when other users access affected pages. This issue has been patched in version 4.2. | 2026-02-03 | 6.1 | CVE-2026-24671 | https://github.com/gunet/openeclass/security/advisories/GHSA-2×83-4fh2-fcw7 |
| Huawei–HarmonyOS | Out-of-bounds read issue in the media subsystem. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 6.2 | CVE-2026-24915 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei–HarmonyOS | UAF vulnerability in the security module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.5 | CVE-2026-24917 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei–HarmonyOS | Address read vulnerability in the communication module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.8 | CVE-2026-24918 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei–HarmonyOS | Out-of-bounds write vulnerability in the DFX module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6 | CVE-2026-24919 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei–HarmonyOS | Permission control vulnerability in the AMS module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.2 | CVE-2026-24920 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinvision/2026/2/ |
| Huawei–HarmonyOS | Buffer overflow vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 6.9 | CVE-2026-24922 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei–HarmonyOS | Permission control vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.3 | CVE-2026-24923 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei–HarmonyOS | Vulnerability of improper permission control in the print module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 6.1 | CVE-2026-24924 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| openclaw–openclaw | OpenClaw is a personal AI assistant. Prior to version 2026.1.30, the isValidMedia() function in src/media/parse.ts allows arbitrary file paths including absolute paths, home directory paths, and directory traversal sequences. An agent can read any file on the system by outputting MEDIA:/path/to/file, exfiltrating sensitive data to the user/channel. This issue has been patched in version 2026.1.30. | 2026-02-04 | 6.5 | CVE-2026-25475 | https://github.com/openclaw/openclaw/security/advisories/GHSA-r8g4-86fx-92mq |
| espressif–esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a use-after-free vulnerability was reported in the BLE provisioning transport (protocomm_ble) layer. The issue can be triggered by a remote BLE client while the device is in provisioning mode. The vulnerability occurred when provisioning was stopped with keep_ble_on = true. In this configuration, internal protocomm_ble state and GATT metadata were freed while the BLE stack and GATT services remained active. Subsequent BLE read or write callbacks dereferenced freed memory, allowing a connected or newly connected client to trigger invalid memory acces. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25507 | https://github.com/espressif/esp-idf/security/advisories/GHSA-h7r3-gmg9-xjmg https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| espressif–esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, an out-of-bounds read vulnerability was reported in the BLE ATT Prepare Write handling of the BLE provisioning transport (protocomm_ble). The issue can be triggered by a remote BLE client while the device is in provisioning mode. The transport accumulated prepared-write fragments in a fixed-size buffer but incorrectly tracked the cumulative length. By sending repeated prepare write requests with overlapping offsets, a remote client could cause the reported length to exceed the allocated buffer size. This inflated length was then passed to provisioning handlers during execute-write processing, resulting in an out-of-bounds read and potential memory corruption. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25508 | https://github.com/espressif/esp-idf/security/advisories/GHSA-9j5x-rf36-54×9 https://github.com/espressif/esp-idf/commit/0540c85140c2c06c0cbecc8843277ea676d5c4a9 https://github.com/espressif/esp-idf/commit/1ff264abf2504cade46f0ce3a03f821310bcf6d7 https://github.com/espressif/esp-idf/commit/47552ff4fd824caf38215468ebd2f31fb5f36d70 https://github.com/espressif/esp-idf/commit/4c3fdcd316f780bab4ae5aa73c9626ea9fe24ac6 https://github.com/espressif/esp-idf/commit/894c28afe3f2f8f31ff25b64191883517dddb5cf https://github.com/espressif/esp-idf/commit/cde7b7362adc15638c141c249681cbe5d23de663 https://github.com/espressif/esp-idf/commit/dba9a7dc01e4dab14c77d328f6a6f46369aeee63 |
| zauberzeug–nicegui | NiceGUI is a Python-based UI framework. The ui.markdown() component uses the markdown2 library to convert markdown content to HTML, which is then rendered via innerHTML. By default, markdown2 allows raw HTML to pass through unchanged. This means that if an application renders user-controlled content through ui.markdown(), an attacker can inject malicious HTML containing JavaScript event handlers. Unlike other NiceGUI components that render HTML (ui.html(), ui.chat_message(), ui.interactive_image()), the ui.markdown() component does not provide or require a sanitize parameter, leaving applications vulnerable to XSS attacks. This vulnerability is fixed in 3.7.0. | 2026-02-06 | 6.1 | CVE-2026-25516 | https://github.com/zauberzeug/nicegui/security/advisories/GHSA-v82v-c5x8-w282 https://github.com/zauberzeug/nicegui/commit/f1f7533577875af7d23f161ed3627f73584cb561 |
| espressif–esp-idf | ESF-IDF is the Espressif Internet of Things (IOT) Development Framework. In versions 5.5.2, 5.4.3, 5.3.4, 5.2.6, and 5.1.6, a vulnerability exists in the WPS (Wi-Fi Protected Setup) Enrollee implementation where malformed EAP-WSC packets with truncated payloads can cause integer underflow during fragment length calculation. When processing EAP-Expanded (WSC) messages, the code computes frag_len by subtracting header sizes from the total packet length. If an attacker sends a packet where the EAP Length field covers only the header and flags but omits the expected payload (such as the 2-byte Message Length field when WPS_MSG_FLAG_LEN is set), frag_len becomes negative. This negative value is then implicitly cast to size_t when passed to wpabuf_put_data(), resulting in a very large unsigned value. This issue has been patched in versions 5.5.3, 5.4.4, 5.3.5, 5.2.7, and 5.1.7. | 2026-02-04 | 6.3 | CVE-2026-25532 | https://github.com/espressif/esp-idf/security/advisories/GHSA-m2h2-683f-9mw7 https://github.com/espressif/esp-idf/commit/60f992a26de17bb5406f2149a2f8282dd7ad1c59 https://github.com/espressif/esp-idf/commit/6f6766f917bc940ffbcc97eac4765a6ab15d5f79 https://github.com/espressif/esp-idf/commit/73a587d42a57ece1962b6a4c530b574600650f63 https://github.com/espressif/esp-idf/commit/b209fae993d795255827ce6b2b0d6942a377f5d4 https://github.com/espressif/esp-idf/commit/b88befde6b5addcdd8d7373ce55c8052dea1e855 https://github.com/espressif/esp-idf/commit/cad36beb4cde27abcf316cd90d8d8dddbc6f213a https://github.com/espressif/esp-idf/commit/de28801e8ea6a736b6f0db6fc0c682739363bb41 |
| mastodon–mastodon | Mastodon is a free, open-source social network server based on ActivityPub. Prior to versions 4.3.19, 4.4.13, 4.5.6, Mastodon is vulnerable to web cache poisoning via `Rails.cache. When AUTHORIZED_FETCH is enabled, the ActivityPub endpoints for pinned posts and featured hashtags have contents that depend on the account that signed the HTTP request. However, these contents are stored in an internal cache and reused with no regards to the signing actor. As a result, an empty response generated for a blocked user account may be served to requests from legitimate non-blocked actors, or conversely, content intended for non-blocked actors may be returned to blocked actors. This issue has been patched in versions 4.3.19, 4.4.13, 4.5.6. | 2026-02-04 | 6.5 | CVE-2026-25540 | https://github.com/mastodon/mastodon/security/advisories/GHSA-ccpr-m53r-mfwr |
| navidrome–navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, a cross-site scripting vulnerability in the frontend allows a malicious attacker to inject code through the comment metadata of a song to exfiltrate user credentials. This issue has been patched in version 0.60.0. | 2026-02-04 | 6.1 | CVE-2026-25578 | https://github.com/navidrome/navidrome/security/advisories/GHSA-rh3r-8pxm-hg4w https://github.com/navidrome/navidrome/commit/d7ec7355c9036d5be659d6ac555c334bb5848ba6 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| tgies–client-certificate-auth | client-certificate-auth is middleware for Node.js implementing client SSL certificate authentication/authorization. Versions 0.2.1 and 0.3.0 of client-certificate-auth contain an open redirect vulnerability. The middleware unconditionally redirects HTTP requests to HTTPS using the unvalidated Host header, allowing an attacker to redirect users to arbitrary domains. This vulnerability is fixed in 1.0.0. | 2026-02-06 | 6.1 | CVE-2026-25651 | https://github.com/tgies/client-certificate-auth/security/advisories/GHSA-m4w9-gch5-c2g4 https://github.com/tgies/client-certificate-auth/releases/tag/v1.0.0 |
| vim–vim | Vim is an open source, command line text editor. Prior to version 9.1.2132, a heap buffer overflow vulnerability exists in Vim’s tag file resolution logic when processing the ‘helpfile’ option. The vulnerability is located in the get_tagfname() function in src/tag.c. When processing help file tags, Vim copies the user-controlled ‘helpfile’ option value into a fixed-size heap buffer of MAXPATHL + 1 bytes (typically 4097 bytes) using an unsafe STRCPY() operation without any bounds checking. This issue has been patched in version 9.1.2132. | 2026-02-06 | 6.6 | CVE-2026-25749 | https://github.com/vim/vim/security/advisories/GHSA-5w93-4g67-mm43 https://github.com/vim/vim/commit/0714b15940b245108e6e9d7aa2260dd849a26fa9 https://github.com/vim/vim/releases/tag/v9.1.2132 |
| BishopFox–sliver | Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to 1.6.11, a path traversal in the website content subsystem lets an authenticated operator read arbitrary files on the Sliver server host. This is an authenticated path traversal / arbitrary file read issue, and it can expose credentials, configs, and keys. This vulnerability is fixed in 1.6.11. | 2026-02-06 | 6.5 | CVE-2026-25760 | https://github.com/BishopFox/sliver/security/advisories/GHSA-2286-hxv5-cmp2 https://github.com/BishopFox/sliver/commit/818127349ccec812876693c4ca74ebf4350ec6b7 |
| Maian Media–Maian Support Helpdesk | Maian Support Helpdesk 4.3 contains a cross-site request forgery vulnerability that allows attackers to create administrative accounts without authentication. Attackers can craft malicious HTML forms to add admin users and upload PHP files with unrestricted file upload capabilities through the FAQ attachment system. | 2026-02-03 | 5.3 | CVE-2020-37091 | ExploitDB-48386 Vendor Homepage VulnCheck Advisory: Maian Support Helpdesk 4.3 – Cross-Site Request Forgery (Add Admin) |
| EDIMAX Technology Co., Ltd.–EW-7438RPn Mini | Edimax EW-7438RPn 1.13 contains a cross-site request forgery vulnerability in the MAC filtering configuration interface. Attackers can craft malicious web pages to trick users into adding unauthorized MAC addresses to the device’s filtering rules without their consent. | 2026-02-03 | 5.3 | CVE-2020-37096 | ExploitDB-48366 Edimax EW-7438RPn Product Homepage VulnCheck Advisory: Edimax EW-7438RPn – Cross-Site Request Forgery (MAC Filtering) |
| Bdtask–Business Live Chat Software | Business Live Chat Software 1.0 contains a cross-site request forgery vulnerability that allows attackers to change user account roles without authentication. Attackers can craft a malicious HTML form to modify user privileges by submitting a POST request to the user creation endpoint with administrative access parameters. | 2026-02-06 | 5.3 | CVE-2020-37106 | ExploitDB-48141 Business Live Chat Software Vendor Homepage VulnCheck Advisory: Business Live Chat Software 1.0 – Cross-Site Request Forgery (Add Admin) |
| Code::Blocks–Code::Blocks | CODE::BLOCKS 16.01 contains a buffer overflow vulnerability that allows attackers to execute arbitrary code by overwriting Structured Exception Handler with crafted Unicode characters. Attackers can create a malicious M3U playlist file with 536 bytes of buffer and shellcode to trigger remote code execution. | 2026-02-05 | 5.5 | CVE-2020-37121 | ExploitDB-48344 CODE::BLOCKS Product Homepage CODE::BLOCKS SourceForge Repository VulnCheck Advisory: CODE::BLOCKS 16.01 – Buffer Overflow (SEH) UNICODE |
| dnsmasq–dnsmasq-utils | Dnsmasq-utils 2.79-1 contains a buffer overflow vulnerability in the dhcp_release utility that allows attackers to cause a denial of service by supplying excessive input. Attackers can trigger a core dump and terminate the dhcp_release process by sending a crafted input string longer than 16 characters. | 2026-02-05 | 5.5 | CVE-2020-37127 | ExploitDB-48301 Software Link for dnsmasq 2.79-1 VulnCheck Advisory: dnsmasq-utils 2.79-1 – ‘dhcp_release’ Denial of Service |
| FinalWire–Everest | Everest, later referred to as AIDA64, 5.50.2100 contains a denial of service vulnerability that allows local attackers to crash the application by manipulating file open functionality. Attackers can generate a 450-byte buffer of repeated characters and paste it into the file open dialog to trigger an application crash. | 2026-02-05 | 5.5 | CVE-2020-37140 | ExploitDB-48259 Archived Product Page VulnCheck Advisory: Everest 5.50.2100 – ‘Open File’ Denial of Service |
| Exagate–Sysguard 6001 | Exagate SYSGuard 6001 contains a cross-site request forgery vulnerability that allows attackers to create unauthorized admin accounts through a crafted HTML form. Attackers can trick users into submitting a malicious form to /kulyon.php that adds a new user with administrative privileges without the victim’s consent. | 2026-02-05 | 5.3 | CVE-2020-37144 | ExploitDB-48234 Exagate Vendor Homepage Archived Sysguard 6001 Product Page VulnCheck Advisory: Exagate Sysguard 6001 – Cross-Site Request Forgery (Add Admin) |
| IBM–Cloud Pak System | IBM Cloud Pak System displays sensitive information in user messages that could aid in further attacks against the system. | 2026-02-04 | 5.3 | CVE-2023-38010 | https://www.ibm.com/support/pages/node/7254419 |
| IBM–Cloud Pak System | IBM Cloud Pak System is vulnerable to cross-site scripting. This vulnerability allows users to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-04 | 5.3 | CVE-2023-38017 | https://www.ibm.com/support/pages/node/7254419 |
| IBM–Cloud Pak System | IBM Cloud Pak System does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending a http:// link to a user or by planting this link in a site the user goes to. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. | 2026-02-04 | 5.3 | CVE-2023-38281 | https://www.ibm.com/support/pages/node/7254419 |
| IBM–Db2 Big SQL on Cloud Pak for Data | IBM Db2 Big SQL on Cloud Pak for Data versions 7.6 (on CP4D 4.8), 7.7 (on CP4D 5.0), and 7.8 (on CP4D 5.1) do not properly limit the allocation of system resources. An authenticated user with internal knowledge of the environment could exploit this weakness to cause a denial of service. | 2026-02-04 | 5.3 | CVE-2024-39724 | https://www.ibm.com/support/pages/node/7257907 |
| cyberlord92–OAuth Single Sign On SSO (OAuth Client) | The OAuth Single Sign On – SSO (OAuth Client) plugin for WordPress is vulnerable to unauthorized access in all versions up to, and including, 6.26.14. This is due to missing capability checks and authentication verification on the OAuth redirect functionality accessible via the ‘oauthredirect’ option parameter. This makes it possible for unauthenticated attackers to set the global redirect URL option via the redirect_url parameter granted they can access the site directly. | 2026-02-06 | 5.3 | CVE-2025-10753 | https://www.wordfence.com/threat-intel/vulnerabilities/id/915e1a6e-ad9c-4849-8ae0-3ded18720a1f?source=cve https://plugins.trac.wordpress.org/browser/miniorange-login-with-eve-online-google-facebook/tags/6.26.12/class-mooauth-widget.php#L260 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3399223%40miniorange-login-with-eve-online-google-facebook&new=3399223%40miniorange-login-with-eve-online-google-facebook&sfp_email=&sfph_mail= |
| IBM–App Connect Operator | IBM App Connect Enterprise Certified Container up to 12.19.0 (Continuous Delivery) and 12.0 LTS (Long Term Support) could allow an attacker to access sensitive files or modify configurations due to an untrusted search path. | 2026-02-05 | 5.1 | CVE-2025-13491 | https://www.ibm.com/support/pages/node/7259746 |
| elextensions–ELEX WordPress HelpDesk & Customer Ticketing System | The ELEX WordPress HelpDesk & Customer Ticketing System plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 3.3.5. This is due to missing capability checks on the eh_crm_ticket_general function combined with a shared nonce that is exposed to low-privileged users. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify global WSDesk settings via the `eh_crm_ticket_general` AJAX action. | 2026-02-05 | 5.3 | CVE-2025-14079 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6fd3ea16-4706-4573-b905-93dff434968d?source=cve https://plugins.trac.wordpress.org/browser/elex-helpdesk-customer-support-ticket-system/tags/3.3.4/includes/class-crm-ajax-functions-one.php#L15 https://plugins.trac.wordpress.org/changeset/3449609/ |
| unitecms–Unlimited Elements For Elementor | The Unlimited Elements for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the Border Hero widget’s Button Link field in versions up to 2.0.1. This is due to insufficient input sanitization and output escaping on user-supplied URLs. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-03 | 5.4 | CVE-2025-14274 | https://www.wordfence.com/threat-intel/vulnerabilities/id/482c4986-3677-4754-992b-ea9be7573d2e?source=cve https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/framework/functions.class.php#L2859 https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/inc_php/unitecreator_params_processor.class.php#L1518 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3429507%40unlimited-elements-for-elementor%2Ftrunk&old=3403331%40unlimited-elements-for-elementor%2Ftrunk&sfp_email=&sfph_mail=#file15 |
| tpixendit–Xendit Payment | The Xendit Payment plugin for WordPress is vulnerable to unauthorized order status manipulation in all versions up to, and including, 6.0.2. This is due to the plugin exposing a publicly accessible WooCommerce API callback endpoint (`wc_xendit_callback`) that processes payment callbacks without any authentication or cryptographic verification that the requests originate from Xendit’s payment gateway. This makes it possible for unauthenticated attackers to mark any WooCommerce order as paid by sending a crafted POST request to the callback URL with a JSON body containing an `external_id` matching the order ID pattern and a `status` of ‘PAID’ or ‘SETTLED’, granted they can enumerate order IDs (which are sequential integers). This leads to orders being fraudulently marked as completed without any actual payment, resulting in financial loss and inventory depletion. | 2026-02-04 | 5.3 | CVE-2025-14461 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2791bbd5-9101-4484-a352-0e4d2ce04e5d?source=cve https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/trunk/woocommerce-xendit-pg.php#L252 https://plugins.trac.wordpress.org/browser/woo-xendit-virtual-accounts/tags/6.0.2/woocommerce-xendit-pg.php#L252 |
| Tanium–Enforce | Tanium addressed an improper link resolution before file access vulnerability in Enforce. | 2026-02-05 | 5 | CVE-2025-15328 | TAN-2025-007 |
| chapaet–Chapa Payment Gateway Plugin for WooCommerce | The Chapa Payment Gateway Plugin for WooCommerce plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.3 via ‘chapa_proceed’ WooCommerce API endpoint. This makes it possible for unauthenticated attackers to extract sensitive data including the merchant’s Chapa secret API key. | 2026-02-04 | 5.3 | CVE-2025-15482 | https://www.wordfence.com/threat-intel/vulnerabilities/id/190492ec-5982-4dce-9e97-16a518a01a27?source=cve https://plugins.trac.wordpress.org/browser/chapa-payment-gateway-for-woocommerce/tags/1.0.3/includes/class-waf-wc-chapa-gateway.php#L418 |
| magicimport–Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the ajax_sync_usage() function in all versions up to, and including, 1.0.4. This makes it possible for unauthenticated attackers to modify the plugin’s license status and credit balance. | 2026-02-04 | 5.3 | CVE-2025-15507 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6854e470-26ac-4747-b72c-164e79e1a1b1?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L225 |
| magicimport–Magic Import Document Extractor | The Magic Import Document Extractor plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.0.4 via the get_frontend_settings() function. This makes it possible for unauthenticated attackers to extract the site’s magicimport.ai license key from the page source on any page containing the plugin’s shortcode. | 2026-02-04 | 5.3 | CVE-2025-15508 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9ec72ac5-1851-4074-bea4-ccfd684b9c8d?source=cve https://plugins.trac.wordpress.org/browser/magic-import-document-extractor/tags/1.0.4/public/class-public.php#L379 |
| IBM–Engineering Lifecycle Management – Global Configuration Management | IBM Engineering Lifecycle Management – Global Configuration Management 7.0.3 through 7.0.3 Interim Fix 017, and 7.1.0 through 7.1.0 Interim Fix 004 IBM Global Configuration Management is vulnerable to cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session. | 2026-02-03 | 5.4 | CVE-2025-36033 | https://www.ibm.com/support/pages/node/7258063 |
| IBM–Cloud Pak for Business Automation | IBM Cloud Pak for Business Automation 25.0.0 through 25.0.0 Interim Fix 002, 24.0.1 through 24.0.1 Interim Fix 005, and 24.0.0 through 24.0.0 Interim Fix 007 could allow an authenticated user to cause a denial of service or corrupt existing data due to the improper validation of input length. | 2026-02-03 | 5.4 | CVE-2025-36094 | https://www.ibm.com/support/pages/node/7259318 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 uses weaker than expected cryptographic algorithms that could allow an attacker to decrypt highly sensitive information. | 2026-02-02 | 5.9 | CVE-2025-36253 | https://www.ibm.com/support/pages/node/7257565 |
| HCL–AION | Root File System Not Mounted as Read-Only configuration vulnerability. This can allow unintended modifications to critical system files, potentially increasing the risk of system compromise or unauthorized changes. This issue affects AION: 2.0. | 2026-02-03 | 5.5 | CVE-2025-52627 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A–Moodle[.]org | A flaw was found in Moodle. A remote attacker could exploit a reflected Cross-Site Scripting (XSS) vulnerability in the policy tool return URL. This vulnerability arises from insufficient sanitization of URL parameters, allowing attackers to inject malicious scripts through specially crafted links. Successful exploitation could lead to information disclosure or arbitrary client-side script execution within the user’s browser. | 2026-02-03 | 5.4 | CVE-2025-67855 | https://access.redhat.com/security/cve/CVE-2025-67855 RHBZ#2423861 |
| N/A–Moodle[.]org | A flaw was found in Moodle. An authorization logic flaw, specifically due to incomplete role checks during the badge awarding process, allowed badges to be granted without proper verification. This could enable unauthorized users to obtain badges they are not entitled to, potentially leading to privilege escalation or unauthorized access to certain features. | 2026-02-03 | 5.4 | CVE-2025-67856 | https://access.redhat.com/security/cve/CVE-2025-67856 RHBZ#2423864 |
| khoj-ai–khoj | Khoj is a self-hostable artificial intelligence app. Prior to 2.0.0-beta.23, an IDOR in the Notion OAuth callback allows an attacker to hijack any user’s Notion integration by manipulating the state parameter. The callback endpoint accepts any user UUID without verifying the OAuth flow was initiated by that user, allowing attackers to replace victims’ Notion configurations with their own, resulting in data poisoning and unauthorized access to the victim’s Khoj search index. This attack requires knowing the user’s UUID which can be leaked through shared conversations where an AI generated image is present. This vulnerability is fixed in 2.0.0-beta.23. | 2026-02-02 | 5.4 | CVE-2025-69207 | https://github.com/khoj-ai/khoj/security/advisories/GHSA-6whj-7qmg-86qj https://github.com/khoj-ai/khoj/commit/1b7ccd141d47f365edeccc57d7316cb0913d748b https://github.com/khoj-ai/khoj/releases/tag/2.0.0-beta.23 |
| fortispay–Fortis for WooCommerce | The Fortis for WooCommerce plugin for WordPress is vulnerable to authorization bypass due to an inverted nonce check in the ‘check_fortis_notify_response’ function in all versions up to, and including, 1.2.0. This makes it possible for unauthenticated attackers to update arbitrary WooCommerce order statuses to paid/processing/completed, effectively allowing them to mark orders as paid without payment. | 2026-02-04 | 5.3 | CVE-2026-0679 | https://www.wordfence.com/threat-intel/vulnerabilities/id/9f16c098-3e99-4506-b517-ae4b838a0925?source=cve https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/trunk/classes/WC_Gateway_Fortis.php#L1674 https://plugins.trac.wordpress.org/browser/fortis-for-woocommerce/tags/1.2.0/classes/WC_Gateway_Fortis.php#L1674 |
| alimir–WP ULike Engagement Analytics & Interactive Buttons to Understand Your Audience | The WP ULike plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 4.8.3.1. This is due to the `wp_ulike_delete_history_api` AJAX action not verifying that the log entry being deleted belongs to the current user. This makes it possible for authenticated attackers, with Subscriber-level access and above (granted the ‘stats’ capability is assigned to their role), to delete arbitrary log entries belonging to other users via the ‘id’ parameter. | 2026-02-03 | 5.3 | CVE-2026-0909 | https://www.wordfence.com/threat-intel/vulnerabilities/id/bee2e520-46cc-4b54-9849-fafb9b37ba19?source=cve https://plugins.trac.wordpress.org/browser/wp-ulike/trunk/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/browser/wp-ulike/tags/4.8.3.1/admin/admin-ajax.php#L94 https://plugins.trac.wordpress.org/changeset/3451296/wp-ulike/trunk/admin/admin-ajax.php |
| brainstormforce–Spectra Gutenberg Blocks Website Builder for the Block Editor | The Spectra Gutenberg Blocks – Website Builder for the Block Editor plugin for WordPress is vulnerable to Information Disclosure in all versions up to, and including, 2.19.17. This is due to the plugin failing to check `post_password_required()` before rendering post excerpts in the `render_excerpt()` function and the `uagb_get_excerpt()` helper function. This makes it possible for unauthenticated attackers to read excerpts of password-protected posts by simply viewing any page that contains a Spectra Post Grid, Post Masonry, Post Carousel, or Post Timeline block. | 2026-02-03 | 5.3 | CVE-2026-0950 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ccaccf03-4162-4365-9f12-0363a78e91d4?source=cve https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1303 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L1621 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/blocks-config/post/class-uagb-post.php#L2196 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/trunk/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/browser/ultimate-addons-for-gutenberg/tags/2.19.17/classes/class-uagb-helper.php#L1403 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&new=3443216%40ultimate-addons-for-gutenberg%2Ftrunk&old=3410395%40ultimate-addons-for-gutenberg%2Ftrunk&sfp_email=&sfph_mail= |
| metagauss–ProfileGrid User Profiles, Groups and Communities | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 5.9.7.2 via the ‘pm_upload_image’ and ‘pm_upload_cover_image’ AJAX actions. This is due to the update_user_meta() function being called outside of the user authorization check in public/partials/crop.php and public/partials/coverimg_crop.php. This makes it possible for authenticated attackers, with Subscriber-level access and above, to change any user’s profile picture or cover image, including administrators. | 2026-02-05 | 5.3 | CVE-2026-1271 | https://www.wordfence.com/threat-intel/vulnerabilities/id/712535ce-8c38-4944-aa0a-36d9bacaeb67?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/crop.php#L73 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.7/public/partials/coverimg_crop.php#L60 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| themeum–Tutor LMS eLearning and online course solution | The Tutor LMS – eLearning and online course solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 3.9.5. This is due to missing authorization checks in the `ajax_coupon_details()` function, which only validates nonces but does not verify user capabilities. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve sensitive coupon information including coupon codes, discount amounts, usage statistics, and course/bundle applications. | 2026-02-03 | 5.3 | CVE-2026-1371 | https://www.wordfence.com/threat-intel/vulnerabilities/id/7f5c5f64-a864-4ce1-9080-19f7c4418307?source=cve https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L106 https://plugins.trac.wordpress.org/browser/tutor/tags/3.9.5/ecommerce/CouponController.php#L658 https://plugins.trac.wordpress.org/changeset/3448615/tutor/trunk/ecommerce/CouponController.php?contextall=1&old=3422766&old_path=%2Ftutor%2Ftrunk%2Fecommerce%2FCouponController.php |
| getwpfunnels–Mail Mint Newsletters, Email Marketing, Automation, WooCommerce Emails, Post Notification, and more | The Mail Mint plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.19.2. This is due to missing nonce validation on the create_or_update_note function. This makes it possible for unauthenticated attackers to create or update contact notes via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. Due to missing sanitization and escaping this can lead to stored Cross-Site Scripting. | 2026-02-03 | 5.4 | CVE-2026-1447 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e67ae204-2848-4389-a78d-7b3798e4ee54?source=cve https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Routes/Admin/Contact/ContactProfileRoute.php#L105 https://plugins.trac.wordpress.org/browser/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/browser/mail-mint/tags/1.19.2/app/API/Actions/Admin/Contact/ContactProfileAction.php#L85 https://plugins.trac.wordpress.org/changeset/3449536/mail-mint/trunk/app/API/Actions/Admin/Contact/ContactProfileAction.php?old=3032077&old_path=mail-mint%2Ftrunk%2Fapp%2FAPI%2FActions%2FAdmin%2FContact%2FContactProfileAction.php |
| F5–NGINX Open Source | A vulnerability exists in NGINX OSS and NGINX Plus when configured to proxy to upstream Transport Layer Security (TLS) servers. An attacker with a man-in-the-middle (MITM) position on the upstream server side-along with conditions beyond the attacker’s control-may be able to inject plain text data into the response from an upstream proxied server. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-1642 | https://my.f5.com/manage/s/article/K000159824 |
| brstefanovic–Advanced Country Blocker | The Advanced Country Blocker plugin for WordPress is vulnerable to Authorization Bypass in all versions up to, and including, 2.3.1 due to the use of a predictable default value for the secret bypass key created during installation without requiring users to change it. This makes it possible for unauthenticated attackers to bypass the geolocation blocking mechanism by appending the key to any URL on sites where the administrator has not changed the default value. | 2026-02-07 | 5.3 | CVE-2026-1675 | https://www.wordfence.com/threat-intel/vulnerabilities/id/30747988-83f9-41f9-9bc5-1f533bc4cb94?source=cve https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L278 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L336 https://plugins.trac.wordpress.org/browser/advanced-country-blocker/tags/2.3.1/advanced-country-blocking.php#L420 |
| n/a–Open5GS | A security vulnerability has been detected in Open5GS up to 2.7.6. Impacted is the function sgwc_s11_handle_create_indirect_data_forwarding_tunnel_request of the file /src/sgwc/s11-handler.c of the component SGWC. Such manipulation leads to reachable assertion. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. A patch should be applied to remediate this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1736 | VDB-343635 | Open5GS SGWC s11-handler.c assertion VDB-343635 | CTI Indicators (IOB, IOC, IOA) Submit #741191 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4270 https://github.com/open5gs/open5gs/issues/4270#event-21968624624 https://github.com/open5gs/open5gs/issues/4270#issue-3795141303 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was detected in Open5GS up to 2.7.6. The affected element is the function sgwc_s5c_handle_create_bearer_request of the file /src/sgwc/s5c-handler.c of the component CreateBearerRequest Handler. Performing a manipulation results in reachable assertion. Remote exploitation of the attack is possible. The exploit is now public and may be used. To fix this issue, it is recommended to deploy a patch. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1737 | VDB-343636 | Open5GS CreateBearerRequest s5c-handler.c sgwc_s5c_handle_create_bearer_request assertion VDB-343636 | CTI Indicators (IOB, IOC, IOA) Submit #741192 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4271 https://github.com/open5gs/open5gs/issues/4271#event-21968630023 https://github.com/open5gs/open5gs/issues/4271#issue-3795147720 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A flaw has been found in Open5GS up to 2.7.6. The impacted element is the function sgwc_tunnel_add of the file /src/sgwc/context.c of the component SGWC. Executing a manipulation of the argument pdr can lead to reachable assertion. The attack can be executed remotely. The exploit has been published and may be used. It is advisable to implement a patch to correct this issue. The issue report is flagged as already-fixed. | 2026-02-02 | 5.3 | CVE-2026-1738 | VDB-343637 | Open5GS SGWC context.c sgwc_tunnel_add assertion VDB-343637 | CTI Indicators (IOB, IOC, IOA) Submit #741193 | Open5gs SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4261 https://github.com/open5gs/open5gs/issues/4261#event-21968563677 https://github.com/open5gs/open5gs/issues/4261#issue-3787803578 https://github.com/open5gs/open5gs/ |
| Free5GC–pcf | A vulnerability has been found in Free5GC pcf up to 1.4.1. This affects the function HandleCreateSmPolicyRequest of the file internal/sbi/processor/smpolicy.go. The manipulation leads to null pointer dereference. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The identifier of the patch is df535f5524314620715e842baf9723efbeb481a7. Applying a patch is the recommended action to fix this issue. | 2026-02-02 | 5.3 | CVE-2026-1739 | VDB-343638 | Free5GC pcf smpolicy.go HandleCreateSmPolicyRequest null pointer dereference VDB-343638 | CTI Indicators (IOB, IOC, IOA) Submit #741194 | free5gc PCF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/803 https://github.com/free5gc/pcf/pull/62 https://github.com/free5gc/free5gc/issues/803#issue-3815770007 https://github.com/free5gc/pcf/commit/df535f5524314620715e842baf9723efbeb481a7 https://github.com/free5gc/pcf/ |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in SoupServer. This HTTP request smuggling vulnerability occurs because SoupServer improperly handles requests that combine Transfer-Encoding: chunked and Connection: keep-alive headers. A remote, unauthenticated client can exploit this by sending specially crafted requests, causing SoupServer to fail to close the connection as required by RFC 9112. This allows the attacker to smuggle additional requests over the persistent connection, leading to unintended request processing and potential denial-of-service (DoS) conditions. | 2026-02-02 | 5.3 | CVE-2026-1760 | https://access.redhat.com/security/cve/CVE-2026-1760 RHBZ#2435951 |
| Xerox–CentreWare | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Xerox CentreWare on Windows allows Stored XSS. This issue affects CentreWare: through 7.0.6. Consider upgrading Xerox® CentreWare Web® to v7.2.2.25 via the software available on Xerox.com | 2026-02-06 | 5.3 | CVE-2026-1769 | https://securitydocs.business.xerox.com/wp-content/uploads/2026/02/Xerox-Security-Bulletin-XRX26-003-for-Xerox-CentreWare-Web.pdf |
| AWS–SageMaker Python SDK | Amazon SageMaker Python SDK before v3.1.1 or v2.256.0 disables TLS certificate verification for HTTPS connections made by the service when a Triton Python model is imported, incorrectly allowing for requests with invalid and self-signed certificates to succeed. | 2026-02-02 | 5.9 | CVE-2026-1778 | https://aws.amazon.com/security/security-bulletins/2026-004-AWS/ https://github.com/aws/sagemaker-python-sdk/security/advisories/GHSA-62rc-f4v9-h543 https://github.com/aws/sagemaker-python-sdk/releases/tag/v3.1.1 https://github.com/aws/sagemaker-python-sdk/releases/tag/v2.256.0 |
| Red Hat–Red Hat Enterprise Linux 10 | A flaw was found in libsoup, an HTTP client/server library. This HTTP Request Smuggling vulnerability arises from non-RFC-compliant parsing in the soup_filter_input_stream_read_line() logic, where libsoup accepts malformed chunk headers, such as lone line feed (LF) characters instead of the required carriage return and line feed (CRLF). A remote attacker can exploit this without authentication or user interaction by sending specially crafted chunked requests. This allows libsoup to parse and process multiple HTTP requests from a single network message, potentially leading to information disclosure. | 2026-02-03 | 5.3 | CVE-2026-1801 | https://access.redhat.com/security/cve/CVE-2026-1801 RHBZ#2436315 |
| n/a–WeKan | A security vulnerability has been detected in WeKan up to 8.20. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. The attack may be launched remotely. A high complexity level is associated with this attack. The exploitability is reported as difficult. Upgrading to version 8.21 mitigates this issue. The name of the patch is cabfeed9a68e21c469bf206d8655941444b9912c. It is suggested to upgrade the affected component. | 2026-02-04 | 5 | CVE-2026-1892 | VDB-344265 | WeKan REST API boards.js setBoardOrgs improper authorization VDB-344265 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742662 | Wekan <8.21 IDOR via REST API / improper object relationship validation https://github.com/wekan/wekan/commit/cabfeed9a68e21c469bf206d8655941444b9912c https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| Edimax–BR-6208AC | A vulnerability was found in Edimax BR-6208AC 2_1.02. The affected element is the function auth_check_userpass2. Performing a manipulation of the argument Username/Password results in use of default credentials. The attack may be initiated remotely. The exploit has been made public and could be used. The vendor confirms that the affected product is end-of-life. They confirm that they “will issue a consolidated Security Advisory on our official support website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-1972 | VDB-344494 | Edimax BR-6208AC auth_check_userpass2 default credentials VDB-344494 | CTI Indicators (IOB, IOC, IOA) Submit #744032 | Edimax BR-6208AC V2_1.02 Weak Authentication https://tzh00203.notion.site/EDIMAX-BR-6208AC-V2_1-02-Weak-Password-Authentication-Vulnerability-in-auth_check_userpass2-Functi-2f0b5c52018a801c9645dd5261717901?source=copy_link |
| n/a–Free5GC | A vulnerability was determined in Free5GC up to 4.1.0. The impacted element is the function establishPfcpSession of the component SMF. Executing a manipulation can lead to null pointer dereference. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. It is best practice to apply a patch to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1973 | VDB-344495 | Free5GC SMF establishPfcpSession null pointer dereference VDB-344495 | CTI Indicators (IOB, IOC, IOA) Submit #743236 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/815 https://github.com/free5gc/free5gc/issues/815#issue-3832032062 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a–Free5GC | A vulnerability was identified in Free5GC up to 4.1.0. This affects the function ResolveNodeIdToIp of the file internal/sbi/processor/datapath.go of the component SMF. The manipulation leads to denial of service. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-1974 | VDB-344496 | Free5GC SMF datapath.go ResolveNodeIdToIp denial of service VDB-344496 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743237 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/816 https://github.com/free5gc/free5gc/issues/816#issue-3832055233 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a–Free5GC | A security flaw has been discovered in Free5GC up to 4.1.0. This impacts the function identityTriggerType of the file pfcp_reports.go. The manipulation results in null pointer dereference. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks. Applying a patch is advised to resolve this issue. | 2026-02-06 | 5.3 | CVE-2026-1975 | VDB-344497 | Free5GC pfcp_reports.go identityTriggerType null pointer dereference VDB-344497 | CTI Indicators (IOB, IOC, IOA) Submit #743238 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/814 https://github.com/free5gc/free5gc/issues/814#issue-3831993593 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| n/a–Free5GC | A weakness has been identified in Free5GC up to 4.1.0. Affected is the function SessionDeletionResponse of the component SMF. This manipulation causes null pointer dereference. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. It is suggested to install a patch to address this issue. | 2026-02-06 | 5.3 | CVE-2026-1976 | VDB-344498 | Free5GC SMF SessionDeletionResponse null pointer dereference VDB-344498 | CTI Indicators (IOB, IOC, IOA) Submit #743239 | free5gc SMF v4.1.0 Denial of Service https://github.com/free5gc/free5gc/issues/817 https://github.com/free5gc/free5gc/issues/817#issue-3832188092 https://github.com/free5gc/smf/pull/189 https://github.com/free5gc/free5gc/ |
| kalyan02–NanoCMS | A vulnerability was detected in kalyan02 NanoCMS up to 0.4. Affected by this issue is some unknown functionality of the file /data/pagesdata.txt of the component User Information Handler. Performing a manipulation results in direct request. It is possible to initiate the attack remotely. The exploit is now public and may be used. You should change the configuration settings. | 2026-02-06 | 5.3 | CVE-2026-1978 | VDB-344500 | kalyan02 NanoCMS User Information pagesdata.txt direct request VDB-344500 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743260 | SourceCodester NanoCMS V0.4 Sensitive document leak https://github.com/kalyan02/NanoCMS/blob/master/data/pagesdata.txt https://github.com/kalyan02/NanoCMS/ |
| n/a–mruby | A flaw has been found in mruby up to 3.4.0. This affects the function mrb_vm_exec of the file src/vm.c of the component JMPNOT-to-JMPIF Optimization. Executing a manipulation can lead to use after free. The attack needs to be launched locally. The exploit has been published and may be used. This patch is called e50f15c1c6e131fa7934355eb02b8173b13df415. It is advisable to implement a patch to correct this issue. | 2026-02-06 | 5.3 | CVE-2026-1979 | VDB-344501 | mruby JMPNOT-to-JMPIF Optimization vm.c mrb_vm_exec use after free VDB-344501 | CTI Indicators (IOB, IOC, IOA) Submit #743377 | mruby cda2567 Use After Free https://github.com/mruby/mruby/issues/6701 https://github.com/mruby/mruby/issues/6701#issue-3802609843 https://github.com/sysfce2/mruby/commit/e50f15c1c6e131fa7934355eb02b8173b13df415 https://github.com/mruby/mruby/ |
| happyfish100–libfastcommon | A security vulnerability has been detected in happyfish100 libfastcommon up to 1.0.84. Affected by this vulnerability is the function base64_decode of the file src/base64.c. The manipulation leads to stack-based buffer overflow. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The identifier of the patch is 82f66af3e252e3e137dba0c3891570f085e79adf. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2016 | VDB-344598 | happyfish100 libfastcommon base64.c base64_decode stack-based overflow VDB-344598 | CTI Indicators (IOB, IOC, IOA) Submit #743873 | happyfish100 libfastcommon V1.0.84 and earlier Heap-based Buffer Overflow https://github.com/happyfish100/libfastcommon/issues/55 https://github.com/happyfish100/libfastcommon/issues/55#issuecomment-3776757848 https://github.com/happyfish100/libfastcommon/issues/55#issue-3836362577 https://github.com/happyfish100/libfastcommon/commit/82f66af3e252e3e137dba0c3891570f085e79adf https://github.com/happyfish100/libfastcommon/ |
| D-Link–DIR-605L | A security flaw has been discovered in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. Impacted is an unknown function of the component Wifi Setting Handler. Performing a manipulation results in information disclosure. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2054 | VDB-344614 | D-Link DIR-605L/DIR-619L Wifi Setting information disclosure VDB-344614 | CTI Indicators (IOB, IOC, TTP) Submit #744224 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_81/81.md#poc–result https://www.dlink.com/ |
| D-Link–DIR-605L | A weakness has been identified in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The affected element is an unknown function of the component DHCP Client Information Handler. Executing a manipulation can lead to information disclosure. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2055 | VDB-344615 | D-Link DIR-605L/DIR-619L DHCP Client Information information disclosure VDB-344615 | CTI Indicators (IOB, IOC, TTP) Submit #744225 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc–result https://www.dlink.com/ |
| D-Link–DIR-605L | A security vulnerability has been detected in D-Link DIR-605L and DIR-619L 2.06B01/2.13B01. The impacted element is an unknown function of the file /wan_connection_status.asp of the component DHCP Connection Status Handler. The manipulation leads to information disclosure. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 5.3 | CVE-2026-2056 | VDB-344616 | D-Link DIR-605L/DIR-619L DHCP Connection Status wan_connection_status.asp information disclosure VDB-344616 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744226 | D-Link DIR619L、DIR605L 2.06B01、2.13B01 Improper Access Controls https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_83/83.md https://github.com/wudipjq/my_vuln/blob/main/D-Link7/vuln_82/82.md#poc–result https://www.dlink.com/ |
| n/a–Open5GS | A vulnerability was identified in Open5GS up to 2.7.6. This affects the function sgwc_s5c_handle_modify_bearer_response/sgwc_sxa_handle_session_modification_response of the component PGW S5U Address Handler. The manipulation leads to null pointer dereference. The attack can be initiated remotely. The exploit is publicly available and might be used. The identifier of the patch is f1bbd7b57f831e2a070780a7d8d5d4c73babdb59. Applying a patch is the recommended action to fix this issue. | 2026-02-06 | 5.3 | CVE-2026-2062 | VDB-344622 | Open5GS PGW S5U Address sgwc_sxa_handle_session_modification_response null pointer dereference VDB-344622 | CTI Indicators (IOB, IOC, IOA) Submit #744719 | Open5GS SGWC v2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4257 https://github.com/open5gs/open5gs/issues/4257#issue-3787701521 https://github.com/open5gs/open5gs/commit/f1bbd7b57f831e2a070780a7d8d5d4c73babdb59 https://github.com/open5gs/open5gs/ |
| jsbroks–COCO Annotator | A vulnerability was determined in jsbroks COCO Annotator up to 0.11.1. This impacts an unknown function of the file /api/info/long_task of the component Endpoint. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.3 | CVE-2026-2108 | VDB-344684 | jsbroks COCO Annotator Endpoint long_task denial of service VDB-344684 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745547 | coco-annotator 0.11.1 Denial of Service https://github.com/nmmorette/vulnerability-research/blob/main/coco-anotator/Unauthenticated%20Task%20Queue%20Flood%20in%20COCO%20Annotator%202f1ef09b873680f99d39e3f7db9886fa.md |
| jsbroks–COCO Annotator | A vulnerability was identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file /api/undo/ of the component Delete Category Handler. Such manipulation of the argument ID leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 5.4 | CVE-2026-2109 | VDB-344685 | jsbroks COCO Annotator Delete Category undo improper authorization VDB-344685 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745579 | coco-annotator v0.11.1 Broken Function Level Authorization https://github.com/nmmorette/vulnerability-research/blob/main/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo/BFLA%20COCO%20Annotator%20in%20DELETE%20api%20undo%202f1ef09b8736807aa1f7ede4b64fa35d.md |
| Tenda–AC21 | A weakness has been identified in Tenda AC21 16.03.08.16. This impacts an unknown function of the file /cgi-bin/DownloadLog of the component Web Management Interface. Executing a manipulation can lead to information disclosure. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 5.3 | CVE-2026-2147 | VDB-344849 | Tenda AC21 Web Management DownloadLog information disclosure VDB-344849 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747429 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/30 https://www.tenda.com.cn/ |
| Tenda–AC21 | A security vulnerability has been detected in Tenda AC21 16.03.08.16. Affected is an unknown function of the file /cgi-bin/DownloadFlash of the component Web Management Interface. The manipulation leads to information disclosure. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 5.3 | CVE-2026-2148 | VDB-344850 | Tenda AC21 Web Management DownloadFlash information disclosure VDB-344850 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747557 | Tenda AC21 V16.03.08.16 Missing Critical Step in Authentication https://github.com/master-abc/cve/issues/27 https://www.tenda.com.cn/ |
| n/a–WeKan | A weakness has been identified in WeKan up to 8.20. This issue affects some unknown processing of the file server/publications/activities.js of the component Activity Publication Handler. Executing a manipulation can lead to information disclosure. It is possible to launch the attack remotely. Upgrading to version 8.21 is capable of addressing this issue. This patch is called 91a936e07d2976d4246dfe834281c3aaa87f9503. You should upgrade the affected component. | 2026-02-08 | 5.3 | CVE-2026-2207 | VDB-344921 | WeKan Activity Publication activities.js LinkedBoardActivitiesBleed information disclosure VDB-344921 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752163 | Wekan <8.21 Information disclosure via insufficient authorization filtering https://github.com/wekan/wekan/commit/91a936e07d2976d4246dfe834281c3aaa87f9503 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| F5–BIG-IP | When a BIG-IP Advanced WAF or ASM security policy is configured on a virtual server, undisclosed requests along with conditions beyond the attacker’s control can cause the bd process to terminate. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 5.9 | CVE-2026-22548 | https://my.f5.com/manage/s/article/K000158072 |
| NeoRazorX–facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to 2025.8, there a reflected XSS bug in FacturaScripts. The problem is in how error messages get displayed. Twig’s | raw filter is used, which skips HTML escaping. When triggering a database error (like passing a string where an integer is expected), the error message includes the input and gets rendered without sanitization. This vulnerability is fixed in 2025.8. | 2026-02-02 | 5.4 | CVE-2026-23476 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-g6w2-q45f-xrp4 https://github.com/NeoRazorX/facturascripts/commit/2afd98cecd26c5f8357e0e321d86063ad1012fc3 https://github.com/NeoRazorX/facturascripts/releases/tag/v2025.8 |
| CollaboraOnline–online | Collabora Online is a collaborative online office suite based on LibreOffice technology. Prior to Collabora Online Development Edition version 25.04.08.2 and prior to Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5, a user with view-only rights and no download privileges can obtain a local copy of a shared file. Although there are no corresponding buttons in the interface, pressing Ctrl+Shift+S initiates the file download process. This allows the user to bypass the access restrictions and leads to unauthorized data retrieval. This issue has been patched in Collabora Online Development Edition version 25.04.08.2 and Collabora Online versions 23.05.20.1, 24.04.17.3, and 25.04.7.5. | 2026-02-05 | 5.3 | CVE-2026-23623 | https://github.com/CollaboraOnline/online/security/advisories/GHSA-68v6-r6qq-mmq2 |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a username enumeration vulnerability allows unauthenticated attackers to identify valid user accounts by analyzing differences in the login response behavior. This issue has been patched in version 4.2. | 2026-02-03 | 5.3 | CVE-2026-24664 | https://github.com/gunet/openeclass/security/advisories/GHSA-c3wq-m629-5h2j |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, failure to invalidate active user sessions after a password change allows existing session tokens to remain valid, potentially enabling unauthorized continued access to user accounts. This issue has been patched in version 4.2. | 2026-02-03 | 5 | CVE-2026-24667 | https://github.com/gunet/openeclass/security/advisories/GHSA-5h73-53mh-m224 |
| Huawei–HarmonyOS | Identity authentication bypass vulnerability in the window module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24916 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei–HarmonyOS | Out-of-bounds access vulnerability in the frequency modulation module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.5 | CVE-2026-24927 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei–HarmonyOS | Out-of-bounds write vulnerability in the file system module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.8 | CVE-2026-24928 | https://consumer.huawei.com/en/support/bulletin/2026/2/ |
| Huawei–HarmonyOS | Out-of-bounds read vulnerability in the graphics module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 5.9 | CVE-2026-24929 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| Huawei–HarmonyOS | Vulnerability of improper criterion security check in the card module. Impact: Successful exploitation of this vulnerability may affect service confidentiality. | 2026-02-06 | 5.9 | CVE-2026-24931 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ |
| chainguard-dev–apko | apko allows users to build and publish OCI container images built from apk packages. From version 0.14.8 to before 1.1.0, expandapk.Split drains the first gzip stream of an APK archive via io.Copy(io.Discard, gzi) without explicit bounds. With an attacker-controlled input stream, this can force large gzip inflation work and lead to resource exhaustion (availability impact). The Split function reads the first tar header, then drains the remainder of the gzip stream by reading from the gzip reader directly without any maximum uncompressed byte limit or inflate-ratio cap. A caller that parses attacker-controlled APK streams may be forced to spend excessive CPU time inflating gzip data, leading to timeouts or process slowdown. This issue has been patched in version 1.1.0. | 2026-02-04 | 5.5 | CVE-2026-25122 | https://github.com/chainguard-dev/apko/security/advisories/GHSA-6p9p-q6wh-9j89 https://github.com/chainguard-dev/apko/commit/2be3903fe194ad46351840f0569b35f5ac965f09 |
| homarr-labs–homarr | Homarr is an open-source dashboard. Prior to 1.52.0, a public (unauthenticated) tRPC endpoint widget.app.ping accepts an arbitrary url and performs a server-side request to that URL. This allows an unauthenticated attacker to trigger outbound HTTP requests from the Homarr server, enabling SSRF behavior and a reliable port-scanning primitive (open vs closed ports can be inferred from statusCode vs fetch failed and timing). This vulnerability is fixed in 1.52.0. | 2026-02-06 | 5.3 | CVE-2026-25123 | https://github.com/homarr-labs/homarr/security/advisories/GHSA-c6rh-8wj4-gv74 |
| Talishar–Talishar | Talishar is a fan-made Flesh and Blood project. A Stored XSS exists in the chat in-game system. The playerID parameter in SubmitChat.php and is saved without sanitization and executed whenever a user view the current page game. This vulnerability is fixed by 09dd00e5452e3cd998eb1406a88e5b0fa868e6b4. | 2026-02-02 | 5.3 | CVE-2026-25144 | https://github.com/Talishar/Talishar/security/advisories/GHSA-rrr4-h2pc-57g6 https://github.com/Talishar/Talishar/commit/09dd00e5452e3cd998eb1406a88e5b0fa868e6b4 |
| chainguard-dev–melange | melange allows users to build apk packages using declarative pipelines. From version 0.14.0 to before 0.40.3, an attacker who can influence a melange configuration file (e.g., through pull request-driven CI or build-as-a-service scenarios) could read arbitrary files from the host system. The LicensingInfos function in pkg/config/config.go reads license files specified in copyright[].license-path without validating that paths remain within the workspace directory, allowing path traversal via ../ sequences. The contents of the traversed file are embedded into the generated SBOM as license text, enabling exfiltration of sensitive data through build artifacts. This issue has been patched in version 0.40.3. | 2026-02-04 | 5.5 | CVE-2026-25145 | https://github.com/chainguard-dev/melange/security/advisories/GHSA-2w4f-9fgg-q2v9 https://github.com/chainguard-dev/melange/commit/2f95c9f4355ed993f2670bf1bb82d88b0f65e9e4 |
| QwikDev–qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, Qwik City’s server-side request handler inconsistently interprets HTTP request headers, which can be abused by a remote attacker to circumvent form submission CSRF protections using specially crafted or multi-valued Content-Type headers. This issue has been patched in version 1.19.0. | 2026-02-03 | 5.9 | CVE-2026-25151 | https://github.com/QwikDev/qwik/security/advisories/GHSA-r666-8gjf-4v5f https://github.com/QwikDev/qwik/commit/eebf610e04cc3a690f11e10191d09ff0fca1c7ed |
| QwikDev–qwik | Qwik is a performance focused javascript framework. Prior to version 1.12.0, a typo in the regular expression within isContentType causes incorrect parsing of certain Content-Type headers. This issue has been patched in version 1.12.0. | 2026-02-03 | 5.9 | CVE-2026-25155 | https://github.com/QwikDev/qwik/security/advisories/GHSA-vm6g-8r4h-22×8 https://github.com/QwikDev/qwik/commit/d70d7099b90b998f1aac7cedc21c67d87bac4c75 |
| SignalK–signalk-server | Signal K Server is a server application that runs on a central hub in a boat. Prior to 2.20.3, a path traversal vulnerability in SignalK Server’s applicationData API allows authenticated users on Windows systems to read, write, and list arbitrary files and directories on the filesystem. The validateAppId() function blocks forward slashes (/) but not backslashes (), which are treated as directory separators by path.join() on Windows. This enables attackers to escape the intended applicationData directory. This vulnerability is fixed in 2.20.3. | 2026-02-02 | 5 | CVE-2026-25228 | https://github.com/SignalK/signalk-server/security/advisories/GHSA-vrhw-v2hw-jffx https://github.com/SignalK/signalk-server/commit/9bcf61c8fe2cb8a40998b913a02fb64dff9e86c7 |
| ci4-cms-erp–ci4ms | CI4MS is a CodeIgniter 4-based CMS skeleton that delivers a production-ready, modular architecture with RBAC authorization and theme support. Prior to version 0.28.5.0, the authentication implementation in CI4MS is vulnerable to email enumeration. An unauthenticated attacker can determine whether an email address is registered in the system by analyzing the application’s response during the password reset process. This issue has been patched in version 0.28.5.0. | 2026-02-03 | 5.3 | CVE-2026-25509 | https://github.com/ci4-cms-erp/ci4ms/security/advisories/GHSA-654x-9q7r-g966 https://github.com/ci4-cms-erp/ci4ms/commit/86be2930d1c54eb7575102563302b2f3bafcb653 |
| cert-manager–cert-manager | cert-manager adds certificates and certificate issuers as resource types in Kubernetes clusters, and simplifies the process of obtaining, renewing and using those certificates. In versions from 1.18.0 to before 1.18.5 and from 1.19.0 to before 1.19.3, the cert-manager-controller performs DNS lookups during ACME DNS-01 processing (for zone discovery and propagation self-checks). By default, these lookups use standard unencrypted DNS. An attacker who can intercept and modify DNS traffic from the cert-manager-controller pod can insert a crafted entry into cert-manager’s DNS cache. Accessing this entry will trigger a panic, resulting in denial‑of‑service (DoS) of the cert-manager controller. The issue can also be exploited if the authoritative DNS server for the domain being validated is controlled by a malicious actor. This issue has been patched in versions 1.18.5 and 1.19.3. | 2026-02-04 | 5.9 | CVE-2026-25518 | https://github.com/cert-manager/cert-manager/security/advisories/GHSA-gx3x-vq4p-mhhv https://github.com/cert-manager/cert-manager/pull/8467 https://github.com/cert-manager/cert-manager/pull/8468 https://github.com/cert-manager/cert-manager/pull/8469 https://github.com/cert-manager/cert-manager/commit/409fc24e539711a07aae45ed45abbe03dfdad2cc https://github.com/cert-manager/cert-manager/commit/9a73a0b3853035827edd37ac463e4803ba10327d https://github.com/cert-manager/cert-manager/commit/d4faed26ae12115cceb807cdc12507ebc28980e2 |
| OpenMage–magento-lts | Magento-lts is a long-term support alternative to Magento Community Edition (CE). Prior to version 20.16.1, the admin url can be discovered without prior knowledge of it’s location by exploiting the X-Original-Url header on some configurations. This issue has been patched in version 20.16.1. | 2026-02-04 | 5.3 | CVE-2026-25523 | https://github.com/OpenMage/magento-lts/security/advisories/GHSA-jg68-vhv3-9r8f https://hackerone.com/bugs?subject=openmage&report_id=3416312 |
| payloadcms–payload | Payload is a free and open source headless content management system. Prior to 3.74.0, a cross-collection Insecure Direct Object Reference (IDOR) vulnerability exists in the payload-preferences internal collection. In multi-auth collection environments using Postgres or SQLite with default serial/auto-increment IDs, authenticated users from one auth collection can read and delete preferences belonging to users in different auth collections when their numeric IDs collide. This vulnerability has been patched in v3.74.0. | 2026-02-06 | 5.4 | CVE-2026-25574 | https://github.com/payloadcms/payload/security/advisories/GHSA-jq29-r496-r955 |
| samclarke–SCEditor | SCEditor is a lightweight WYSIWYG BBCode and XHTML editor. Prior to 3.2.1, if an attacker has the ability control configuration options passed to sceditor.create(), like emoticons, charset, etc. then it’s possible for them to trigger an XSS attack due to lack of sanitisation of configuration options. This vulnerability is fixed in 3.2.1. | 2026-02-06 | 5.4 | CVE-2026-25581 | https://github.com/samclarke/SCEditor/security/advisories/GHSA-25fq-6qgg-qpj8 https://github.com/samclarke/SCEditor/commit/5733aed4f0e257cb78e1ba191715fc458cbd473d |
| PrestaShop–PrestaShop | PrestaShop is an open source e-commerce web application. Prior to 8.2.4 and 9.0.3, there is a time-based user enumeration vulnerability in the user authentication functionality of PrestaShop. This vulnerability allows an attacker to determine whether a customer account exists in the system by measuring response times. This vulnerability is fixed in 8.2.4 and 9.0.3. | 2026-02-06 | 5.3 | CVE-2026-25597 | https://github.com/PrestaShop/PrestaShop/security/advisories/GHSA-67v7-3g49-mxh2 https://github.com/PrestaShop/PrestaShop/releases/tag/8.2.4 https://github.com/PrestaShop/PrestaShop/releases/tag/9.0.3 |
| Wing FTP Server–Wing FTP Server | Wing FTP Server versions prior to 6.2.7 contain a cross-site request forgery (CSRF) vulnerability in the web administration interface that allows attackers to delete admin users. Attackers can craft a malicious HTML page with a hidden form to submit a request that deletes the administrative user account without proper authorization. | 2026-02-06 | 4.3 | CVE-2020-37079 | ExploitDB-48200 Wing FTP Server Official Homepage Wing FTP Server Version History VulnCheck Advisory: Wing FTP Server < 6.2.7 – Cross-site Request Forgery |
| Openeclass–GUnet OpenEclass | GUnet OpenEclass 1.7.3 allows unauthenticated and authenticated users to access sensitive information, including system information, application version, and other students’ uploaded assessments, due to improper access controls and information disclosure flaws in various modules. Attackers can retrieve system info, version info, and view or download other users’ files without proper authorization. | 2026-02-03 | 4.3 | CVE-2020-37114 | ExploitDB-48163 Official Vendor Homepage Changelog VulnCheck Advisory: GUnet OpenEclass 1.7.3 E-learning platform – Information Disclosure |
| HRSALE–HRSALE | HRSALE 1.1.8 contains a cross-site request forgery vulnerability that allows attackers to add unauthorized administrative users through the employee registration form. Attackers can craft a malicious HTML page with hidden form fields to trick authenticated administrators into creating new user accounts with elevated privileges. | 2026-02-05 | 4.3 | CVE-2020-37145 | ExploitDB-48205 Archived Product Webpage VulnCheck Advisory: HRSALE 1.1.8 – Cross-Site Request Forgery (Add Admin) |
| IBM–Operations Analytics – Log Analysis | IBM Operations Analytics – Log Analysis versions 1.3.5.0 through 1.3.8.3 and IBM SmartCloud Analytics – Log Analysis are vulnerable to a cross-site request forgery (CSRF) vulnerability that could allow an attacker to trick a trusted user into performing unauthorized actions. | 2026-02-04 | 4.3 | CVE-2024-40685 | https://www.ibm.com/support/pages/node/7256429 |
| metagauss–ProfileGrid User Profiles, Groups and Communities | The ProfileGrid – User Profiles, Groups and Communities plugin for WordPress is vulnerable to unauthorized user suspension due to a missing capability check on the pm_deactivate_user_from_group() function in all versions up to, and including, 5.9.7.2. This makes it possible for authenticated attackers, with Subscriber-level access and above, to suspend arbitrary users from groups, including administrators, via the pm_deactivate_user_from_group AJAX action. | 2026-02-05 | 4.3 | CVE-2025-13416 | https://www.wordfence.com/threat-intel/vulnerabilities/id/31c2cd54-f258-43ea-8db2-8d98ad7014d1?source=cve https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/trunk/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/browser/profilegrid-user-profiles-groups-and-communities/tags/5.9.6.5/public/class-profile-magic-public.php#L3167 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3448434%40profilegrid-user-profiles-groups-and-communities&new=3448434%40profilegrid-user-profiles-groups-and-communities&sfp_email=&sfph_mail= |
| Tanium–Patch | Tanium addressed an improper access controls vulnerability in Patch. | 2026-02-05 | 4.3 | CVE-2025-15326 | TAN-2025-006 |
| Tanium–Deploy | Tanium addressed an improper access controls vulnerability in Deploy. | 2026-02-05 | 4.3 | CVE-2025-15327 | TAN-2025-006 |
| Tanium–Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15329 | TAN-2025-019 |
| Tanium–Connect | Tanium addressed an uncontrolled resource consumption vulnerability in Connect. | 2026-02-05 | 4.3 | CVE-2025-15331 | TAN-2025-015 |
| Tanium–Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.9 | CVE-2025-15332 | TAN-2025-020 |
| Tanium–Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15333 | TAN-2025-025 |
| Tanium–Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15334 | TAN-2025-026 |
| Tanium–Threat Response | Tanium addressed an information disclosure vulnerability in Threat Response. | 2026-02-05 | 4.3 | CVE-2025-15335 | TAN-2025-027 |
| Tanium–Reputation | Tanium addressed an improper access controls vulnerability in Reputation. | 2026-02-05 | 4.3 | CVE-2025-15342 | TAN-2025-030 |
| IBM–Jazz Foundation | IBM Jazz Foundation 7.0.3 through 7.0.3 iFix019 and 7.1.0 through 7.1.0 iFix005 is vulnerable to access control violations that allows the users to view or access/perform actions beyond their expected capability. | 2026-02-02 | 4.3 | CVE-2025-15395 | https://www.ibm.com/support/pages/node/7258304 |
| simonfairbairn–The Bucketlister | The The Bucketlister plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the bucketlister_do_admin_ajax() function in all versions up to, and including, 0.1.5. This makes it possible for authenticated attackers, with Subscriber-level access and above, to add delete or modify arbitrary bucket list items. | 2026-02-07 | 4.3 | CVE-2025-15476 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc9e6374-8f9e-4c60-a86b-46cd4122abf9?source=cve https://plugins.trac.wordpress.org/browser/the-bucketlister/tags/0.1.5/bucketlister.php#L185 |
| qriouslad–Code Explorer | The Code Explorer plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.4.6 via the ‘file’ parameter. This makes it possible for authenticated attackers, with Administrator-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information. | 2026-02-04 | 4.9 | CVE-2025-15487 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fad8ad54-56eb-40fa-a357-77b7d656d378?source=cve https://plugins.trac.wordpress.org/browser/code-explorer/tags/1.4.6/admin/class-code-explorer-admin.php#L211 |
| HCL–AION | A Potential Command Injection vulnerability in HCL AION. An This can allow unintended command execution, potentially leading to unauthorized actions on the underlying system. This issue affects AION: 2.0 | 2026-02-03 | 4.5 | CVE-2025-52626 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL–AION | HCL AION is affected by a Cookie with Insecure, Improper, or Missing SameSite vulnerability. This can allow cookies to be sent in cross-site requests, potentially increasing exposure to cross-site request forgery and related security risks. This issue affects AION: 2.0. | 2026-02-03 | 4.6 | CVE-2025-52628 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A–Moodle[.]org | A flaw was found in Moodle. During anonymous assignment submissions, user identifiers were inadvertently exposed in URLs. This data exposure allows unauthorized viewers to see internal user IDs, compromising the intended anonymity and potentially leading to information disclosure. | 2026-02-03 | 4.3 | CVE-2025-67857 | https://access.redhat.com/security/cve/CVE-2025-67857 RHBZ#2423868 https://moodle.org/mod/forum/discuss.php?d=471307 |
| Red Hat–Red Hat Ansible Automation Platform 2 | A security flaw was identified in the Ansible Lightspeed API conversation endpoints that handle AI chat interactions. The APIs do not properly verify whether a conversation identifier belongs to the authenticated user making the request. As a result, an attacker with valid credentials could access or influence conversations owned by other users. This exposes sensitive conversation data and allows unauthorized manipulation of AI-generated outputs. | 2026-02-06 | 4.2 | CVE-2026-0598 | https://access.redhat.com/security/cve/CVE-2026-0598 RHBZ#2427094 |
| rtddev–Extended Random Number Generator | The Extended Random Number Generator plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin settings in all versions up to, and including, 1.1 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level access, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled. | 2026-02-04 | 4.4 | CVE-2026-0681 | https://www.wordfence.com/threat-intel/vulnerabilities/id/575c3329-8dbb-4d15-8e11-a86a01b96f50?source=cve https://plugins.trac.wordpress.org/browser/extended-random-number-generator/trunk/random_number_generator.php#L187 https://plugins.trac.wordpress.org/browser/extended-random-number-generator/tags/1.1/random_number_generator.php#L187 |
| orenhav–WP Content Permission | The WP Content Permission plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘ohmem-message’ parameter in all versions up to, and including, 1.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with Administrator-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-02-04 | 4.4 | CVE-2026-0743 | https://www.wordfence.com/threat-intel/vulnerabilities/id/e44403cd-1cee-43c4-aabc-3eaad433c020?source=cve https://plugins.trac.wordpress.org/browser/wp-content-permission/trunk/admin/views/admin.php#L74 https://plugins.trac.wordpress.org/browser/wp-content-permission/tags/1.2/admin/views/admin.php#L74 |
| gtlwpdev–All push notification for WP | The All push notification for WP plugin for WordPress is vulnerable to time-based SQL Injection via the ‘delete_id’ parameter in all versions up to, and including, 1.5.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-0816 | https://www.wordfence.com/threat-intel/vulnerabilities/id/fc1f36b1-cf28-472c-8a7a-f091ecb48c2d?source=cve https://plugins.trac.wordpress.org/browser/all-push-notification/tags/1.5.3/pushnotification-admin/class-pushnotification-admin.php#L95 https://plugins.trac.wordpress.org/browser/all-push-notification/trunk/pushnotification-admin/class-pushnotification-admin.php#L95 |
| arkapravamajumder–TITLE ANIMATOR | The TITLE ANIMATOR plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.0. This is due to missing nonce validation on the settings page form handler in `inc/settings-page.php`. This makes it possible for unauthenticated attackers to modify plugin settings via a forged request granted they can trick a site administrator into performing an action such as clicking on a link. | 2026-02-07 | 4.3 | CVE-2026-1082 | https://www.wordfence.com/threat-intel/vulnerabilities/id/98736b9d-3e0a-40c0-900a-fbbaaac07958?source=cve https://plugins.trac.wordpress.org/browser/title-animator/trunk/inc/settings-page.php#L5 https://plugins.trac.wordpress.org/browser/title-animator/tags/1.0/inc/settings-page.php#L5 |
| bplugins–Timeline Block Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) | The Timeline Block – Beautiful Timeline Builder for WordPress (Vertical & Horizontal Timelines) plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 1.3.3 via the tlgb_shortcode() function due to missing validation on a user controlled key. This makes it possible for authenticated attackers, with Author-level access and above, to disclose private timeline content via the id attribute supplied to the ‘timeline_block’ shortcode. | 2026-02-06 | 4.3 | CVE-2026-1228 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cecebfd0-c2af-4150-8793-299cdbeaa7b9?source=cve https://plugins.trac.wordpress.org/changeset/3446078/timeline-block-block |
| shortpixel–ShortPixel Image Optimizer Optimize Images, Convert WebP & AVIF | The ShortPixel Image Optimizer plugin for WordPress is vulnerable to Arbitrary File Read via path traversal in the ‘loadFile’ parameter in all versions up to, and including, 6.4.2 due to insufficient path validation and sanitization in the ‘loadLogFile’ AJAX action. This makes it possible for authenticated attackers, with Editor-level access and above, to read the contents of arbitrary files on the server, which can contain sensitive information such as database credentials and authentication keys. | 2026-02-05 | 4.9 | CVE-2026-1246 | https://www.wordfence.com/threat-intel/vulnerabilities/id/03cb41d2-67c8-457f-8d85-7aede8e12d44?source=cve https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L309 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/AjaxController.php#L1686 https://plugins.trac.wordpress.org/browser/shortpixel-image-optimiser/tags/6.4.1/class/Controller/BulkController.php#L200 https://plugins.trac.wordpress.org/changeset?sfp_email=&sfph_mail=&reponame=&old=3449706%40shortpixel-image-optimiser&new=3449706%40shortpixel-image-optimiser&sfp_email=&sfph_mail= |
| comprassibs–SIBS woocommerce payment gateway | The SIBS woocommerce payment gateway plugin for WordPress is vulnerable to time-based SQL Injection via the ‘referencedId’ parameter in all versions up to, and including, 2.2.0 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-02-04 | 4.9 | CVE-2026-1370 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eac8e81c-2f6f-4a4a-9678-f5d75f4954ae?source=cve https://plugins.trac.wordpress.org/browser/sibs-woocommerce/tags/2.2.0/class-sibs-payment-gateway.php#L1855 |
| n/a–iomad | A vulnerability was identified in iomad up to 5.0. Affected is an unknown function of the component Company Admin Block. Such manipulation leads to sql injection. The attack can be executed remotely. It is best practice to apply a patch to resolve this issue. | 2026-02-05 | 4.7 | CVE-2026-1517 | VDB-344487 | iomad Company Admin Block sql injection VDB-344487 | CTI Indicators (IOB, IOC, TTP) https://github.com/iomad/iomad/issues/2559 https://github.com/iomad/iomad/issues/2559#issuecomment-3841174677 https://github.com/iomad/iomad/ |
| Yealink–MeetingBar A30 | A weakness has been identified in Yealink MeetingBar A30 133.321.0.3. This issue affects some unknown processing of the component Diagnostic Handler. This manipulation causes command injection. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.3 | CVE-2026-1735 | VDB-343634 | Yealink MeetingBar A30 Diagnostic command injection VDB-343634 | CTI Indicators (IOB, IOC, TTP) Submit #736622 | Yealink MeetingBar A30 133.321.0.3 Command Injection https://drive.google.com/file/d/1Uf46ihr8UmeXsFfkcvAeOtF1TkvGjozy/view?usp=sharing |
| EFM–ipTIME A8004T | A vulnerability was identified in EFM ipTIME A8004T 14.18.2. Affected by this vulnerability is the function commit_vpncli_file_upload of the file /cgi/timepro.cgi of the component VPN Service. Such manipulation leads to unrestricted upload. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 4.7 | CVE-2026-1742 | VDB-343641 | EFM ipTIME A8004T VPN Service timepro.cgi commit_vpncli_file_upload unrestricted upload VDB-343641 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #741450 | EFM IPTIME A8004T 14.18.2 Authentication Bypass & Arbitrary File Upload https://github.com/LX-LX88/cve/issues/29 |
| SourceCodester–Medical Certificate Generator App | A vulnerability was determined in SourceCodester Medical Certificate Generator App 1.0. This affects an unknown part. This manipulation causes cross-site request forgery. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. | 2026-02-02 | 4.3 | CVE-2026-1745 | VDB-343676 | SourceCodester Medical Certificate Generator App cross-site request forgery VDB-343676 | CTI Indicators (IOB, IOC) Submit #742653 | SourceCodester Medical Certificate Generator App 1.0 Cross-Site Request Forgery https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion https://github.com/Asim-QAZi/Cross-Site-Request-Forgery-Arbitrary-Medical-Certificate-Deletion#proof-of-concept-csrf-exploit https://www.sourcecodester.com/ |
| codesnippetspro–Code Snippets | The Code Snippets plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 3.9.4. This is due to missing nonce validation on the cloud snippet download and update actions in the Cloud_Search_List_Table class. This makes it possible for unauthenticated attackers to force logged-in administrators to download or update cloud snippets without their consent via a crafted request, granted they can trick an administrator into visiting a malicious page. | 2026-02-06 | 4.3 | CVE-2026-1785 | https://www.wordfence.com/threat-intel/vulnerabilities/id/4a5787f3-6a16-491a-aa01-6222f275cf0f?source=cve https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/class-cloud-search-list-table.php#L105 https://plugins.trac.wordpress.org/browser/code-snippets/trunk/php/cloud/list-table-shared-ops.php#L57 https://plugins.trac.wordpress.org/browser/code-snippets/tags/3.9.4/php/cloud/list-table-shared-ops.php#L57 https://github.com/codesnippetspro/code-snippets/pull/331/changes |
| lcg0124–BootDo | A vulnerability was identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. This affects an unknown part. The manipulation leads to cross-site request forgery. The attack is possible to be carried out remotely. The exploit is publicly available and might be used. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified. | 2026-02-04 | 4.3 | CVE-2026-1835 | VDB-344028 | lcg0124 BootDo cross-site request forgery VDB-344028 | CTI Indicators (IOB, IOC) Submit #742484 | BootDo Web V1.0 CSRF https://github.com/webzzaa/CVE-/issues/6 |
| n/a–ZenTao | A weakness has been identified in ZenTao up to 21.7.6-85642. The impacted element is the function fetchHook of the file module/webhook/model. Php of the component Webhook Module. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-04 | 4.7 | CVE-2026-1884 | VDB-344264 | ZenTao Webhook model.php fetchHook server-side request forgery VDB-344264 | CTI Indicators (IOB, IOC, IOA) Submit #742633 | Zentao PMS <=21.7.6-85642 SSRF https://github.com/ez-lbz/ez-lbz.github.io/issues/9 https://github.com/ez-lbz/ez-lbz.github.io/issues/9#issue-3832844574 |
| n/a–WeKan | A vulnerability was found in WeKan up to 8.20. Affected by this issue is some unknown functionality of the file server/methods/positionHistory.js of the component Position-History Tracking. The manipulation results in missing authorization. The attack may be performed from remote. Upgrading to version 8.21 can resolve this issue. The patch is identified as 55576ec17722db094835470b386162c9a662fb60. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1897 | VDB-344269 | WeKan Position-History Tracking positionHistory.js PositionHistoryBleed authorization VDB-344269 | CTI Indicators (IOB, IOC, IOA) Submit #742671 | Wekan <8.21 Missing authorization checks leading to information disclosure a https://github.com/wekan/wekan/commit/55576ec17722db094835470b386162c9a662fb60 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| wpsoul–Greenshift animation and page builder blocks | The Greenshift – animation and page builder blocks plugin for WordPress is vulnerable to unauthorized access of data due to a missing capability check on the greenshift_app_pass_validation() function in all versions up to, and including, 12.5.7. This makes it possible for authenticated attackers, with Subscriber-level access and above, to retrieve global plugin settings including stored AI API keys. | 2026-02-05 | 4.3 | CVE-2026-1927 | https://www.wordfence.com/threat-intel/vulnerabilities/id/6e2128db-ca9f-4211-8bc5-01a2cc1cba64?source=cve https://plugins.trac.wordpress.org/changeset/3441535/greenshift-animation-and-page-builder-blocks/trunk/init.php |
| n/a–WeKan | A vulnerability was determined in WeKan up to 8.20. This impacts an unknown function of the file models/boards.js of the component REST Endpoint. This manipulation causes improper access controls. Remote exploitation of the attack is possible. Upgrading to version 8.21 will fix this issue. Patch name: 545566f5663545d16174e0f2399f231aa693ab6e. It is advisable to upgrade the affected component. | 2026-02-05 | 4.3 | CVE-2026-1964 | VDB-344486 | WeKan REST Endpoint boards.js BoardTitleRESTBleed access control VDB-344486 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742680 | Wekan <8.21 Improper access control in REST endpoint (CWE-284) https://github.com/wekan/wekan/commit/545566f5663545d16174e0f2399f231aa693ab6e https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| DCN–DCME-320 | A vulnerability was found in DCN DCME-320 up to 20260121. Impacted is the function apply_config of the file /function/system/basic/bridge_cfg.php of the component Web Management Backend. Performing a manipulation of the argument ip_list results in command injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 4.7 | CVE-2026-2000 | VDB-344548 | DCN DCME-320 Web Management Backend bridge_cfg.php apply_config command injection VDB-344548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743455 | 北京神州数码云科信息技术有限公司 Dcme320 latest Command Injection https://github.com/physicszq/Routers/tree/main/Dcme |
| Cisco–Cisco Secure Web Appliance | A vulnerability in the Dynamic Vectoring and Streaming (DVS) Engine implementation of Cisco AsyncOS Software for Cisco Secure Web Appliance could allow an unauthenticated, remote attacker to bypass the anti-malware scanner, allowing malicious archive files to be downloaded. This vulnerability is due to improper handling of certain archive files. An attacker could exploit this vulnerability by sending a crafted archive file, which should be blocked, through an affected device. A successful exploit could allow the attacker to bypass the anti-malware scanner and download malware onto an end user workstation. The downloaded malware will not automatically execute unless the end user extracts and launches the malicious file. | 2026-02-04 | 4 | CVE-2026-20056 | cisco-sa-wsa-archive-bypass-Scx2e8zF |
| Sanluan–PublicCMS | A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation of the argument paymentId leads to improper authorization. The attack can be initiated remotely. The complexity of an attack is rather high. The exploitability is considered difficult. The exploit has been disclosed to the public and may be used. The identifier of the patch is 7329437e1288540336b1c66c114ed3363adcba02. It is recommended to apply a patch to fix this issue. | 2026-02-06 | 4.2 | CVE-2026-2010 | VDB-344592 | Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization VDB-344592 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743487 | PublicCMS 5 Improper Access Controls https://github.com/sanluan/PublicCMS/issues/108 https://github.com/sanluan/PublicCMS/issues/108#issue-3838143772 https://github.com/sanluan/PublicCMS/commit/7329437e1288540336b1c66c114ed3363adcba02 https://github.com/sanluan/PublicCMS/ |
| Cisco–Cisco Prime Infrastructure | A vulnerability in the web-based management interface of Cisco Prime Infrastructure could allow an authenticated, remote attacker to conduct a stored cross-site scripting (XSS) attack against users of the interface of an affected system. This vulnerability exists because the web-based management interface does not properly validate user-supplied input. An attacker could exploit this vulnerability by inserting malicious code into specific data fields in the interface. A successful exploit could allow the attacker to execute arbitrary script code in the context of the affected interface or access sensitive, browser-based information. To exploit this vulnerability, an attacker must have valid administrative credentials. | 2026-02-04 | 4.8 | CVE-2026-20111 | cisco-sa-pi-xss-bYeVKCD |
| Cisco–Cisco Evolved Programmable Network Manager (EPNM) | A vulnerability in the web-based management interface of Cisco Evolved Programmable Network Manager (EPNM) and Cisco Prime Infrastructure could allow an unauthenticated, remote attacker to redirect a user to a malicious web page. This vulnerability is due to improper input validation of the parameters in the HTTP request. An attacker could exploit this vulnerability by intercepting and modifying an HTTP request from a user. A successful exploit could allow the attacker to redirect the user to a malicious web page. | 2026-02-04 | 4.3 | CVE-2026-20123 | cisco-sa-epnm-pi-redirect-6sX82dN |
| D-Link–DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. Affected by this issue is the function sub_424D20 of the file /goform/set_ipv6. Executing a manipulation can lead to os command injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-06 | 4.7 | CVE-2026-2061 | VDB-344621 | D-Link DIR-823X set_ipv6 sub_424D20 os command injection VDB-344621 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744286 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/20 https://www.dlink.com/ |
| D-Link–DIR-823X | A security flaw has been discovered in D-Link DIR-823X 250416. This vulnerability affects unknown code of the file /goform/set_ac_server of the component Web Management Interface. The manipulation of the argument ac_server results in os command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. | 2026-02-06 | 4.7 | CVE-2026-2063 | VDB-344623 | D-Link DIR-823X Web Management set_ac_server os command injection VDB-344623 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #744720 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/19 https://www.dlink.com/ |
| D-Link–DIR-823X | A vulnerability was determined in D-Link DIR-823X 250416. The affected element is an unknown function of the file /goform/set_password. This manipulation of the argument http_passwd causes os command injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-07 | 4.7 | CVE-2026-2081 | VDB-344648 | D-Link DIR-823X set_password os command injection VDB-344648 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745553 | D-Link DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/22 https://github.com/master-abc/cve/issues/22#issue-3847400767 https://www.dlink.com/ |
| D-Link–DIR-823X | A vulnerability was identified in D-Link DIR-823X 250416. The impacted element is an unknown function of the file /goform/set_mac_clone. Such manipulation of the argument mac leads to os command injection. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-02-07 | 4.7 | CVE-2026-2082 | VDB-344649 | D-Link DIR-823X set_mac_clone os command injection VDB-344649 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745854 | dlink DIR-823X 250416 OS Command Injection https://github.com/master-abc/cve/issues/21 https://github.com/master-abc/cve/issues/21#issue-3847172823 https://www.dlink.com/ |
| n/a–JeecgBoot | A weakness has been identified in JeecgBoot up to 3.9.0. Affected by this issue is some unknown functionality of the file /airag/knowledge/doc/edit of the component Retrieval-Augmented Generation Module. Executing a manipulation of the argument filePath can lead to path traversal. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 4.3 | CVE-2026-2111 | VDB-344687 | JeecgBoot Retrieval-Augmented Generation edit path traversal VDB-344687 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746789 | jeecgboot 3.9.0 Absolute Path Traversal https://www.yuque.com/la12138/vxbwk9/ezodz20a26g36y8m |
| PHPGurukul–Hospital Management System | A security vulnerability has been detected in PHPGurukul Hospital Management System 4.0. The affected element is an unknown function of the file /hms/admin/manage-doctors.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used. | 2026-02-08 | 4.7 | CVE-2026-2134 | VDB-344769 | PHPGurukul Hospital Management System manage-doctors.php sql injection VDB-344769 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747214 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQL-Injection https://phpgurukul.com/ |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability was detected in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /appointments.php. The manipulation of the argument patient_id results in cross site scripting. It is possible to launch the attack remotely. The exploit is now public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2149 | VDB-344851 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System appointments.php cross site scripting VDB-344851 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747920 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-appointments-XSS.md |
| SourceCodester–Patients Waiting Area Queue Management System | A flaw has been found in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Affected by this issue is some unknown functionality of the file /checkin.php. This manipulation of the argument patient_id causes cross site scripting. The attack can be initiated remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2150 | VDB-344852 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System checkin.php cross site scripting VDB-344852 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747921 | Patrick Mvuma Patients Waiting Area Queue Management System 1.0 Doubled Character XSS Manipulations https://github.com/xiahao90/CVEproject/blob/main/xiahao.webray.com.cn/Patients-Waiting-Area-Queue-Management-System-checkin-php-XSS.md |
| mwielgoszewski–doorman | A vulnerability was determined in mwielgoszewski doorman up to 0.6. This issue affects the function is_safe_url of the file doorman/users/views.py. Executing a manipulation of the argument Next can lead to open redirect. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.3 | CVE-2026-2153 | VDB-344855 | mwielgoszewski doorman views.py is_safe_url redirect VDB-344855 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748072 | https://github.com/mwielgoszewski/doorman doorman Latest Version (commit 9a9b97c8) Open Redirect https://gist.github.com/RacerZ-fighting/39f230feb0e450ae54f0a80c63c5d924 |
| SourceCodester–Patients Waiting Area Queue Management System | A vulnerability was identified in SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System 1.0. Impacted is an unknown function of the file /registration.php of the component Patient Registration Module. The manipulation of the argument First Name leads to cross site scripting. Remote exploitation of the attack is possible. The exploit is publicly available and might be used. | 2026-02-08 | 4.3 | CVE-2026-2154 | VDB-344856 | SourceCodester/Patrick Mvuma Patients Waiting Area Queue Management System Patient Registration registration.php cross site scripting VDB-344856 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748208 | SourceCodester Patients Waiting Area Queue Management System 1 Cross Site Scripting https://medium.com/@rvpipalwa/stored-cross-site-scripting-xss-vulnerability-report-c97788dd6ea6 |
| SourceCodester–Simple Responsive Tourism Website | A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected is an unknown function of the file /tourism/classes/Master.php?f=register of the component Registration. Executing a manipulation of the argument firstname/lastname/username can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used. | 2026-02-08 | 4.3 | CVE-2026-2159 | VDB-344861 | SourceCodester Simple Responsive Tourism Website Registration Master.php cross site scripting VDB-344861 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #750995 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_5/blob/main/report.md https://www.sourcecodester.com/ |
| SourceCodester–Simple Responsive Tourism Website | A vulnerability has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /tourism/classes/Master.php?f=save_package. The manipulation of the argument Title leads to cross site scripting. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. | 2026-02-08 | 4.3 | CVE-2026-2160 | VDB-344862 | SourceCodester Simple Responsive Tourism Website Master.php cross site scripting VDB-344862 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751016 | sourcecodester.com Simple Responsive Tourism Website 1.0 Cross Site Scripting https://github.com/CH0ico/CVE_choco_6/blob/main/report.md https://www.sourcecodester.com/ |
| itsourcecode–News Portal Project | A vulnerability was determined in itsourcecode News Portal Project 1.0. This affects an unknown part of the file /admin/aboutus.php. This manipulation of the argument pagetitle causes sql injection. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2162 | VDB-344864 | itsourcecode News Portal Project aboutus.php sql injection VDB-344864 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751083 | itsourcecode News Portal Project V1.0 SQL Injection https://github.com/Wzl731/test/issues/2 https://itsourcecode.com/ |
| D-Link–DIR-600 | A vulnerability was identified in D-Link DIR-600 up to 2.15WWb02. This vulnerability affects unknown code of the file ssdp.cgi. Such manipulation of the argument HTTP_ST/REMOTE_ADDR/REMOTE_PORT/SERVER_ID leads to command injection. The attack may be launched remotely. The exploit is publicly available and might be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-08 | 4.7 | CVE-2026-2163 | VDB-344865 | D-Link DIR-600 ssdp.cgi command injection VDB-344865 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #751764 | D-Link D-Link DIR-600 v2.15WWb02 Remote Arbitrary Command Execution https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md https://github.com/LonTan0/CVE/blob/main/Remote%20Arbitrary%20Command%20Execution%20Vulnerability%20in%20ssdpcgi%20of%20D-Link%20DIR%E2%80%91600.md#poc https://www.dlink.com/ |
| PHPGurukul–Hospital Management System | A vulnerability was determined in PHPGurukul Hospital Management System 4.0. This impacts an unknown function of the file /admin/manage-users.php. This manipulation of the argument ID causes sql injection. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized. | 2026-02-08 | 4.7 | CVE-2026-2179 | VDB-344882 | PHPGurukul Hospital Management System manage-users.php sql injection VDB-344882 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #749592 | PHPGurukul Hospital Management System 4.0 SQL Injection https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main https://github.com/Shaon-Xis/PHPGurukul-HMS-SQLi-PoC/tree/main#4-proof-of-concept-reproduction-steps https://phpgurukul.com/ |
| n/a–WeKan | A vulnerability was identified in WeKan up to 8.20. This affects an unknown part of the file server/publications/cards.js of the component Meteor Publication Handler. Such manipulation leads to information disclosure. The attack may be performed from remote. Upgrading to version 8.21 is able to mitigate this issue. The name of the patch is 0f5a9c38778ca550cbab6c5093470e1e90cb837f. Upgrading the affected component is advised. | 2026-02-08 | 4.3 | CVE-2026-2205 | VDB-344919 | WeKan Meteor Publication cards.js CardPubSubBleed information disclosure VDB-344919 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #752161 | Wekan <8.21 Information disclosure via publish/subscribe authorization bug https://github.com/wekan/wekan/commit/0f5a9c38778ca550cbab6c5093470e1e90cb837f https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| n/a–WeKan | A security vulnerability has been detected in WeKan up to 8.20. Impacted is an unknown function of the file server/publications/rules.js of the component Rules Handler. The manipulation leads to missing authorization. The attack can be initiated remotely. Upgrading to version 8.21 is recommended to address this issue. The identifier of the patch is a787bcddf33ca28afb13ff5ea9a4cb92dceac005. The affected component should be upgraded. | 2026-02-08 | 4.3 | CVE-2026-2208 | VDB-344922 | WeKan Rules rules.js RulesBleed authorization VDB-344922 | CTI Indicators (IOB, IOC, IOA) Submit #752164 | Wekan <8.21 Information disclosure / missing authorization on admin publicat https://github.com/wekan/wekan/commit/a787bcddf33ca28afb13ff5ea9a4cb92dceac005 https://github.com/wekan/wekan/releases/tag/v8.21 https://github.com/wekan/wekan/ |
| glpi-project–glpi | GLPI is a free asset and IT management software package. From version 11.0.0 to before 11.0.5, a GLPI administrator can perform SSRF request through the Webhook feature. This issue has been patched in version 11.0.5. | 2026-02-04 | 4.1 | CVE-2026-22247 | https://github.com/glpi-project/glpi/security/advisories/GHSA-f6f6-v3qr-9p5x https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| F5–F5 BIG-IP Container Ingress Services | A vulnerability exists in F5 BIG-IP Container Ingress Services that may allow excessive permissions to read cluster secrets. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 4.9 | CVE-2026-22549 | https://my.f5.com/manage/s/article/K000157960 |
| rizinorg–rizin | Rizin is a UNIX-like reverse engineering framework and command-line toolset. Prior to 0.8.2, a heap overflow can be exploited when a malicious mach0 file, having bogus entries for the dyld chained segments, is parsed by rizin. This vulnerability is fixed in 0.8.2. | 2026-02-02 | 4.4 | CVE-2026-22780 | https://github.com/rizinorg/rizin/security/advisories/GHSA-f3v7-xhmj-9cjj https://github.com/rizinorg/rizin/issues/5768 https://github.com/rizinorg/rizin/pull/5770 https://github.com/rizinorg/rizin/commit/41ea75d5b07d9b41b27ae80675cdda65f1b1c989 https://github.com/rizinorg/rizin/blob/6dd0dba9ff4dc706f549d0cdcd93856b49e59aa0/librz/bin/format/mach0/mach0_chained_fixups.c#L200 https://github.com/rizinorg/rizin/releases/tag/v0.8.2 |
| glpi-project–glpi | GLPI is a free asset and IT management software package. In versions starting from 0.71 to before 10.0.23 and before 11.0.5, when remote authentication is used, based on SSO variables, a user can steal a GLPI session previously opened by another user on the same machine. This issue has been patched in versions . | 2026-02-04 | 4.3 | CVE-2026-23624 | https://github.com/glpi-project/glpi/security/advisories/GHSA-5j4j-vx46-r477 https://github.com/glpi-project/glpi/releases/tag/10.0.23 https://github.com/glpi-project/glpi/releases/tag/11.0.5 |
| Enalean–tuleap | Tuleap is an Open Source Suite for management of software development and collaboration. Tuleap is missing CSRF protection in the Overview inconsistent items. An attacker could use this vulnerability to trick victims into repairing inconsistent items (creating artifact links from the release). This vulnerability is fixed in Tuleap Community Edition 17.0.99.1768924735 and Tuleap Enterprise Edition 17.2-5, 17.1-6, and 17.0-9. | 2026-02-02 | 4.6 | CVE-2026-24007 | https://github.com/Enalean/tuleap/security/advisories/GHSA-7g48-rwqj-ffxw https://github.com/Enalean/tuleap/commit/5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/git/tuleap/tuleap/stable?a=commit&h=5ec5e81e409892fe0e41f11d5d36ee6c85a6fbb5 https://tuleap.net/plugins/tracker/?aid=46389 |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a file upload validation bypass vulnerability allows attackers to upload files with prohibited extensions by embedding them inside ZIP archives and extracting them using the application’s built-in decompression functionality. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24673 | https://github.com/gunet/openeclass/security/advisories/GHSA-3g4j-56gp-v6wv |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a Reflected Cross-Site Scripting (XSS) vulnerability allows remote attackers to execute arbitrary JavaScript in the context of authenticated users by crafting malicious URLs and tricking victims into visiting them. This issue has been patched in version 4.2. | 2026-02-03 | 4.7 | CVE-2026-24674 | https://github.com/gunet/openeclass/security/advisories/GHSA-gqvp-w22w-w99r |
| gunet–openeclass | The Open eClass platform (formerly known as GUnet eClass) is a complete course management system. Prior to version 4.2, a business logic vulnerability allows authenticated students to improperly mark themselves as present in attendance activities, including activities that have already expired, by directly accessing a crafted URL. This issue has been patched in version 4.2. | 2026-02-03 | 4.3 | CVE-2026-24774 | https://github.com/gunet/openeclass/security/advisories/GHSA-rv2x-4rc8-93jh |
| opf–openproject | OpenProject is an open-source, web-based project management software. Prior to 17.0.2, the drag&drop handler moving an agenda item to a different section was not properly checking if the target meeting section is part of the same meeting (or is the backlog, in case of recurring meetings). This allowed an attacker to move a meeting agenda item into a different meeting. The attacker did not get access to meetings, but they could add arbitrary agenda items, that could cause confusions. The vulnerability is fixed in 17.0.2. | 2026-02-06 | 4.3 | CVE-2026-24776 | https://github.com/opf/openproject/security/advisories/GHSA-p9v8-w9ph-hqmf https://github.com/opf/openproject/releases/tag/v17.0.2 |
| Huawei–HarmonyOS | Type confusion vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability. | 2026-02-06 | 4 | CVE-2026-24914 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Huawei–HarmonyOS | Address read vulnerability in the HDC module. Impact: Successful exploitation of this vulnerability will affect availability and confidentiality. | 2026-02-06 | 4.8 | CVE-2026-24921 | https://consumer.huawei.com/en/support/bulletin/2026/2/ https://consumer.huawei.com/en/support/bulletinlaptops/2026/2/ https://consumer.huawei.com/en/support/bulletinwearables/2026/2/ |
| Blesta–Blesta | Blesta 3.x through 5.x before 5.13.3 mishandles input validation, aka CORE-5665. | 2026-02-03 | 4.7 | CVE-2026-25616 | https://www.blesta.com/2026/01/28/security-advisory/ |
| hedgedoc–hedgedoc | HedgeDoc is an open source, real-time, collaborative, markdown notes application. Prior to 1.10.6, files served below the /uploads/ endpoint did not use a more strict security-policy. This resulted in a too open Content-Security-Policy and furthermore opened the possibility to host malicious interactive web content (such as fake login forms) using SVG files. This vulnerability is fixed in 1.10.6. | 2026-02-06 | 4.3 | CVE-2026-25642 | https://github.com/hedgedoc/hedgedoc/security/advisories/GHSA-x74j-jmf9-534w https://github.com/hedgedoc/hedgedoc/commit/74daa0e7a1cbfafd9aeb255eaf064dfe47cd401c https://github.com/hedgedoc/hedgedoc/commit/b930fe04cee92cd4723044030bb59c36781c7137 https://github.com/hedgedoc/hedgedoc/releases/tag/1.10.6 |
| siyuan-note–siyuan | Lute is a structured Markdown engine supporting Go and JavaScript. Lute 1.7.6 and earlier (as used in SiYuan before) has a Stored Cross-Site Scripting (XSS) vulnerability in the Markdown rendering engine. An attacker can inject malicious JavaScript into a Markdown text/note. When another user clicks the rendered content, the script executes in the context of their session. | 2026-02-06 | 4.6 | CVE-2026-25647 | https://github.com/siyuan-note/siyuan/security/advisories/GHSA-rw25-98wq-76qv https://github.com/88250/lute/commit/0118e218916cf0cc7df639b50ce74e0c6c3d1868 |
Low Vulnerabilities
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| P5–FNIP-8x16A | P5 FNIP-8x16A FNIP-4xSH 1.0.20 contains a cross-site request forgery vulnerability that allows attackers to perform administrative actions without user interaction. Attackers can craft malicious web pages to add new admin users, change passwords, and modify system configurations by tricking authenticated users into loading a specially crafted page. | 2026-02-05 | 3.5 | CVE-2020-37118 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A FNIP-4xSH 1.0.20 – Cross-Site Request Forgery (Add Admin) |
| P5–FNIP-8x16A | P5 FNIP-8x16A/FNIP-4xSH versions 1.0.20 and 1.0.11 suffer from a stored cross-site scripting vulnerability. Input passed to several GET/POST parameters is not properly sanitized before being returned to the user, allowing attackers to execute arbitrary HTML and script code in a user’s browser session in the context of the affected site. This can be exploited by submitting crafted input to the label modification functionality, such as the ‘lab4’ parameter in config.html. | 2026-02-05 | 3.5 | CVE-2020-37148 | Zero Science Lab Disclosure (ZSL-2020-5564) ExploitDB-48362 Packet Storm Entry IBM X-Force Vulnerability Report P5 Vendor Homepage VulnCheck Advisory: P5 FNIP-8x16A/FNIP-4xSH 1.0.20, 1.0.11 – Stored Cross-Site Scripting (XSS) |
| Tanium–Interact | Tanium addressed an improper access controls vulnerability in Interact. | 2026-02-05 | 3.1 | CVE-2025-15289 | TAN-2025-033 |
| Tanium–Tanium Client | Tanium addressed a denial of service vulnerability in Tanium Client. | 2026-02-06 | 3.3 | CVE-2025-15320 | TAN-2025-023 |
| Tanium–Tanium Appliance | Tanium addressed an improper certificate validation vulnerability in Tanium Appliance. | 2026-02-05 | 3.7 | CVE-2025-15323 | TAN-2025-031 |
| n/a–Mapnik | A vulnerability has been found in Mapnik up to 4.2.0. This vulnerability affects the function mapnik::detail::mod<…>::operator of the file src/value.cpp. The manipulation leads to divide by zero. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-07 | 3.3 | CVE-2025-15564 | VDB-344502 | Mapnik value.cpp operator divide by zero VDB-344502 | CTI Indicators (IOB, IOC, IOA) Submit #743386 | mapnik Mapnik v4.2.0 and master branch Divide By Zero https://github.com/mapnik/mapnik/issues/4545 https://github.com/oneafter/1219/blob/main/repro https://github.com/mapnik/mapnik/ |
| IBM–Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to cause a denial of service using specially crafted SQL query that consumes excess memory resources. | 2026-02-04 | 3.5 | CVE-2025-1823 | https://www.ibm.com/support/pages/node/7258083 |
| IBM–Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the network to affect the system’s performance using complicated queries due to insufficient resource pooling. | 2026-02-04 | 3.5 | CVE-2025-2134 | https://www.ibm.com/support/pages/node/7258083 |
| IBM–Jazz Reporting Service | IBM Jazz Reporting Service could allow an authenticated user on the host network to obtain sensitive information about other projects that reside on the server. | 2026-02-04 | 3.5 | CVE-2025-27550 | https://www.ibm.com/support/pages/node/7258083 |
| IBM–Concert | IBM Concert 1.0.0 through 2.1.0 stores potentially sensitive information in log files that could be read by a local user. | 2026-02-03 | 3.3 | CVE-2025-33081 | https://www.ibm.com/support/pages/node/7257565 |
| HCL–AION | HCL AION is affected by an Autocomplete HTML Attribute Not Disabled for Password Field vulnerability. This can allow autocomplete on password fields may lead to unintended storage or disclosure of sensitive credentials, potentially increasing the risk of unauthorized access. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52623 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL–AION | HCL AION is susceptible to Missing Content-Security-Policy. An The absence of a CSP header may increase the risk of cross-site scripting and other content injection attacks by allowing unsafe scripts or resources to execute. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52629 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL–AION | HCL AION is affected by a Missing or Insecure HTTP Strict-Transport-Security (HSTS) Header vulnerability. This can allow insecure connections, potentially exposing the application to man-in-the-middle and protocol downgrade attacks. This issue affects AION: 2.0. | 2026-02-03 | 3.7 | CVE-2025-52631 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| HCL–AION | HCL AION is affected by a Permanent Cookie Containing Sensitive Session Information vulnerability. It is storing sensitive session data in persistent cookies may increase the risk of unauthorized access if the cookies are intercepted or compromised. This issue affects AION: 2.0. | 2026-02-03 | 3.1 | CVE-2025-52633 | https://support.hcl-software.com/csm?id=kb_article&sysparm_article=KB0127972 |
| N/A–Moodle[.]org | A flaw was found in Moodle. An open redirect vulnerability in the OAuth login flow allows a remote attacker to redirect users to attacker-controlled pages after they have successfully authenticated. This occurs due to insufficient validation of redirect parameters, which could lead to phishing attacks or information disclosure. | 2026-02-03 | 3.5 | CVE-2025-67852 | https://access.redhat.com/security/cve/CVE-2025-67852 RHBZ#2423844 |
| webpack–webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.0, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) enforces allowedUris only for the initial URL, but does not re-validate allowedUris after following HTTP 30x redirects. As a result, an import that appears restricted to a trusted allow-list can be redirected to HTTP(S) URLs outside the allow-list. This is a policy/allow-list bypass that enables build-time SSRF behavior (requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion in build outputs (redirected content is treated as module source and bundled). This issue has been patched in version 5.104.0. | 2026-02-05 | 3.7 | CVE-2025-68157 | https://github.com/webpack/webpack/security/advisories/GHSA-38r7-794h-5758 |
| webpack–webpack | Webpack is a module bundler. From version 5.49.0 to before 5.104.1, when experiments.buildHttp is enabled, webpack’s HTTP(S) resolver (HttpUriPlugin) can be bypassed to fetch resources from hosts outside allowedUris by using crafted URLs that include userinfo (username:password@host). If allowedUris enforcement relies on a raw string prefix check (e.g., uri.startsWith(allowed)), a URL that looks allow-listed can pass validation while the actual network request is sent to a different authority/host after URL parsing. This is a policy/allow-list bypass that enables build-time SSRF behavior (outbound requests from the build machine to internal-only endpoints, depending on network access) and untrusted content inclusion (the fetched response is treated as module source and bundled). This issue has been patched in version 5.104.1. | 2026-02-05 | 3.7 | CVE-2025-68458 | https://github.com/webpack/webpack/security/advisories/GHSA-8fgc-7cc6-rx7x |
| DJI–Mavic Mini | A vulnerability has been found in DJI Mavic Mini, Air, Spark and Mini SE up to 01.00.0500. Affected by this vulnerability is an unknown functionality of the component Enhanced Wi-Fi Pairing. The manipulation leads to authentication bypass by capture-replay. The attack must be carried out from within the local network. A high degree of complexity is needed for the attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-02 | 3.1 | CVE-2026-1743 | VDB-343674 | DJI Mavic Mini/Air/Spark/Mini SE Enhanced Wi-Fi Pairing authentication replay VDB-343674 | CTI Indicators (IOB, IOC, TTP) Submit #741323 | DJI DJI Mavic Mini, Spark, Mini SE 01.00.0500 and Below Authentication Bypass by Capture-replay https://github.com/ByteMe1001/DJI-CatNect https://github.com/ByteMe1001/DJI-CatNect/blob/main/exploit.c |
| GitLab–GitLab | A vulnerability has been discovered in GitLab CE/EE affecting all versions starting with 16.8 before 18.5.0 that could have allowed unauthorized edits to merge request approval rules under certain conditions. | 2026-02-02 | 3.1 | CVE-2026-1751 | GitLab Issue #519340 HackerOne Bug Bounty Report #2980839 |
| Edimax–BR-6258n | A flaw has been found in Edimax BR-6258n up to 1.18. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup. This manipulation of the argument submit-url causes open redirect. The attack can be initiated remotely. The exploit has been published and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they “will issue a consolidated Security Advisory on our official support website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-05 | 3.5 | CVE-2026-1970 | VDB-344492 | Edimax BR-6258n formStaDrvSetup redirect VDB-344492 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742734 | Edimax BR-6258n v1.18 Open Redirect https://tzh00203.notion.site/EDIMAX-BR-6258n-v1-18-Open-Redirect-Vulnerability-in-Web-formStaDrvSetup-handler-2eeb5c52018a803bb958e4f80cdf2550?source=copy_link |
| n/a–oatpp | A security vulnerability has been detected in oatpp up to 1.3.1. This impacts the function oatpp::data::type::ObjectWrapper::ObjectWrapper of the file src/oatpp/data/type/Type.hpp. The manipulation leads to null pointer dereference. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1990 | VDB-344508 | oatpp Type.hpp ObjectWrapper null pointer dereference VDB-344508 | CTI Indicators (IOB, IOC, IOA) Submit #743387 | oatpp 1.3.1 and master-branch NULL Pointer Dereference https://github.com/oatpp/oatpp/issues/1080 https://github.com/oatpp/oatpp/issues/1080#issue-3806715350 https://github.com/oatpp/oatpp/ |
| n/a–libuvc | A vulnerability was detected in libuvc up to 0.0.7. Affected is the function uvc_scan_streaming of the file src/device.c of the component UVC Descriptor Handler. The manipulation results in null pointer dereference. The attack needs to be approached locally. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-06 | 3.3 | CVE-2026-1991 | VDB-344509 | libuvc UVC Descriptor device.c uvc_scan_streaming null pointer dereference VDB-344509 | CTI Indicators (IOB, IOC, IOA) Submit #743388 | libuvc v0.0.7 and master-branch NULL Pointer Dereference https://github.com/libuvc/libuvc/issues/300 https://github.com/oneafter/0104/blob/main/repro https://github.com/libuvc/libuvc/ |
| n/a–micropython | A flaw has been found in micropython up to 1.27.0. This vulnerability affects the function mp_import_all of the file py/runtime.c. This manipulation causes memory corruption. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 570744d06c5ba9dba59b4c3f432ca4f0abd396b6. It is suggested to install a patch to address this issue. | 2026-02-06 | 3.3 | CVE-2026-1998 | VDB-344546 | micropython runtime.c mp_import_all memory corruption VDB-344546 | CTI Indicators (IOB, IOC, IOA) Submit #743396 | micropython 0fd0843 Memory Corruption https://github.com/micropython/micropython/issues/18639 https://github.com/micropython/micropython/pull/18671 https://github.com/micropython/micropython/issues/18639#issue-3780651410 https://github.com/dpgeorge/micropython/commit/570744d06c5ba9dba59b4c3f432ca4f0abd396b6 https://github.com/micropython/micropython/ |
| Portabilis–i-Educar | A vulnerability was identified in Portabilis i-Educar up to 2.10. Affected by this vulnerability is an unknown functionality of the file /intranet/meusdadod.php of the component User Data Page. Such manipulation of the argument File leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-06 | 3.5 | CVE-2026-2064 | VDB-344631 | Portabilis i-Educar User Data meusdadod.php cross site scripting VDB-344631 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #745108 | Portabilis i-Educar 2.10 Cross Site Scripting https://github.com/nmmorette/vulnerability-research/tree/main/XSS-Idiario |
| ggml-org–llama.cpp | A flaw has been found in ggml-org llama.cpp up to 55abc39. Impacted is the function llama_grammar_advance_stack of the file llama.cpp/src/llama-grammar.cpp of the component GBNF Grammar Handler. This manipulation causes stack-based buffer overflow. The attack needs to be launched locally. The exploit has been published and may be used. Patch name: 18993. To fix this issue, it is recommended to deploy a patch. | 2026-02-06 | 3.3 | CVE-2026-2069 | VDB-344636 | ggml-org llama.cpp GBNF Grammar llama-grammar.cpp llama_grammar_advance_stack stack-based overflow VDB-344636 | CTI Indicators (IOB, IOC, IOA) Submit #745263 | llama.cpp commit 55abc39 Stack-based Buffer Overflow https://github.com/ggml-org/llama.cpp/issues/18988 https://github.com/ggml-org/llama.cpp/issues/18988#event-4426704865 https://github.com/user-attachments/files/24761101/poc.zip https://github.com/ggml-org/llama.cpp/pull/18993 https://github.com/ggml-org/llama.cpp/ |
| F5–BIG-IP Edge Client | A vulnerability exists in BIG-IP Edge Client and browser VPN clients on Windows that may allow attackers to gain access to sensitive information. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated | 2026-02-04 | 3.3 | CVE-2026-20730 | https://my.f5.com/manage/s/article/K000158931 |
| F5–BIG-IP | A vulnerability exists in an undisclosed BIG-IP Configuration utility page that may allow an attacker to spoof error messages. Note: Software versions which have reached End of Technical Support (EoTS) are not evaluated. | 2026-02-04 | 3.1 | CVE-2026-20732 | https://my.f5.com/manage/s/article/K000156644 |
| Tasin1025–SwiftBuy | A security flaw has been discovered in Tasin1025 SwiftBuy up to 0f5011372e8d1d7edfd642d57d721c9fadc54ec7. Affected by this vulnerability is an unknown functionality of the file /login.php. Performing a manipulation results in improper restriction of excessive authentication attempts. Remote exploitation of the attack is possible. The attack’s complexity is rated as high. The exploitation appears to be difficult. The exploit has been released to the public and may be used for attacks. This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-02-07 | 3.7 | CVE-2026-2110 | VDB-344686 | Tasin1025 SwiftBuy login.php excessive authentication VDB-344686 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #746251 | Md Tasin Rahman Swiftbuy 1.0 Improper Restriction of Excessive Authentication Attempts https://www.websecurityinsights.my.id/2026/01/swiftbuy-v-10-loginphp-no-limit-to.html |
| cym1102–nginxWebUI | A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. Such manipulation of the argument nginxDir leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-02-08 | 3.5 | CVE-2026-2145 | VDB-344847 | cym1102 nginxWebUI Web Management check cross site scripting VDB-344847 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #747404 | cym1102 nginxWebUI 4.3.7 Cross Site Scripting https://github.com/cym1102/nginxWebUI/issues/203 https://github.com/cym1102/nginxWebUI/issues/203#issue-3860109934 https://github.com/cym1102/nginxWebUI/ |
| asterisk–asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, user supplied/control values for Cookies and any GET variable query Parameter are directly interpolated into the HTML of the page using ast_str_append. The endpoint at GET /httpstatus is the potential vulnerable endpoint relating to asterisk/main /http.c. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 3.5 | CVE-2026-23738 | https://github.com/asterisk/asterisk/security/advisories/GHSA-v6hp-wh3r-cwxh |
| Kubernetes–ingress-nginx | A security issue was discovered in ingress-nginx where the protection afforded by the `auth-url` Ingress annotation may not be effective in the presence of a specific misconfiguration. If the ingress-nginx controller is configured with a default custom-errors configuration that includes HTTP errors 401 or 403, and if the configured default custom-errors backend is defective and fails to respect the X-Code HTTP header, then an Ingress with the `auth-url` annotation may be accessed even when authentication fails. Note that the built-in custom-errors backend works correctly. To trigger this issue requires an administrator to specifically configure ingress-nginx with a broken external component. | 2026-02-03 | 3.1 | CVE-2026-24513 | https://github.com/kubernetes/kubernetes/issues/136679 |
| fastify–fastify | Fastify is a fast and low overhead web framework, for Node.js. Prior to version 5.7.3, a denial-of-service vulnerability in Fastify’s Web Streams response handling can allow a remote client to exhaust server memory. Applications that return a ReadableStream (or Response with a Web Stream body) via reply.send() are impacted. A slow or non-reading client can trigger unbounded buffering when backpressure is ignored, leading to process crashes or severe degradation. This issue has been patched in version 5.7.3. | 2026-02-03 | 3.7 | CVE-2026-25224 | https://github.com/fastify/fastify/security/advisories/GHSA-mrq3-vjjr-p77c https://github.com/fastify/fastify/commit/eb11156396f6a5fedaceed0140aed2b7f026be37 https://hackerone.com/reports/3524779 |
| opf–openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an HTML injection vulnerability occurs in the time tracking function of OpenProject. The application does not escape HTML tags, an attacker with administrator privileges can create a work package with the name containing the HTML tags and add it to the Work package section when creating time tracking. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | 3.5 | CVE-2026-25764 | https://github.com/opf/openproject/security/advisories/GHSA-q523-c695-h3hp https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| Fortinet–FortiOS | Fortinet FortiOS through 7.6.6 allows attackers to decrypt LDAP credentials stored in device configuration files, as exploited in the wild from 2025-12-16 through 2026 (by default, the encryption key is the same across all customers’ installations). NOTE: the Supplier’s position is that the instance of CWE-1394 is not a vulnerability because customers “are supposed to enable” a non-default option that eliminates the weakness. However, that non-default option can disrupt functionality as shown in the “Managing FortiGates with private data encryption” document, and is therefore intentionally not a default option. | 2026-02-05 | 3.2 | CVE-2026-25815 | https://www.cert.at/en/blog/2026/1/threat-actors-use-forticloud-to-collect-ldap-connection-passwords https://docs.fortinet.com/document/fortimanager/7.6.6/administration-guide/30332/managing-fortigates-with-private-data-encryption |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in Keycloak Admin API. This vulnerability allows an administrator with limited privileges to retrieve sensitive custom attributes via the /unmanagedAttributes endpoint, bypassing User Profile visibility settings. | 2026-02-02 | 2.7 | CVE-2025-13881 | https://access.redhat.com/security/cve/CVE-2025-13881 RHBZ#2418330 |
| Tanium–Tanium Appliance | Tanium addressed an improper input validation vulnerability in Tanium Appliance. | 2026-02-05 | 2.7 | CVE-2025-15321 | TAN-2025-024 |
| IBM–PowerVM Hypervisor | IBM PowerVM Hypervisor FW1110.00 through FW1110.03, FW1060.00 through FW1060.51, and FW950.00 through FW950.F0 may expose a limited amount of data to a peer partition in specific shared processor configurations during certain operations. | 2026-02-02 | 2.8 | CVE-2025-36194 | https://www.ibm.com/support/pages/node/7257555 |
| Red Hat–Red Hat Build of Keycloak | A flaw was found in Keycloak’s CIBA feature where insufficient validation of client-configured backchannel notification endpoints could allow blind server-side requests to internal services. | 2026-02-02 | 2.7 | CVE-2026-1518 | https://access.redhat.com/security/cve/CVE-2026-1518 RHBZ#2433727 |
| D-Link–DSL-6641K | A vulnerability was found in D-Link DSL-6641K N8.TR069.20131126. Affected by this issue is the function doSubmitPPP of the file sp_pppoe_user.js. The manipulation of the argument Username results in cross site scripting. The attack may be launched remotely. The exploit has been made public and could be used. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-02 | 2.4 | CVE-2026-1744 | VDB-343675 | D-Link DSL-6641K sp_pppoe_user.js doSubmitPPP cross site scripting VDB-343675 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #742439 | D-Link DSL6641K version N8.TR069.20131126 Cross Site Scripting https://tzh00203.notion.site/D-Link-DSL6641K-version-N8-TR069-20131126-XSS-via-sp_pppoe_user-js-Configuration-2eeb5c52018a80d083aaf19efbaa9130?source=copy_link https://www.dlink.com/ |
| Hillstone Networks–Operation and Maintenance Security Gateway | Unrestricted Upload of File with Dangerous Type vulnerability in Hillstone Networks Operation and Maintenance Security Gateway on Linux allows Upload a Web Shell to a Web Server. This issue affects Operation and Maintenance Security Gateway: V5.5ST00001B113. | 2026-02-04 | 2.7 | CVE-2026-1791 | https://www.hillstonenet.com.cn/security-notification/2025/12/08/wgscld/ |
| Edimax–BR-6288ACL | A vulnerability has been found in Edimax BR-6288ACL up to 1.12. Impacted is the function wiz_WISP24gmanual of the file wiz_WISP24gmanual.asp. Such manipulation of the argument manualssid leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used. The vendor confirms that the affected product is end-of-life. They confirm that they “will issue a consolidated Security Advisory on our official support website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-02-06 | 2.4 | CVE-2026-1971 | VDB-344493 | Edimax BR-6288ACL wiz_WISP24gmanual.asp wiz_WISP24gmanual cross site scripting VDB-344493 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #743318 | Edimax BR6288ACL v1.12 Cross Site Scripting https://tzh00203.notion.site/EDIMAX-BR6288ACL-v1-12-XSS-via-wiz_WISP24gmanual-asp-Configuration-2eeb5c52018a802e8ed9f6d000f7a6aa?source=copy_link |
| code-projects–Online Student Management System | A weakness has been identified in code-projects Online Student Management System 1.0. The impacted element is an unknown function of the file /admin/announcement/index.php?view=add of the component Announcement Management Module. This manipulation causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks. | 2026-02-08 | 2.4 | CVE-2026-2156 | VDB-344858 | code-projects Online Student Management System Announcement Management index.php cross site scripting VDB-344858 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #748328 | code-projects Online Student Management System in PHP latest (no version specified by vendor) Cross-Site Scripting https://github.com/baguette168/CVE/issues/1 https://code-projects.org/ |
| asterisk–asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the ast_xml_open() function in xml.c parses XML documents using libxml with unsafe parsing options that enable entity expansion and XInclude processing. Specifically, it invokes xmlReadFile() with the XML_PARSE_NOENT flag and later processes XIncludes via xmlXIncludeProcess().If any untrusted or user-supplied XML file is passed to this function, it can allow an attacker to trigger XML External Entity (XXE) or XInclude-based local file disclosure, potentially exposing sensitive files from the host system. This can also be triggered in other cases in which the user is able to supply input in xml format that triggers the asterisk process to parse it. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | 2 | CVE-2026-23739 | https://github.com/asterisk/asterisk/security/advisories/GHSA-85×7-54wr-vh42 |
Severity Not Yet Assigned
| Primary Vendor — Product |
Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| wintercms–winter | Winter is a free, open-source content management system (CMS) based on the Laravel PHP framework. Versions of Winter CMS before 1.2.10 allow users with access to the CMS Asset Manager were able to upload SVGs without automatic sanitization. To actively exploit this security issue, an attacker would need access to the Backend with a user account with the following permission: cms.manage_assets. The Winter CMS maintainers strongly recommend that the cms.manage_assets permission only be reserved to trusted administrators and developers in general. This vulnerability is fixed in 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-22254 | https://github.com/wintercms/winter/security/advisories/GHSA-m7gw-rffq-rxjm https://github.com/wintercms/winter/commit/8a7f74b004fcd19721764fc63af0cdb339d9fb65 https://github.com/wintercms/winter/releases/tag/v1.2.10 |
| asterisk–asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, when ast_coredumper writes its gdb init and output files to a directory that is world-writable (for example /tmp), an attacker with write permission(which is all users on a linux system) to that directory can cause root to execute arbitrary commands or overwrite arbitrary files by controlling the gdb init file and output paths. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23740 | https://github.com/asterisk/asterisk/security/advisories/GHSA-xpc6-x892-v83c |
| asterisk–asterisk | Asterisk is an open source private branch exchange and telephony toolkit. Prior to versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2, the asterisk/contrib/scripts/ast_coredumper runs as root, as noted by the NOTES tag on line 689 of the ast_coredumper file. The script will source the contents of /etc/asterisk/ast_debug_tools.conf, which resides in a folder that is writeable by the asterisk user:group. Due to the /etc/asterisk/ast_debug_tools.conf file following bash semantics and it being loaded; an attacker with write permissions may add or modify the file such that when the root ast_coredumper is run; it would source and thereby execute arbitrary bash code found in the /etc/asterisk/ast_debug_tools.conf. This issue has been patched in versions 20.7-cert9, 20.18.2, 21.12.1, 22.8.2, and 23.2.2. | 2026-02-06 | not yet calculated | CVE-2026-23741 | https://github.com/asterisk/asterisk/security/advisories/GHSA-rvch-3jmx-3jf3 |
| Arox–School ERP Pro | School ERP Pro 1.0 contains a remote code execution vulnerability that allows authenticated admin users to upload arbitrary PHP files as profile photos by bypassing file extension checks. Attackers can exploit improper file validation in pre-editstudent.inc.php to execute arbitrary code on the server. | 2026-02-03 | not yet calculated | CVE-2020-37084 | ExploitDB-48392 Archived Vendor Homepage Archived SourceForge Product Page VulnCheck Advisory: School ERP Pro 1.0 Admin Profile Photo Upload Remote Code Execution Vulnerability |
| Rubikon Teknoloji–Easy Transfer | Easy Transfer Wifi Transfer v1.7 for iOS contains a persistent cross-site scripting vulnerability that allows remote attackers to inject malicious scripts by manipulating the oldPath, newPath, and path parameters in Create Folder and Move/Edit functions. Attackers can exploit improper input validation via POST requests to execute arbitrary JavaScript in the context of the mobile web application. | 2026-02-03 | not yet calculated | CVE-2020-37087 | ExploitDB-48395 Vulnerability-Lab Advisory Official App Store Product Page VulnCheck Advisory: Easy Transfer 1.7 for iOS – Persistent Cross-Site Scripting |
| PHP-Fusion–PHP-Fusion | PHP-Fusion 9.03.50 panels.php is vulnerable to cross-site scripting (XSS) via the ‘panel_content’ POST parameter. The application fails to properly sanitize user input before rendering it in the browser, allowing attackers to inject arbitrary JavaScript. This can be exploited by submitting crafted input to the ‘panel_content’ field in panels.php, resulting in execution of malicious scripts in the context of the affected site. | 2026-02-05 | not yet calculated | CVE-2020-37152 | Vendor Homepage ExploitDB-48299 VulnCheck Advisory: PHP-Fusion 9.03.50 panels.php – Cross-Site Scripting (XSS) |
| parisneo–parisneo/lollms-webui | A Local File Inclusion (LFI) vulnerability exists in the ‘/reinstall_extension’ endpoint of the parisneo/lollms-webui application, specifically within the `name` parameter of the `@router.post(“/reinstall_extension”)` route. This vulnerability allows attackers to inject a malicious `name` parameter, leading to the server loading and executing arbitrary Python files from the upload directory for discussions. This issue arises due to the concatenation of `data.name` directly with `lollmsElfServer.lollms_paths.extensions_zoo_path` and its use as an argument for `ExtensionBuilder().build_extension()`. The server’s handling of the `__init__.py` file in arbitrary locations, facilitated by `importlib.machinery.SourceFileLoader`, enables the execution of arbitrary code, such as command execution or creating a reverse-shell connection. This vulnerability affects the latest version of parisneo/lollms-webui and can lead to Remote Code Execution (RCE) when the application is exposed to an external endpoint or the UI, especially when bound to `0.0.0.0` or in `headless mode`. No user interaction is required for exploitation. | 2026-02-02 | not yet calculated | CVE-2024-2356 | https://huntr.com/bounties/cb9867b4-28e3-4406-9031-f66fc28553d4 https://github.com/parisneo/lollms-webui/commit/41dbb1b3f2e78ea276e5269544e50514252c0c25 |
| lunary-ai–lunary-ai/lunary | In lunary-ai/lunary version 1.2.13, an insufficient granularity of access control vulnerability allows users to delete prompts created in other organizations through ID manipulation. The vulnerability stems from the application’s failure to validate the ownership of the prompt before deletion, only checking if the user has permissions to delete such resources without verifying if it belongs to the user’s project or organization. As a result, users can remove prompts not owned by their organization or project, leading to legitimate users being unable to access the removed prompts and causing information inconsistencies. | 2026-02-02 | not yet calculated | CVE-2024-4147 | https://huntr.com/bounties/3f051943-71ea-414c-a528-cd8b5d82a7ad https://github.com/lunary-ai/lunary/commit/0755dde1afc2a74ec23b55eee03e4416916cf48f |
| lunary-ai–lunary-ai/lunary | In lunary-ai/lunary version 1.2.2, an account hijacking vulnerability exists due to a password reset token leak. A user with a ‘viewer’ role can exploit this vulnerability to hijack another user’s account by obtaining the password reset token. The vulnerability is triggered when the ‘viewer’ role user sends a specific request to the server, which responds with a password reset token in the ‘recoveryToken’ parameter. This token can then be used to reset the password of another user’s account without authorization. The issue results from an excessive attack surface, allowing lower-privileged users to escalate their privileges and take over accounts. | 2026-02-02 | not yet calculated | CVE-2024-5386 | https://huntr.com/bounties/602eb4a1-305d-46d6-b975-5a5d8b040ad1 https://github.com/lunary-ai/lunary/commit/fc7ab3d5621c18992da5dab3a2a9a8d227d42311 |
| h2oai–h2oai/h2o-3 | A vulnerability in h2oai/h2o-3 version 3.46.0.1 allows remote attackers to write arbitrary data to any file on the server. This is achieved by exploiting the `/3/Parse` endpoint to inject attacker-controlled data as the header of an empty file, which is then exported using the `/3/Frames/framename/export` endpoint. The impact of this vulnerability includes the potential for remote code execution and complete access to the system running h2o-3, as attackers can overwrite critical files such as private SSH keys or script files. | 2026-02-02 | not yet calculated | CVE-2024-5986 | https://huntr.com/bounties/64ff5319-6ac3-4447-87f7-b53495d4d5a3 |
| Nokia–Infinera DNA | Infinera DNA is vulnerable to a time-based SQL injection vulnerability due to insufficient input validation, which may result in leaking of sensitive information. | 2026-02-05 | not yet calculated | CVE-2025-10258 | Nokia Product Security Advisory |
| mlflow–mlflow/mlflow | In mlflow version 2.20.3, the temporary directory used for creating Python virtual environments is assigned insecure world-writable permissions (0o777). This vulnerability allows an attacker with write access to the `/tmp` directory to exploit a race condition and overwrite `.py` files in the virtual environment, leading to arbitrary code execution. The issue is resolved in version 3.4.0. | 2026-02-02 | not yet calculated | CVE-2025-10279 | https://huntr.com/bounties/01d3b81e-13d1-43aa-b91a-443aec68bdc8 https://github.com/mlflow/mlflow/commit/1d7c8d4cf0a67d407499a8a4ffac387ea4f8194a |
| Wikimedia Foundation–OATHAuth | Vulnerability in Wikimedia Foundation OATHAuth. This vulnerability is associated with program files src/Special/OATHManage.Php. This issue affects OATHAuth: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-11173 | https://phabricator.wikimedia.org/T401862 https://phabricator.wikimedia.org/T402094 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Language/mediawiki.Language.Js. This issue affects MediaWiki: from * before 1.39.15, 1.43.5, 1.44.2. | 2026-02-03 | not yet calculated | CVE-2025-11261 | https://https://phabricator.wikimedia.org/T406322 https://phabricator.wikimedia.org/T402077 |
| Centralny Orodek Informatyki–mObywatel | In mObywatel iOS application an unauthorized user can use the App Switcher to view the account owner’s personal information in the minimized app window, even after the login session has ended (reopening the app would require the user to log in). The data exposed depends on the last application view displayed before the application was minimized This issue was fixed in version 4.71.0 | 2026-02-03 | not yet calculated | CVE-2025-11598 | https://info.mobywatel.gov.pl/ https://cert.pl/posts/2026/02/CVE-2025-11598 |
| silabs.com–Simplicity SDK | A truncated 802.15.4 packet can lead to an assert, resulting in a denial of service. | 2026-02-05 | not yet calculated | CVE-2025-12131 | https://community.silabs.com/068Vm00000g8dP3 |
| Brocade–SANnav | A vulnerability in Brocade SANnav before 2.4.0b prints the Password-Based Encryption (PBE) key in plaintext in the system audit log file. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the pbe key. Note: The vulnerability is only triggered during a migration and not in a new installation. The system audit logs are accessible only to a privileged user on the server. These audit logs are the local server VM’s audit logs and are not controlled by SANnav. These logs are only visible to the server admin of the host server and are not visible to the SANnav admin or any SANnav user. | 2026-02-02 | not yet calculated | CVE-2025-12679 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36845 |
| Brocade–SANnav | Brocade SANnav before Brocade SANnav 2.4.0b logs database passwords in clear text in the standby SANnav server, after disaster recovery failover. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the database password. | 2026-02-02 | not yet calculated | CVE-2025-12680 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36844 |
| Brocade–SANnav | Brocade SANnav before 2.4.0b logs the Brocade Fabric OS Switch admin password on the SANnav support save logs. When OOM occurs on a Brocade SANnav server, the call stack trace for the Brocade switch is also collected in the heap dump file which contains this switch password in clear text. The vulnerability could allow a remote authenticated attacker with admin privilege able to access the SANnav logs or the supportsave to read the switch admin password. | 2026-02-02 | not yet calculated | CVE-2025-12772 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36846 |
| Brocade–SANnav | A vulnerability in update-reports-purge-settings.sh script logging for Brocade SANnav before 2.4.0a could allow the collection of SANnav database password in the system audit logs. The vulnerability could allow a remote authenticated attacker with access to the audit logs to access the Brocade SANnav database password. | 2026-02-03 | not yet calculated | CVE-2025-12773 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36847 |
| Brocade–SANnav | A vulnerability in the migration script for Brocade SANnav before 3.0 could allow the collection of database sql queries in the SANnav support save file. An attacker with access to Brocade SANnav supportsave file, could open the file and then obtain sensitive information such as details of database tables and encrypted passwords. | 2026-02-03 | not yet calculated | CVE-2025-12774 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36848 |
| ASUS–ASUS Business Manager | An improper access control vulnerability exists in ASUS Secure Delete Driver of ASUS Business Manager. This vulnerability can be triggered by a local user sending a specially crafted request, potentially leading to the creation of arbitrary files in a specified path. Refer to the “Security Update for ASUS Business Manager” section on the ASUS Security Advisory for more information. | 2026-02-02 | not yet calculated | CVE-2025-13348 | https://www.asus.com/security-advisory/ |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. The `django.contrib.auth.handlers.modwsgi.check_password()` function for authentication via `mod_wsgi` allows remote attackers to enumerate users via a timing attack. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Stackered for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-13473 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| ESET spol s.r.o.–ESET Management Agent | Local privilege escalation vulnerability via insecure temporary batch file execution in ESET Management Agent | 2026-02-06 | not yet calculated | CVE-2025-13818 | https://support.eset.com/en/ca8913-eset-customer-advisory-local-privilege-escalation-via-insecure-temporary-batch-file-execution-in-eset-management-agent-for-windows-fixed |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `ASGIRequest` allows a remote attacker to cause a potential denial-of-service via a crafted request with multiple duplicate headers. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Jiyong Yang for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2025-14550 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| Unknown–User Profile Builder | The User Profile Builder WordPress plugin before 3.15.2 does not have a proper password reset process, allowing a few unauthenticated requests to reset the password of any user by knowing their username, such as administrator ones, and therefore gain access to their account | 2026-02-02 | not yet calculated | CVE-2025-15030 | https://wpscan.com/vulnerability/344cb1b1-342e-44b2-ae4a-3bb31be56b22/ |
| Mitsubishi Electric Corporation–MELSEC iQ-R Series R08PCPU | Improper Validation of Specified Quantity in Input vulnerability in Mitsubishi Electric MELSEC iQ-R Series R08PCPU, R16PCPU, R32PCPU, and R120PCPU allows an unauthenticated attacker to read device data or part of a control program from the affected product, write device data in the affected product, or cause a denial of service (DoS) condition on the affected product by sending a specially crafted packet containing a specific command to the affected product. | 2026-02-05 | not yet calculated | CVE-2025-15080 | https://jvn.jp/vu/JVNVU95093080/ https://www.mitsubishielectric.com/psirt/vulnerability/pdf/2025-020_en.pdf https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-02 |
| Unknown–Library Viewer | The Library Viewer WordPress plugin before 3.2.0 does not sanitise and escape some parameters before outputting them back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin. | 2026-02-02 | not yet calculated | CVE-2025-15396 | https://wpscan.com/vulnerability/08790e11-019d-4680-a75f-ee0a937f8cc8/ |
| Unknown–Post Slides | The Post Slides WordPress plugin through 1.0.1 does not validate some shortcode attributes before using them to generate paths passed to include function/s, allowing any authenticated users such as with contributor or higher roles to perform LFI attacks | 2026-02-07 | not yet calculated | CVE-2025-15491 | https://wpscan.com/vulnerability/eb0424cc-e60c-44a5-aa24-cd1fe042b27a/ |
| TP-Link Systems Inc.–Archer MR200 v5.2 | The response coming from TP-Link Archer MR200 v5.2, C20 v6, TL-WR850N v3, and TL-WR845N v4 for any request is getting executed by the JavaScript function like eval directly without any check. Attackers can exploit this vulnerability via a Man-in-the-Middle (MitM) attack to execute JavaScript code on the router’s admin web portal without the user’s permission or knowledge. | 2026-02-05 | not yet calculated | CVE-2025-15551 | https://www.tp-link.com/en/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/en/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr850n/#Firmware https://www.tp-link.com/en/support/download/tl-wr845n/#Firmware https://www.tp-link.com/in/support/download/archer-mr200/v5.20/#Firmware https://www.tp-link.com/in/support/download/archer-c20/v6/#Firmware https://www.tp-link.com/in/support/download/tl-wr845n/#Firmware https://www.tp-link.com/us/support/faq/4948/ |
| notepad-plus-plus–notepad-plus-plus | Notepad++ versions prior to 8.8.9, when using the WinGUp updater, contain an update integrity verification vulnerability where downloaded update metadata and installers are not cryptographically verified. An attacker able to intercept or redirect update traffic can cause the updater to download and execute an attacker-controlled installer, resulting in arbitrary code execution with the privileges of the user. | 2026-02-03 | not yet calculated | CVE-2025-15556 | https://community.notepad-plus-plus.org/topic/27298/notepad-v8-8-9-vulnerability-fix https://notepad-plus-plus.org/news/hijacked-incident-info-update/ https://github.com/notepad-plus-plus/notepad-plus-plus/commit/bcf2aa68ef414338d717e20e059459570ed6c5ab https://github.com/notepad-plus-plus/wingup/commit/ce0037549995ed0396cc363544d14b3425614fdb https://www.vulncheck.com/advisories/notepad-plus-plus-wingup-updater-lacks-update-integrity-verification |
| TP-Link Systems Inc.–Tapo H100 v1 | An Improper Certificate Validation vulnerability in TP-Link Tapo H100 v1 and Tapo P100 v1 allows an on-path attacker on the same network segment to intercept and modify encrypted device-cloud communications. This may compromise the confidentiality and integrity of device-to-cloud communication, enabling manipulation of device data or operations. | 2026-02-05 | not yet calculated | CVE-2025-15557 | https://www.tp-link.com/us/support/download/tapo-h100/ https://www.tp-link.com/us/support/download/tapo-p100/ https://www.tp-link.com/en/support/download/tapo-h100/ https://www.tp-link.com/en/support/download/tapo-p100/ https://www.tp-link.com/us/support/faq/4949/ |
| Go standard library–os | It was possible to improperly access the parent directory of an os.Root by opening a filename ending in “../”. For example, Root.Open(“../”) would open the parent directory of the Root. This escape only permits opening the parent directory itself, not ancestors of the parent or files contained within the parent. | 2026-02-04 | not yet calculated | CVE-2025-22873 | https://go.dev/cl/670036 https://go.dev/issue/73555 https://groups.google.com/g/golang-announce/c/UZoIkUT367A/m/5WDxKizJAQAJ https://pkg.go.dev/vuln/GO-2026-4403 |
| Hancom Inc.–Hancom Office 2018 | Access of Resource Using Incompatible Type (‘Type Confusion’) vulnerability in Hancom Inc. Hancom Office 2018, Hancom Inc. Hancom Office 2020, Hancom Inc. Hancom Office 2022, Hancom Inc. Hancom Office 2024 allows File Content Injection. This issue affects Hancom Office 2018: before 10.0.0.12681; Hancom Office 2020: before 11.0.0.8916; Hancom Office 2022: before 12.0.0.4426; Hancom Office 2024: before 13.0.0.3050. | 2026-02-04 | not yet calculated | CVE-2025-29867 | https://www.boho.or.kr/kr/bbs/view.do?searchCnd=&bbsId=B0000302&searchWrd=&menuNo=205023&pageIndex=1&categoryCode=&nttId=71959 https://www.hancom.com/support/downloadCenter/download |
| Significant-Gravitas–AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.32, there is a DoS vulnerability in ReadRSSFeedBlock. In RSSBlock, feedparser.parser is called to obtain the XML file according to the URL input by the user, parse the XML, and finally obtain the parsed result. However, during the parsing process, there is no limit on the parsing time and the resources that can be allocated for parsing. When a malicious user lets RSSBlock parse a carefully constructed, deep XML, it will cause memory resources to be exhausted, eventually causing DoS. This issue has been patched in autogpt-platform-beta-v0.6.32. | 2026-02-05 | not yet calculated | CVE-2025-32393 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-5cqw-g779-9f9x https://github.com/Significant-Gravitas/AutoGPT/commit/57a06f70883ce6be18738c6ae8bb41085c71e266 |
| Luna Imaging–LUNA | Stored Cross-Site Scripting (XSS) vulnerability type in LUNA software v7.5.5.6. This vulnerability allows an attacker to execute JavaScript code in the victim’s browser by inyecting a malicious payload through the ‘Edit Batch Name’ function. THe payload is stored by the application and subsequently displayed without proper sanitization when other users access it. This vulnerability can be exploited to steal sensitive user data, such as session cookies, or to perform actions on behalf of the user. | 2026-02-03 | not yet calculated | CVE-2025-41065 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-luna-luna-imaging |
| Apidog–Apidog Web Platform | Stored Cross-Site Scripting (XSS) vulnerability type in Apidog in the version 2.7.15, where SVG image uploads are not properly sanitized. This allows attackers to embed malicious scripts in SVG files by sending a POST request to ‘/api/v1/user-avatar’, which are then stored on the server and executed in the context of any user accessing the compromised resource. | 2026-02-04 | not yet calculated | CVE-2025-41085 | https://www.incibe.es/en/incibe-cert/notices/aviso/stored-cross-site-scripting-xss-apidog-web-platform |
| n/a–Tinyfilemanager 2.6 | Tiny File Manager through 2.6 contains a server-side request forgery (SSRF) vulnerability in the URL upload feature. Due to insufficient validation of user-supplied URLs, an attacker can send crafted requests to localhost by using http://www.127.0.0.1.example.com/ or a similarly constructed domain name. This may lead to unauthorized port scanning or access to internal-only services. | 2026-02-03 | not yet calculated | CVE-2025-46651 | https://github.com/prasathmani/tinyfilemanager/blob/master/tinyfilemanager.php#L608 https://github.com/RobertoLuzanilla/tinyfilemanager-security-advisories/blob/main/CVE-2025-46651.md |
| golang.org/x/net–golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has quadratic parsing complexity when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-47911 | https://go.dev/cl/709876 https://github.com/golang/vulndb/issues/4440 https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://pkg.go.dev/vuln/GO-2026-4440 |
| n/a–Beijing YouDataSum Tech | YouDataSum CPAS Audit Management System <=v4.9 is vulnerable to SQL Injection in /cpasList/findArchiveReportByDah due to insufficient input validation. This allows remote unauthenticated attackers to execute arbitrary SQL commands via crafted input to the parameter. Successful exploitation could lead to unauthorized data access | 2026-02-03 | not yet calculated | CVE-2025-57529 | https://github.com/songqb-xx/CPAS-bug https://github.com/songqb-xx/CVE-2025-57529/blob/main/README.md |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted set of network packets containing an excessive number of host entries This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58077 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| golang.org/x/net–golang.org/x/net/html | The html.Parse function in golang.org/x/net/html has an infinite parsing loop when processing certain inputs, which can lead to denial of service (DoS) if an attacker provides specially crafted HTML content. | 2026-02-05 | not yet calculated | CVE-2025-58190 | https://groups.google.com/g/golang-announce/c/jnQcOYpiR2c https://github.com/golang/vulndb/issues/4441 https://go.dev/cl/709875 https://pkg.go.dev/vuln/GO-2026-4441 |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_delts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58340 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58340/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_cert_disable_ht_vht write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58341 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58341/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/uapsd write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58342 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58342/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/create_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58343 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58343/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation in a /proc/driver/unifi0/conn_log_event_burst_to_us write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58344 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58344/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/ap_certif_11ax_mode write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58345 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58345/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/send_addts write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58346 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58346/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/p2p_certif write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58347 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58347/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in the Wi-Fi driver in Samsung Mobile Processor and Wearable Processor Exynos 980, 850, 1080, 1280, 1330, 1380, 1480, 1580, W920, W930 and W1000. There is unbounded memory allocation via a large buffer in a /proc/driver/unifi0/confg_tspec write operation, leading to kernel memory exhaustion. | 2026-02-03 | not yet calculated | CVE-2025-58348 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-58348 |
| Brocade–Fabric OS | Brocade Fabric OS before 9.2.1 has a vulnerability that could allow a local authenticated attacker to reveal command line passwords using commands that may expose higher privilege sensitive information by a lower privileged user. | 2026-02-03 | not yet calculated | CVE-2025-58379 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36850 |
| Brocade–Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1 could allow an authenticated attacker with admin privileges using the shell command “grep” to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58380 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36854 |
| Brocade–Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c2 could allow an authenticated attacker with admin privileges using the shell commands “source, ping6, sleep, disown, wait to modify the path variables and move upwards in the directory structure or to traverse to different directories. | 2026-02-03 | not yet calculated | CVE-2025-58381 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36853 |
| Brocade–Fabric OS | A vulnerability in the secure configuration of authentication and management services in Brocade Fabric OS before Fabric OS 9.2.1c2 could allow an authenticated, remote attacker with administrative credentials to execute arbitrary commands as root using “supportsave”, “seccertmgmt”, “configupload” command. | 2026-02-03 | not yet calculated | CVE-2025-58382 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36849 |
| Brocade–Fabric OS | A vulnerability in Brocade Fabric OS versions before 9.2.1c2 could allow an administrator-level user to execute the bind command, to escalate privileges and bypass security controls allowing the execution of arbitrary commands. | 2026-02-03 | not yet calculated | CVE-2025-58383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36878 |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-58455 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| Semiconductor[.]Samsung[.]com–Processor Exynos | An issue was discovered in Samsung Mobile Processor, Wearable Processor and Modem Exynos 980, 990, 850, 1080, 9110, W920, W930, W1000 and Modem 5123. Incorrect handling of NAS Registration messages leads to a Denial of Service because of Improper Handling of Exceptional Conditions. | 2026-02-03 | not yet calculated | CVE-2025-59439 | https://semiconductor.samsung.com/support/quality-support/product-security-updates/ https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59482 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code. The vulnerability arises from improper validation of a packet field whose offset is used to determine the write location in memory. By crafting a packet with a manipulated field offset, an attacker can redirect writes to arbitrary memory locations. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-59487 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| NICE–NICE Chat | HTML injection vulnerability in NICE Chat. This vulnerability allows an attacker to inject and render arbitrary HTML content in email transcripts by modifying the ‘firstName’ and ‘lastName’ parameters during a chat session. The injected HTML is included in the body of the email sent by the system, which could enable phishing attacks, impersonation, or credential theft. | 2026-02-03 | not yet calculated | CVE-2025-59902 | https://www.incibe.es/en/incibe-cert/notices/aviso/html-injection-nice-chat |
| www[.]pchelpsoft[.]com–Avanquest Driver Updater v.9 | Insecure Permissions vulnerability in avanquest Driver Updater v.9.1.57803.1174 allows a local attacker to escalate privileges via the Driver Updater Service windows component. | 2026-02-03 | not yet calculated | CVE-2025-60865 | https://www.pchelpsoft.com/products/driver-updater/ https://github.com/parad0x1334/CVE-Disclosures/tree/50e5d2bf33b2926db2cb14d47d392b38ac619a41/Driver%20Updater%20-%20PCHelpsoft |
| n/a–MediaCrush | An issue was discovered in MediaCrush thru 1.0.1 allowing remote unauthenticated attackers to upload arbitrary files of any size to the /upload endpoint. | 2026-02-03 | not yet calculated | CVE-2025-61506 | https://gist.github.com/pescada-dev/a046d36e8026bbaf1ee591c6dad0d7e6 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Rest/Handler/PageHTMLHandler.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61634 | https://phabricator.wikimedia.org/T387478 |
| Wikimedia Foundation–ConfirmEdit | Vulnerability in Wikimedia Foundation ConfirmEdit. This vulnerability is associated with program files includes/FancyCaptcha/ApiFancyCaptchaReload.Php. This issue affects ConfirmEdit: *. | 2026-02-02 | not yet calculated | CVE-2025-61635 | https://phabricator.wikimedia.org/T355073 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61636 | https://phabricator.wikimedia.org/T394396 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Action/mediawiki.Action.Edit.Preview.Js, resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61637 | https://phabricator.wikimedia.org/T394856 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Parsoid. This vulnerability is associated with program files includes/parser/Sanitizer.Php, src/Core/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Parsoid: from * before 0.16.6, 0.20.4, 0.21.1. | 2026-02-02 | not yet calculated | CVE-2025-61638 | https://phabricator.wikimedia.org/T401099 |
| Wikimedia Foundation–MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/logging/ManualLogEntry.Php, includes/recentchanges/RecentChangeFactory.Php, includes/recentchanges/RecentChangeStore.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61639 | https://phabricator.wikimedia.org/T280413 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/RclToOrFromWidget.Js. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61640 | https://phabricator.wikimedia.org/T402075 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiQueryAllPages.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61641 | https://phabricator.wikimedia.org/T298690 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/CodexHTMLForm.Php, includes/htmlform/fields/HTMLButtonField.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61642 | https://phabricator.wikimedia.org/T402313 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/recentchanges/RecentChangeRCFeedNotifier.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-02 | not yet calculated | CVE-2025-61643 | https://phabricator.wikimedia.org/T403757 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Rcfilters/ui/WatchlistTopSectionWidget.Js. This issue affects MediaWiki: from * before > fb856ce9cf121e046305116852cca4899ecb48ca. | 2026-02-02 | not yet calculated | CVE-2025-61644 | https://phabricator.wikimedia.org/T403411 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/pager/CodexTablePager.Php. This issue affects MediaWiki: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61645 | https://phabricator.wikimedia.org/T403761 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/RecentChanges/EnhancedChangesList.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61646 | https://phabricator.wikimedia.org/T398706 |
| Wikimedia Foundation–CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Api/Rest/Handler/UserInfoHandler.Php. This issue affects CheckUser: from a3dc1bbcc33acbcca6831d6afaccbb1054c93a57, 0584eb2ad564648aa3ce9c555dd044dda02b55f4. | 2026-02-03 | not yet calculated | CVE-2025-61647 | https://phabricator.wikimedia.org/T399093 |
| Wikimedia Foundation–CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser.TempAccounts/components/ShowIPButton.Vue, modules/ext.CheckUser.TempAccounts/SpecialBlock.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61648 | https://phabricator.wikimedia.org/T402077 |
| Wikimedia Foundation–CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from 7cedd58781d261f110651b6af4f41d2d11ae7309. | 2026-02-03 | not yet calculated | CVE-2025-61649 | https://phabricator.wikimedia.org/T397396 |
| Wikimedia Foundation–CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/Services/CheckUserUserInfoCardService.Php. This issue affects CheckUser: from * before 795bf333272206a0189050d975e94b70eb7dc507. | 2026-02-03 | not yet calculated | CVE-2025-61650 | https://phabricator.wikimedia.org/T403289 |
| Wikimedia Foundation–CheckUser | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files modules/ext.CheckUser/checkuser/checkUserHelper/buildUserElement.Js. This issue affects CheckUser: from * before 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61651 | https://phabricator.wikimedia.org/T403408 |
| Wikimedia Foundation–DiscussionTools | Vulnerability in Wikimedia Foundation DiscussionTools. This issue affects DiscussionTools: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61652 | https://phabricator.wikimedia.org/T397580 |
| Wikimedia Foundation–TextExtracts | Vulnerability in Wikimedia Foundation TextExtracts. This vulnerability is associated with program files includes/ApiQueryExtracts.Php. This issue affects TextExtracts: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61653 | https://phabricator.wikimedia.org/T397577 |
| Wikimedia Foundation–Thanks | Vulnerability in Wikimedia Foundation Thanks. This vulnerability is associated with program files includes/ThanksQueryHelper.Php. This issue affects Thanks: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61654 | https://phabricator.wikimedia.org/T397497 https://nvd.nist.gov/vuln/detail/CVE-2025-62661 |
| Wikimedia Foundation–VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files includes/ApiVisualEditorEdit.Php, modules/ve-mw/init/targets/ve.Init.Mw.DesktopArticleTarget.Js, modules/ve-mw/ui/dialogs/ve.Ui.MWSaveDialog.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61655 | https://phabricator.wikimedia.org/T395858 |
| Wikimedia Foundation–VisualEditor | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation VisualEditor. This vulnerability is associated with program files src/ce/ve.Ce.ClipboardHandler.Js. This issue affects VisualEditor: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61656 | https://phabricator.wikimedia.org/T397232 |
| Wikimedia Foundation–Vector | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/stickyHeader.Js. This issue affects Vector: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61657 | https://phabricator.wikimedia.org/T398636 |
| Wikimedia Foundation–CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files src/GlobalContributions/GlobalContributionsPager.Php. This issue affects CheckUser: from * before 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-61658 | https://phabricator.wikimedia.org/T404805 |
| Go toolchain–cmd/cgo | A discrepancy between how Go and C/C++ comments were parsed allowed for code smuggling into the resulting cgo binary. | 2026-02-05 | not yet calculated | CVE-2025-61732 | https://go.dev/cl/734220 https://go.dev/issue/76697 https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://pkg.go.dev/vuln/GO-2026-4433 |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61944 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing an excessive number of fields with zero‑length values. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-61983 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| run-llama–run-llama/llama_index | The `SimpleDirectoryReader` component in `llama_index.core` version 0.12.23 suffers from uncontrolled memory consumption due to a resource management flaw. The vulnerability arises because the user-specified file limit (`num_files_limit`) is applied after all files in a directory are loaded into memory. This can lead to memory exhaustion and degraded performance, particularly in environments with limited resources. The issue is resolved in version 0.12.41. | 2026-02-02 | not yet calculated | CVE-2025-6208 | https://huntr.com/bounties/7d722bb6-6567-4608-8b23-f95048d7605a https://github.com/run-llama/llama_index/commit/53614e2f7913c0e86b58add9470b3c900b6c60b2 |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62404 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows authenticated adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a field whose length exceeds the maximum expected value. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62405 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| TP-Link Systems Inc.–Archer AX53 v1.0 | SSH Hostkey misconfiguration vulnerability in TP-Link Archer AX53 v1.0 (tmpserver modules) allows attackers to obtain device credentials through a specially crafted man‑in‑the‑middle (MITM) attack. This could enable unauthorized access if captured credentials are reused. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62501 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage – specifically by tampering with the length field in readPropertySeq – are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versi ons 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62599 | https://security-tracker.debian.org/tracker/CVE-2025-62599 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of PID_IDENTITY_TOKEN or PID_PERMISSION_TOKEN in the DATA Submessage – specifically by tampering with the length field in readBinaryPropertySeq – are modified, an integer overflow occurs, leading to an OOM during the resize operation. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62600 | https://security-tracker.debian.org/tracker/CVE-2025-62600 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage – specifically by tampering with the `str_size` value read by `readString` (called from `readBinaryProperty`) – are modified, a 32-bit integer overflow can occur, causing `std::vector::resize` to use an attacker-controlled size and quickly trigger heap buffer overflow and remote process term ination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62601 | https://security-tracker.debian.org/tracker/CVE-2025-62601 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes a heap buffer overflow, resulting in remote termination of Fast-DDS. If the fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with – specially `readOctetVector` reads an unchecked `vecsize` that is propagated unchanged into `readData` as the `length` parameter – the attacker-contro lled `vecsize` can trigger a 32-bit integer overflow during the `length` calculation. That overflow can cause large alloca tion attempt that quickly leads to OOM, enabling a remotely-triggerable denial-of-service and remote process termination. Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62602 | https://security-tracker.debian.org/tracker/CVE-2025-62602 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). ParticipantGenericMessage is the DDS Security control-message container that carries not only the handshake but also on going security-control traffic after the handshake, such as crypto-token exchange, rekeying, re-authentication, and token delivery for newly appearing endpoints. On receive, the CDR parser is invoked first and deserializes the `message_data` (i .e., the `DataHolderSeq`) via the `readParticipantGenericMessage → readDataHolderSeq` path. The `DataHolderSeq` is parsed sequentially: a sequence count (`uint32`), and for each DataHolder the `class_id` string (e.g. `DDS:Auth:PKI-DH:1.0+Req`), string properties (a sequence of key/value pairs), and binary properties (a name plus an octet-vector). The parser operat es at a stateless level and does not know higher-layer state (for example, whether the handshake has already completed), s o it fully unfolds the structure before distinguishing legitimate from malformed traffic. Because RTPS permits duplicates, delays, and retransmissions, a receiver must perform at least minimal structural parsing to check identity and sequence n umbers before discarding or processing a message; the current implementation, however, does not “peek” only at a minimal header and instead parses the entire `DataHolderSeq`. As a result, prior to versions 3.4.1, 3.3.1, and 2.6.11, this parsi ng behavior can trigger an out-of-memory condition and remotely terminate the process. Versions 3.4.1, 3.3.1, and 2.6.11 p atch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62603 | https://security-tracker.debian.org/tracker/CVE-2025-62603 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| Significant-Gravitas–AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in RSSFeedBlock, the third-party library urllib.request.urlopen is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62615 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-r55v-q5pc-j57f |
| Significant-Gravitas–AutoGPT | AutoGPT is a platform that allows users to create, deploy, and manage continuous artificial intelligence agents that automate complex workflows. Prior to autogpt-platform-beta-v0.6.34, in SendDiscordFileBlock, the third-party library aiohttp.ClientSession().get is used directly to access the URL, but the input URL is not filtered, which will cause SSRF vulnerability. This issue has been patched in autogpt-platform-beta-v0.6.34. | 2026-02-04 | not yet calculated | CVE-2025-62616 | https://github.com/Significant-Gravitas/AutoGPT/security/advisories/GHSA-ggc4-4fmm-9hmc |
| TP-Link Systems Inc.–Archer AX53 v1.0 | Heap-based Buffer Overflow vulnerability in TP-Link Archer AX53 v1.0 (tdpserver modules) allows adjacent attackers to cause a segmentation fault or potentially execute arbitrary code via a specially crafted network packet containing a maliciously formed field. This issue affects Archer AX53 v1.0: through 1.3.1 Build 20241120. | 2026-02-03 | not yet calculated | CVE-2025-62673 | https://talosintelligence.com/vulnerability_reports/ https://www.tp-link.com/en/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/my/support/download/archer-ax53/v1/#Firmware https://www.tp-link.com/us/support/faq/4943/ |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a heap buffer overflow exists in the Fast-DDS DATA_FRAG receive path. An un authenticated sender can transmit a single malformed RTPS DATA_FRAG packet where `fragmentSize` and `sampleSize` are craft ed to violate internal assumptions. Due to a 4-byte alignment step during fragment metadata initialization, the code write s past the end of the allocated payload buffer, causing immediate crash (DoS) and potentially enabling memory corruption ( RCE risk). Versions 3.4.1, 3.3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-62799 | https://security-tracker.debian.org/tracker/CVE-2025-62799 https://github.com/eProsima/Fast-DDS/commit/d6dd58f4ecd28cd1c3bc4ef0467be9110fa94659 https://github.com/eProsima/Fast-DDS/commit/0c3824ef4991628de5dfba240669dc6172d63b46 https://github.com/eProsima/Fast-DDS/commit/955c8a15899dc6eb409e080fe7dc89e142d5a514 |
| Articentgroup–Zip Rar Extractor 1.3 | Articentgroup Zip Rar Extractor Tool 1.345.93.0 is vulnerable to Directory Traversal. The vulnerability resides in the ZIP file processing component, specifically in the functionality responsible for extracting and handling ZIP archive contents. | 2026-02-03 | not yet calculated | CVE-2025-63372 | https://articentgroup.com/zip-rar-extractor-tool/ |
| Shandong Kede Electronics–Water meter monitor v.1 | SQL Injection vulnerability in Shandong Kede Electronics Co., Ltd IoT smart water meter monitoring platform v.1.0 allows a remote attacker to execute arbitrary code via the imei_list.aspx file. | 2026-02-03 | not yet calculated | CVE-2025-63624 | https://github.com/songqb-xx/Internet-of-Things-Smart-Water-Meter-Monitoring-Platform-Unauthorized-RCE |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, when the security mode is enabled, modifying the DATA Submessage within an SPDP packet sent by a publisher causes an Out-Of-Memory (OOM) condition, resulting in remote termination of Fast-DDS. If t he fields of `PID_IDENTITY_TOKEN` or `PID_PERMISSIONS_TOKEN` in the DATA Submessage are tampered with – specifically by ta mpering with the the `vecsize` value read by `readOctetVector` – a 32-bit integer overflow can occur, causing `std::vector ::resize` to request an attacker-controlled size and quickly trigger OOM and remote process termination. Versions 3.4.1, 3 .3.1, and 2.6.11 patch the issue. | 2026-02-03 | not yet calculated | CVE-2025-64098 | https://security-tracker.debian.org/tracker/CVE-2025-64098 https://github.com/eProsima/Fast-DDS/commit/354218514d32beac963ff5c306f1cf159ee37c5f https://github.com/eProsima/Fast-DDS/commit/ced3b6f92d928af1eae77d5fe889878128ad421a https://github.com/eProsima/Fast-DDS/commit/a726e6a5daba660418d1f7c05b6f203c17747d2b |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, due to the insufficient patch for CVE-2024-56731, it’s still possible to update files in the .git directory and achieve remote command execution. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64111 | https://github.com/gogs/gogs/security/advisories/GHSA-gg64-xxr9-qhjp |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, Gogs’ 2FA recovery code validation does not scope codes by user, enabling cross-account bypass. If an attacker knows a victim’s username and password, they can use any unused recovery code (e.g., from their own account) to bypass the victim’s 2FA. This enables full account takeover and renders 2FA ineffective in all environments where it’s enabled.. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2025-64175 | https://github.com/gogs/gogs/security/advisories/GHSA-p6x6-9mx6-26wj |
| eProsima–Fast-DDS | Fast DDS is a C++ implementation of the DDS (Data Distribution Service) standard of the OMG (Object Management Group ). Prior to versions 3.4.1, 3.3.1, and 2.6.11, a remotely triggerable Out-of-Memory (OOM) denial-of-service exists in Fast -DDS when processing RTPS GAP submessages under RELIABLE QoS. By sending a tiny GAP packet with a huge gap range (`gapList .base – gapStart`), an attacker drives `StatefulReader::processGapMsg()` into an unbounded loop that inserts millions of s equence numbers into `WriterProxy::changes_received_` (`std::set`), causing multi-GB heap growth and process termination. No authentication is required beyond network reachability to the reader on the DDS domain. In environments without an RSS limit (non-ASan / unlimited), memory consumption was observed to rise to ~64 GB. Versions 3.4.1, 3.3.1, and 2.6.11 patch t he issue. | 2026-02-03 | not yet calculated | CVE-2025-64438 | https://security-tracker.debian.org/tracker/CVE-2025-64438 https://github.com/eProsima/Fast-DDS/commit/0b0cb308eaeeb2175694aa0a0a723106824ce9a7 https://github.com/eProsima/Fast-DDS/commit/71da01b4aea4d937558984f2cf0089f5ba3c871f https://github.com/eProsima/Fast-DDS/commit/8ca016134dac20b6e30e42b7b73466ef7cdbc213 |
| decidim–decidim | Decidim is a participatory democracy framework. In versions from 0.30.0 to before 0.30.4 and from 0.31.0.rc1 to before 0.31.0, the private data exports can lead to data leaks in case the UUID generation, causing collisions for the generated UUIDs. This issue has been patched in versions 0.30.4 and 0.31.0. | 2026-02-03 | not yet calculated | CVE-2025-65017 | https://github.com/decidim/decidim/security/advisories/GHSA-3cx6-j9j4-54mp https://github.com/decidim/decidim/pull/13571 https://github.com/decidim/decidim/releases/tag/v0.30.4 https://github.com/decidim/decidim/releases/tag/v0.31.0 |
| Lexmark–MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A relative path traversal vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65077 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark–MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An untrusted search path vulnerability has been identified in the Embedded Solutions Framework in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-65078 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark–MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A heap-based buffer overflow vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65079 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark–MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | A type confusion vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65080 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Lexmark–MXTCT, MSNGM, MSTGM, MXNGM, MXTGM, CSNGV, CSTGV, CXTGV, MSNGW, MSTGW, MXTGW, CSTLS, CXTLS, MXTLS, CSTMM, CXTMM, CSTPC, CXTPC, MXTPM, MSNSN, MSTSN, MXTSN, CSNZJ, CSTZJ, CXNZJ, CXTZJ | An out-of-bounds read vulnerability has been identified in the Postscript interpreter in various Lexmark devices. This vulnerability can be leveraged by an attacker to execute arbitrary code as an unprivileged user. | 2026-02-03 | not yet calculated | CVE-2025-65081 | https://www.lexmark.com/en_us/solutions/security/lexmark-security-advisories.html |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php. This issue affects MediaWiki: >= 1.42.0. | 2026-02-02 | not yet calculated | CVE-2025-6589 | https://phabricator.wikimedia.org/T391343 |
| Wikimedia Foundation–MediaWiki | Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/htmlform/fields/HTMLUserTextField.Php. This issue affects MediaWiki: from * through 1.39.12, 1.42.76 1.43.1, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6590 | https://phabricator.wikimedia.org/T392746 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/api/ApiFeedContributions.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6591 | https://phabricator.wikimedia.org/T392276 |
| Wikimedia Foundation–AbuseFilter | Vulnerability in Wikimedia Foundation AbuseFilter. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects AbuseFilter: from fe0b1cb9e9691faf4d8d9bd80646589f6ec37615 before 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6592 | https://phabricator.wikimedia.org/T391218 |
| n/a–ERPNext | A Stored Cross-Site Scripting (XSS) vulnerability was discovered within the CSV import mechanism of ERPNext thru 15.88.1 when using the Update Existing Recordsoption. An attacker can embed malicious JavaScript code into a CSV field, which is then stored in the database and executed whenever the affected record is viewed by a user within the ERPNext web interface. This exposure may allow an attacker to compromise user sessions or perform unauthorized actions under the context of a victim’s account. | 2026-02-03 | not yet calculated | CVE-2025-65923 | https://github.com/frappe/frappe_docker.git |
| n/a–ERPNext | ERPNext thru 15.88.1 does not sanitize or remove certain HTML tags specifically `<a>` hyperlinks in fields that are intended for plain text. Although JavaScript is blocked (preventing XSS), the HTML is still preserved in the generated PDF document. As a result, an attacker can inject malicious clickable links into an ERP-generated PDF. Since PDF files generated by the ERP system are generally considered trustworthy, users are highly likely to click these links, potentially enabling phishing attacks or malware delivery. This issue occurs in the Add Quality Goal’ function. | 2026-02-03 | not yet calculated | CVE-2025-65924 | https://github.com/frappe/frappe_docker.git |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/user/User.Php. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6593 | https://phabricator.wikimedia.org/T396230 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandbox.Js. This issue affects MediaWiki: from 1.27.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6594 | https://phabricator.wikimedia.org/T395063 |
| Wikimedia Foundation–MultimediaViewer | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MultimediaViewer. This issue affects MultimediaViewer: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6595 | https://phabricator.wikimedia.org/T394863 |
| Wikimedia Foundation–Vector | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation Vector. This vulnerability is associated with program files resources/skins.Vector.Js/portlets.Js, resources/skins.Vector.Legacy.Js/portlets.Js. This issue affects Vector: from >= 1.40.0 before 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6596 | https://phabricator.wikimedia.org/T396685 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/auth/AuthManager.Php. This issue affects MediaWiki: from * before 1.39.13, 1.42.7, 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6597 | https://phabricator.wikimedia.org/T389009 |
| CyberArk–CyberArk Endpoint Agent v25.10.0 | CyberArk Endpoint Privilege Manager Agent through 25.10.0 allows a local user to achieve privilege escalation through policy elevation of an Administration task. | 2026-02-03 | not yet calculated | CVE-2025-66374 | https://www.cyberark.com/product-security/ https://www.cyberark.com/ca26-01 https://docs.cyberark.com/epm/latest/en/content/release%20notes/rn-whatsnew25-12.htm#Security |
| TOTOlink–A950RG Router | TOTOLINK A950RG V4.1.2cu.5204_B20210112 contains a buffer overflow vulnerability in the setUrlFilterRules interface of /lib/cste_modules/firewall.so. The vulnerability occurs because the `url` parameter is not properly validated for length, allowing remote attackers to trigger a buffer overflow, potentially leading to arbitrary code execution or denial of service. | 2026-02-03 | not yet calculated | CVE-2025-67186 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setUrlFliterRules-url-buffer.md |
| TOTOlink–A950RG Router | A stack-based buffer overflow vulnerability was identified in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The flaw exists in the setIpQosRules interface of /lib/cste_modules/firewall.so where the comment parameter is not properly validated for length. | 2026-02-03 | not yet calculated | CVE-2025-67187 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setIpQosRules-comment-buffer.md |
| TOTOlink–A950RG Router | A buffer overflow vulnerability exists in TOTOLINK A950RG V4.1.2cu.5204_B20210112. The issue resides in the setRadvdCfg interface of the /lib/cste_modules/ipv6.so module. The function fails to properly validate the length of the user-controlled radvdinterfacename parameter, allowing remote attackers to trigger a stack buffer overflow. | 2026-02-03 | not yet calculated | CVE-2025-67188 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-ipv6-setRadvdCfg-radvdinterfacename-buffer.md |
| TOTOlink–A950RG Router | A buffer overflow vulnerability exists in the setParentalRules interface of TOTOLINK A950RG V4.1.2cu.5204_B20210112. The urlKeyword parameter is not properly validated, and the function concatenates multiple user-controlled fields into a fixed-size stack buffer without performing boundary checks. A remote attacker can exploit this flaw to cause denial of service or potentially achieve arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2025-67189 | https://github.com/SunnyYANGyaya/cuicuishark-sheep-fishIOT/blob/main/ToTolink/A950RG/5024-setParentRules-urlKeyWord-buffer.md |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/CommentFormatter/CommentParser.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67475 | https://phabricator.wikimedia.org/T406664 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Import/ImportableOldRevisionImporter.Php. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67476 | https://phabricator.wikimedia.org/T405859 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Special.Apisandbox/ApiSandboxLayout.Js. This issue affects MediaWiki: from * before 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67477 | https://phabricator.wikimedia.org/T406639 |
| Wikimedia Foundation–CheckUser | Vulnerability in Wikimedia Foundation CheckUser. This vulnerability is associated with program files includes/Mail/UserMailer.Php. This issue affects CheckUser: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67478 | https://phabricator.wikimedia.org/T385403 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki, Wikimedia Foundation Cite. This vulnerability is associated with program files includes/Parser/CoreParserFunctions.Php, includes/Parser/Sanitizer.Php. This issue affects MediaWiki: from * before 1.39.14, 1.43.4, 1.44.1; Cite: from * before 1.39.14, 1.43.4, 1.44.1. | 2026-02-03 | not yet calculated | CVE-2025-67479 | https://phabricator.wikimedia.org/T407131 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiQueryRevisionsBase.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67480 | https://phabricator.wikimedia.org/T401053 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.JqueryMsg/mediawiki.JqueryMsg.Js. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67481 | https://phabricator.wikimedia.org/T251032 |
| Wikimedia Foundation–Scribunto | Vulnerability in Wikimedia Foundation Scribunto, Wikimedia Foundation luasandbox. This vulnerability is associated with program files includes/Engines/LuaCommon/lualib/mwInit.Lua, library.C. This issue affects Scribunto: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1; luasandbox: from * before fea2304f8f6ab30314369a612f4f5b165e68e95a. | 2026-02-03 | not yet calculated | CVE-2025-67482 | https://phabricator.wikimedia.org/T408135 |
| Wikimedia Foundation–MediaWiki | Improper Neutralization of Input During Web Page Generation (XSS or ‘Cross-site Scripting’) vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files resources/src/mediawiki.Page.Preview.Js. This issue affects MediaWiki: from * before 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67483 | https://phabricator.wikimedia.org/T409226 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Api/ApiFormatXml.Php. This issue affects MediaWiki: from * before 1.39.16, 1.43.6, 1.44.3, 1.45.1. | 2026-02-03 | not yet calculated | CVE-2025-67484 | https://phabricator.wikimedia.org/T401995 |
| Go standard library–crypto/tls | During session resumption in crypto/tls, if the underlying Config has its ClientCAs or RootCAs fields mutated between the initial handshake and the resumed handshake, the resumed handshake may succeed when it should have failed. This may happen when a user calls Config.Clone and mutates the returned Config, or uses Config.GetConfigForClient. This can cause a client to resume a session with a server that it would not have resumed with during the initial handshake, or cause a server to resume a session with a client that it would not have resumed with during the initial handshake. | 2026-02-05 | not yet calculated | CVE-2025-68121 | https://groups.google.com/g/golang-announce/c/K09ubi9FQFk https://go.dev/cl/737700 https://go.dev/issue/77217 https://pkg.go.dev/vuln/GO-2026-4337 |
| Axigen–Mail Server | Axigen Mail Server before 10.5.57 allows stored Cross-Site Scripting (XSS) in the handling of the timeFormat account preference parameter. Attackers can exploit this by deploying a multi-stage attack. In the first stage, a malicious JavaScript payload is injected into the timeFormat preference by exploiting a separate vulnerability or using compromised credentials. In the second stage, when the victim logs into the WebMail interface, the unsanitized timeFormat value is loaded from storage and inserted into the DOM, causing the injected script to execute. | 2026-02-05 | not yet calculated | CVE-2025-68643 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebMail-Stored-XSS-Vulnerability-CVE-2025-68643-_405.html |
| Axigen–Mail Server | Axigen Mail Server before 10.5.57 contains an improper access control vulnerability in the WebAdmin interface. A delegated admin account with zero permissions can bypass access control checks and gain unauthorized access to the SSL Certificates management endpoint (page=sslcerts). This allows the attacker to view, download, upload, and delete SSL certificate files, despite lacking the necessary privileges to access the Security & Filtering section. | 2026-02-05 | not yet calculated | CVE-2025-68721 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Improper-Access-Control-Vulnerability-CVE-2025-68721-_406.html |
| Axigen–Mail Server | Axigen Mail Server before 10.5.57 and 10.6.x before 10.6.26 contains a Cross-Site Request Forgery (CSRF) vulnerability in the WebAdmin interface through improper handling of the _s (breadcrumb) parameter. The application accepts state-changing requests via the GET method and automatically processes base64-encoded commands queued in the _s parameter immediately after administrator authentication. Attackers can craft malicious URLs that, when clicked by administrators, execute arbitrary administrative actions upon login without further user interaction, including creating rogue administrator accounts or modifying critical server configurations. | 2026-02-05 | not yet calculated | CVE-2025-68722 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-CSRF-Vulnerability-CVE-2025-68722-_407.html |
| Axigen–Mail Server | Axigen Mail Server before 10.5.57 contains multiple stored Cross-Site Scripting (XSS) vulnerabilities in the WebAdmin interface. Three instances exist: (1) the log file name parameter in the Local Services Log page, (2) certificate file content in the SSL Certificates View Usage feature, and (3) the Certificate File name parameter in the WebMail Listeners SSL settings. Attackers can inject malicious JavaScript payloads that execute in administrators’ browsers when they access affected pages or features, enabling privilege escalation attacks where low-privileged admins can force high-privileged admins to perform unauthorized actions. | 2026-02-05 | not yet calculated | CVE-2025-68723 | https://www.axigen.com/mail-server/download/ https://www.axigen.com/knowledgebase/Axigen-WebAdmin-Stored-XSS-Vulnerabilities-CVE-2025-68723-_408.html |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, a critical OS Command Injection vulnerability exists in the P7M (signed XML) file decoding functionality. An authenticated attacker can upload a ZIP file containing a .p7m file with a malicious filename to execute arbitrary system commands on the server. | 2026-02-06 | not yet calculated | CVE-2025-69212 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-25fp-8w8p-mx36 |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, a SQL Injection vulnerability exists in the ajax_complete.php endpoint when handling the get_sedi operation. An authenticated attacker can inject malicious SQL code through the idanagrafica parameter, leading to unauthorized database access. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69213 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-w995-ff8h-rppg |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an SQL Injection vulnerability exists in the ajax_select.php endpoint when handling the componenti operation. An authenticated attacker can inject malicious SQL code through the options[matricola] parameter. | 2026-02-06 | not yet calculated | CVE-2025-69214 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qjv8-63xq-gq8m |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In version 2.9.8 and prior, there is a SQL Injection vulnerability in the Stampe Module. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2025-69215 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-qx9p-w3vj-q24q |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. In 2.9.8 and earlier, an authenticated SQL injection vulnerability in OpenSTAManager’s Scadenzario (Payment Schedule) print template allows any authenticated user to extract sensitive data from the database, including admin credentials, customer information, and financial records. The vulnerability exists in templates/scadenzario/init.php, where the id_anagrafica parameter is directly concatenated into an SQL query without proper sanitization. The vulnerability enables complete database read access through error-based SQL injection techniques. | 2026-02-06 | not yet calculated | CVE-2025-69216 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-q6g3-fv43-m2w6 |
| Wikimedia Foundation–MediaWiki | Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/specials/pagers/BlockListPager.Php, includes/api/ApiQueryBlocks.Php. This issue affects MediaWiki: from >= 1.42.0 before 1.39.13, 1.42.7 1.43.2, 1.44.0. | 2026-02-02 | not yet calculated | CVE-2025-6927 | https://phabricator.wikimedia.org/T397595 |
| ORICO–NAS CD3510 | The ORICO NAS CD3510 (version V1.9.12 and below) contains an Incorrect Symlink Follow vulnerability that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device’s slot, then access the USB drive’s symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69429 | https://www.notion.so/ORICO-NAS-Incorrect-Symlink-Follow-2c36cf4e528a80b7bf0be4dcac758419?source=copy_link |
| Yottamaster NAS– Symlink Follow | An Incorrect Symlink Follow vulnerability exists in multiple Yottamaster NAS devices, including DM2 (version equal to or prior to V1.9.12), DM3 (version equal to or prior to V1.9.12), and DM200 (version equal to or prior to V1.2.23) that could be exploited by attackers to leak or tamper with the internal file system. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device’s slot, then access the USB drive’s symlink directory mounted on the NAS to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69430 | https://www.notion.so/Yottamaster-Incorrect-Symlink-Follow-2c36cf4e528a8001b37cdad4be7431f8?source=copy_link |
| ZSPACE–Q2C NAS | The ZSPACE Q2C NAS contains a vulnerability related to incorrect symbolic link following. Attackers can format a USB drive to ext4, create a symbolic link to its root directory, insert the drive into the NAS device’s slot, and then access the USB drive’s directory mounted on the NAS using the Samba protocol. This allows them to obtain all files within the NAS system and tamper with those files. | 2026-02-03 | not yet calculated | CVE-2025-69431 | https://www.notion.so/ZSPACE-Incorrect-Symlink-Follow-2c26cf4e528a8087ba14d9b1d31a5bb2?source=copy_link |
| Coto[.]com–Tarot, Astro & Healing v11.4 | An arbitrary file overwrite vulnerability in the file import process of Tarot, Astro & Healing v11.4.0 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69618 | https://secsys.fudan.edu.cn/ http://coto.com https://coto.world/ https://github.com/Secsys-FDU/AF_CVEs/issues/9 |
| Zipperapp[.]cafe24–Text Editor v1.6.2 | A path traversal in My Text Editor v1.6.2 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-05 | not yet calculated | CVE-2025-69619 | http://my.com https://secsys.fudan.edu.cn/ http://zipperapp.cafe24.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/10 |
| n/a–Moo Chan Song v4.5.7 | A path traversal in Moo Chan Song v4.5.7 allows attackers to cause a Denial of Service (DoS) via writing files to the internal storage. | 2026-02-04 | not yet calculated | CVE-2025-69620 | https://secsys.fudan.edu.cn/ http://office.com http://www.ntoolslab.com/ https://github.com/Secsys-FDU/AF_CVEs/issues/11 |
| n/a–Comic Book Reader v1.0.95 | An arbitrary file overwrite vulnerability in the file import process of Comic Book Reader v1.0.95 allows attackers to overwrite critical internal files, potentially leading to arbitrary code execution or exposure of sensitive information. | 2026-02-04 | not yet calculated | CVE-2025-69621 | https://secsys.fudan.edu.cn/ http://comic.com https://android-tools.ru/ https://github.com/Secsys-FDU/AF_CVEs/issues/12 |
| n/a–NetBox | NetBox is an open-source infrastructure resource modeling and IP address management platform. A reflected cross-site scripting (XSS) vulnerability exists in versions 2.11.0 through 3.7.x in the ProtectedError handling logic, where object names are included in HTML error messages without proper escaping. This allows user-controlled content to be rendered in the web interface when a delete operation fails due to protected relationships, potentially enabling execution of arbitrary client-side code in the context of a privileged user. | 2026-02-03 | not yet calculated | CVE-2025-69848 | https://github.com/netbox-community/netbox |
| n/a–Quick Heal Security 23.0.0 | A vulnerability exists in Quick Heal Total Security 23.0.0 in the quarantine management component where insufficient validation of restore paths and improper permission handling allow a low-privileged local user to restore quarantined files into protected system directories. This behavior can be abused by a local attacker to place files in high-privilege locations, potentially leading to privilege escalation. | 2026-02-03 | not yet calculated | CVE-2025-69875 | https://github.com/mertdas/QuickHealTotalSecurityPOC https://semiconductor.samsung.com/support/quality-support/product-security-updates/cve-2025-59439/ |
| n/a–Monstra CMS v3.0.4 | Monstra CMS v3.0.4 contains an arbitrary file upload vulnerability in the Files Manager plugin. The application relies on blacklist-based file extension validation and stores uploaded files directly in a web-accessible directory. Under typical server configurations, this can allow an attacker to upload files that are interpreted as executable code, resulting in remote code execution. | 2026-02-05 | not yet calculated | CVE-2025-69906 | https://github.com/monstra-cms/monstra/tree/master/plugins/box/filesmanager https://github.com/cypherdavy/CVE-2025-69906-Monstra-CMS-3.0.4-Arbitrary-File-Upload-to-RCE |
| n/a–FUXA v1.2.7 | FUXA v1.2.7 contains an insecure default configuration vulnerability in server/settings.default.js. The ‘secureEnabled’ flag is commented out by default, causing the application to initialize with authentication disabled. This allows unauthenticated remote attackers to access sensitive API endpoints, modify projects, and control industrial equipment immediately after installation. | 2026-02-03 | not yet calculated | CVE-2025-69970 | https://github.com/frangoteam/FUXA/blob/master/server/settings.default.js |
| n/a–FUXA v1.2.7 | FUXA v1.2.7 contains a hard-coded credential vulnerability in server/api/jwt-helper.js. The application uses a hard-coded secret key to sign and verify JWT Tokens. This allows remote attackers to forge valid admin tokens and bypass authentication to gain full administrative access. | 2026-02-03 | not yet calculated | CVE-2025-69971 | https://github.com/frangoteam/FUXA/blob/master/server/api/jwt-helper.js |
| n/a–FUXA v1.2.7 | FUXA v1.2.7 contains an Unrestricted File Upload vulnerability in the `/api/upload` API endpoint. The endpoint lacks authentication mechanisms, allowing unauthenticated remote attackers to upload arbitrary files. This can be exploited to overwrite critical system files (such as the SQLite user database) to gain administrative access, or to upload malicious scripts to execute arbitrary code. | 2026-02-03 | not yet calculated | CVE-2025-69981 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js#L193 |
| n/a–FUXA v1.2.7 | FUXA v1.2.7 allows Remote Code Execution (RCE) via the project import functionality. The application does not properly sanitize or sandbox user-supplied scripts within imported project files. An attacker can upload a malicious project containing system commands, leading to full system compromise. | 2026-02-03 | not yet calculated | CVE-2025-69983 | https://github.com/frangoteam/FUXA/blob/master/server/api/projects/index.js |
| n/a–ChestnutCMS v.1.5.8 | An issue in ChestnutCMS v.1.5.8 and before allows a remote attacker to execute arbitrary code via the template creation function | 2026-02-05 | not yet calculated | CVE-2025-70073 | https://github.com/liweiyi/ChestnutCMS/issues/8 |
| n/a–JEEWMS 1.0 | JEEWMS 1.0 is vulnerable to SQL Injection. Attackers can inject malicious SQL statements through the id1 and id2 parameters in the /systemControl.do interface for attack. | 2026-02-03 | not yet calculated | CVE-2025-70311 | https://gitee.com/erzhongxmu/JEEWMS |
| PPC (Belden)–2K05X router firmware v1.1.9_206 | A stored cross-site scripting (XSS) vulnerability exists in the web management interface of the PPC (Belden) ONT 2K05X router running firmware v1.1.9_206L. The Common Gateway Interface (CGI) component improperly handles user-supplied input, allowing a remote, unauthenticated attacker to inject arbitrary JavaScript that is persistently stored and executed when the affected interface is accessed. | 2026-02-04 | not yet calculated | CVE-2025-70545 | http://ppc.com https://github.com/jeyabalaji711/CVE-2025-70545 |
|
n/a–pdfminer.six
|
pdfminer.six before 20251230 contains an insecure deserialization vulnerability in the CMap loading mechanism. The library uses Python pickle to deserialize CMap cache files without validation. An attacker with the ability to place a malicious pickle file in a location accessible to the application can trigger arbitrary code execution or privilege escalation when the file is loaded by a trusted process. This is caused by an incomplete patch to CVE-2025-64512. | 2026-02-03 | not yet calculated | CVE-2025-70559 | https://github.com/pdfminer/pdfminer.six/security/advisories/GHSA-f83h-ghpp-7wcc https://github.com/advisories/GHSA-f83h-ghpp-7wcc |
| n/a–Boltz 2.0 | Boltz 2.0.0 contains an insecure deserialization vulnerability in its molecule loading functionality. The application uses Python pickle to deserialize molecule data files without validation. An attacker with the ability to place a malicious pickle file in a directory processed by boltz can achieve arbitrary code execution when the file is loaded. | 2026-02-03 | not yet calculated | CVE-2025-70560 | https://github.com/jwohlwend/boltz/issues/600 https://github.com/jwohlwend/boltz/blob/cb04aeccdd480fd4db707f0bbafde538397fa2ac/src/boltz/data/mol.py#L80 |
| n/a–chetans9 | chetans9 core-php-admin-panel through commit a94a780d6 contains an authentication bypass vulnerability in includes/auth_validate.php. The application sends an HTTP redirect via header(Location:login.php) when a user is not authenticated but fails to call exit() afterward. This allows remote unauthenticated attackers to access protected pages.customer database. | 2026-02-03 | not yet calculated | CVE-2025-70758 | https://github.com/chetans9/core-php-admin-panel https://github.com/chetans9/core-php-admin-panel/blob/master/includes/auth_validate.php https://github.com/XavLimSG/Vulnerability-Research/tree/main/CVE-2025-70758 |
| n/a–Microweber 2.0.19 | Cross Site Scripting vulnerability in the “/admin/order/abandoned” endpoint of Microweber 2.0.19. An attacker can manipulate the “orderDirection” parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim’s browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70791 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/9615b9915a4cacda9f57bb57f13ab6d4 |
| n/a–n/a | Cross Site Scripting vulnerability in the “/admin/category/create” endpoint of Microweber 2.0.19. An attacker can manipulate the “rel_id” parameter in a crafted URL and lure a user with admin privileges into visiting it, achieving JavaScript code execution in the victim’s browser. The issue was reported to the developers and fixed in version 2.0.20. | 2026-02-05 | not yet calculated | CVE-2025-70792 | https://github.com/microweber/microweber/commit/aa0791fc286d785ccd33ccc706f7bb3ed05b1d7f https://gist.github.com/TimRecktenwald/f4b0d1edbb87e75c17c639ca0bacba57 |
| n/a–podinfo | Arbitrary File Upload in podinfo thru 6.9.0 allows unauthenticated attackers to upload arbitrary files via crafted POST request to the /store endpoint. The application renders uploaded content without a restrictive Content-Security-Policy (CSP) or adequate Content-Type validation, leading to Stored Cross-Site Scripting (XSS). | 2026-02-03 | not yet calculated | CVE-2025-70849 | https://gist.github.com/kazisabu/27f3e272f474005001a9ecd2c258dbea |
| n/a–Subrion CMS v4.2.1 | Multiple reflected cross-site scripting (XSS) vulnerabilities in the installation module of Subrion CMS v4.2.1 allows attackers to execute arbitrary Javascript in the context of the user’s browser via injecting a crafted payload into the dbuser, dbpwd, and dbname parameters. | 2026-02-02 | not yet calculated | CVE-2025-70958 | https://github.com/emirhanyucell/Subrion-CMS-4.2.1/blob/main/subrion-cms-exploit.txt |
| n/a–Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Jobs module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70959 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a–Tendenci CMS v15.3.7 | A stored cross-site scripting (XSS) vulnerability in the Forums module of Tendenci CMS v15.3.7 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted payload. | 2026-02-02 | not yet calculated | CVE-2025-70960 | https://github.com/emirhanyucelll/tendenci/blob/main/Readme.md |
| n/a–Gophish | Gophish <=0.12.1 is vulnerable to Incorrect Access Control. The administrative dashboard exposes each user’s long-lived API key directly inside the rendered HTML/JavaScript of the page on every login. This makes permanent API credentials accessible to any script running in the browser context. | 2026-02-06 | not yet calculated | CVE-2025-70963 | https://github.com/gophish/gophish/issues/9366 |
| n/a–eladmin v2.7 | A vulnerability has been discovered in eladmin v2.7 and before. This vulnerability allows for an arbitrary user password reset under any user permission level. | 2026-02-04 | not yet calculated | CVE-2025-70997 | https://github.com/elunez/eladmin https://github.com/fofo137/CVE/issues/1 |
| n/a–n/a | Water-Melon Melon commit 9df9292 and below is vulnerable to Denial of Service. The HTTP component doesn’t have any maximum length. As a result, an excessive request header could cause a denial of service by consuming RAM memory. | 2026-02-04 | not yet calculated | CVE-2025-71031 | https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/denial-of-service-in-melon-c-library https://suphawith-phusanbai.gitbook.io/book-of-suphawith/my-exploits/cve-2025-71031-denial-of-service-in-melon-c-library |
| danny-avila–danny-avila/librechat | A vulnerability in danny-avila/librechat allows attackers to exploit the unrestricted Fork Function in `/api/convos/fork` to fork numerous contents rapidly. If the forked content includes a Mermaid graph with a large number of nodes, it can lead to a JavaScript heap out of memory error upon service restart, causing a denial of service. This issue affects the latest version of the product. | 2026-02-02 | not yet calculated | CVE-2025-7105 | https://huntr.com/bounties/e44f0740-48bd-443b-8826-528e6afe9e34 https://github.com/danny-avila/librechat/commit/97a99985fa339db0a21ad63604e0bb8db4442ffc |
| n/a–Creativeitem Academy LMS 7.0 | Creativeitem Academy LMS 7.0 contains reflected Cross-Site Scripting (XSS) vulnerabilities via the search parameter to the /academy/blogs endpoint, and the string parameter to the /academy/course_bundles/search/query endpoint. These vulnerabilities are distinct from the patch for CVE-2023-4119, which only fixed XSS in query and sort_by parameters to the /academy/home/courses endpoint. | 2026-02-03 | not yet calculated | CVE-2025-71179 | https://codecanyon.net/item/academy-course-based-learning-management-system/22703468 https://creativeitem.com/products/academy-learning-management-system/ https://github.com/cod3rLucas/security-advisories/blob/main/CVE-2025-71179.md |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ac97: fix a double free in snd_ac97_controller_register() If ac97_add_adapter() fails, put_device() is the correct way to drop the device reference. kfree() is not required. Add kfree() if idr_alloc() fails and in ac97_adapter_release() to do the cleanup. Found by code review. | 2026-02-04 | not yet calculated | CVE-2025-71192 | https://git.kernel.org/stable/c/c80f9b3349a99a9d5b295f5bbc23f544c5995ad7 https://git.kernel.org/stable/c/21f8bc5179bed91c3f946adb5e55d717b891960c https://git.kernel.org/stable/c/fcc04c92cbb5497ce67c58dd2f0001bb87f40396 https://git.kernel.org/stable/c/cb73d37ac18bc1716690ff5255a0ef1952827e9e https://git.kernel.org/stable/c/830988b6cf197e6dcffdfe2008c5738e6c6c3c0f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: phy: qcom-qusb2: Fix NULL pointer dereference on early suspend Enabling runtime PM before attaching the QPHY instance as driver data can lead to a NULL pointer dereference in runtime PM callbacks that expect valid driver data. There is a small window where the suspend callback may run after PM runtime enabling and before runtime forbid. This causes a sporadic crash during boot: “` Unable to handle kernel NULL pointer dereference at virtual address 00000000000000a1 […] CPU: 0 UID: 0 PID: 11 Comm: kworker/0:1 Not tainted 6.16.7+ #116 PREEMPT Workqueue: pm pm_runtime_work pstate: 20000005 (nzCv daif -PAN -UAO -TCO -DIT -SSBS BTYPE=–) pc : qusb2_phy_runtime_suspend+0x14/0x1e0 [phy_qcom_qusb2] lr : pm_generic_runtime_suspend+0x2c/0x44 […] “` Attach the QPHY instance as driver data before enabling runtime PM to prevent NULL pointer dereference in runtime PM callbacks. Reorder pm_runtime_enable() and pm_runtime_forbid() to prevent a short window where an unnecessary runtime suspend can occur. Use the devres-managed version to ensure PM runtime is symmetrically disabled during driver removal for proper cleanup. | 2026-02-04 | not yet calculated | CVE-2025-71193 | https://git.kernel.org/stable/c/beba460a299150b5d8dcbe3474a8f4bdf0205180 https://git.kernel.org/stable/c/d50a9b7fd07296a1ab81c49ceba14cae3d31df86 https://git.kernel.org/stable/c/4ac15caa27ff842b068a54f1c6a8ff8b31f658e7 https://git.kernel.org/stable/c/1ca52c0983c34fca506921791202ed5bdafd5306 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix deadlock in wait_current_trans() due to ignored transaction type When wait_current_trans() is called during start_transaction(), it currently waits for a blocked transaction without considering whether the given transaction type actually needs to wait for that particular transaction state. The btrfs_blocked_trans_types[] array already defines which transaction types should wait for which transaction states, but this check was missing in wait_current_trans(). This can lead to a deadlock scenario involving two transactions and pending ordered extents: 1. Transaction A is in TRANS_STATE_COMMIT_DOING state 2. A worker processing an ordered extent calls start_transaction() with TRANS_JOIN 3. join_transaction() returns -EBUSY because Transaction A is in TRANS_STATE_COMMIT_DOING 4. Transaction A moves to TRANS_STATE_UNBLOCKED and completes 5. A new Transaction B is created (TRANS_STATE_RUNNING) 6. The ordered extent from step 2 is added to Transaction B’s pending ordered extents 7. Transaction B immediately starts commit by another task and enters TRANS_STATE_COMMIT_START 8. The worker finally reaches wait_current_trans(), sees Transaction B in TRANS_STATE_COMMIT_START (a blocked state), and waits unconditionally 9. However, TRANS_JOIN should NOT wait for TRANS_STATE_COMMIT_START according to btrfs_blocked_trans_types[] 10. Transaction B is waiting for pending ordered extents to complete 11. Deadlock: Transaction B waits for ordered extent, ordered extent waits for Transaction B This can be illustrated by the following call stacks: CPU0 CPU1 btrfs_finish_ordered_io() start_transaction(TRANS_JOIN) join_transaction() # -EBUSY (Transaction A is # TRANS_STATE_COMMIT_DOING) # Transaction A completes # Transaction B created # ordered extent added to # Transaction B’s pending list btrfs_commit_transaction() # Transaction B enters # TRANS_STATE_COMMIT_START # waiting for pending ordered # extents wait_current_trans() # waits for Transaction B # (should not wait!) Task bstore_kv_sync in btrfs_commit_transaction waiting for ordered extents: __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 btrfs_commit_transaction+0xbf7/0xda0 [btrfs] btrfs_sync_file+0x342/0x4d0 [btrfs] __x64_sys_fdatasync+0x4b/0x80 do_syscall_64+0x33/0x40 entry_SYSCALL_64_after_hwframe+0x44/0xa9 Task kworker in wait_current_trans waiting for transaction commit: Workqueue: btrfs-syno_nocow btrfs_work_helper [btrfs] __schedule+0x2e7/0x8a0 schedule+0x64/0xe0 wait_current_trans+0xb0/0x110 [btrfs] start_transaction+0x346/0x5b0 [btrfs] btrfs_finish_ordered_io.isra.0+0x49b/0x9c0 [btrfs] btrfs_work_helper+0xe8/0x350 [btrfs] process_one_work+0x1d3/0x3c0 worker_thread+0x4d/0x3e0 kthread+0x12d/0x150 ret_from_fork+0x1f/0x30 Fix this by passing the transaction type to wait_current_trans() and checking btrfs_blocked_trans_types[cur_trans->state] against the given type before deciding to wait. This ensures that transaction types which are allowed to join during certain blocked states will not unnecessarily wait and cause deadlocks. | 2026-02-04 | not yet calculated | CVE-2025-71194 | https://git.kernel.org/stable/c/e563f59395981fcd69d130761290929806e728d6 https://git.kernel.org/stable/c/dc84036c173cff6a432d9ab926298850b1d2a659 https://git.kernel.org/stable/c/d7b04b40ac8e6d814e35202a0e1568809b818295 https://git.kernel.org/stable/c/99da896614d17e8a84aeb2b2d464ac046cc8633d https://git.kernel.org/stable/c/8b0bb145d3bc264360f525c9717653be3522e528 https://git.kernel.org/stable/c/9ac63333d600732a56b35ee1fa46836da671eb50 https://git.kernel.org/stable/c/5037b342825df7094a4906d1e2a9674baab50cb2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: dmaengine: xilinx: xdma: Fix regmap max_register The max_register field is assigned the size of the register memory region instead of the offset of the last register. The result is that reading from the regmap via debugfs can cause a segmentation fault: tail /sys/kernel/debug/regmap/xdma.1.auto/registers Unable to handle kernel paging request at virtual address ffff800082f70000 Mem abort info: ESR = 0x0000000096000007 EC = 0x25: DABT (current EL), IL = 32 bits SET = 0, FnV = 0 EA = 0, S1PTW = 0 FSC = 0x07: level 3 translation fault […] Call trace: regmap_mmio_read32le+0x10/0x30 _regmap_bus_reg_read+0x74/0xc0 _regmap_read+0x68/0x198 regmap_read+0x54/0x88 regmap_read_debugfs+0x140/0x380 regmap_map_read_file+0x30/0x48 full_proxy_read+0x68/0xc8 vfs_read+0xcc/0x310 ksys_read+0x7c/0x120 __arm64_sys_read+0x24/0x40 invoke_syscall.constprop.0+0x64/0x108 do_el0_svc+0xb0/0xd8 el0_svc+0x38/0x130 el0t_64_sync_handler+0x120/0x138 el0t_64_sync+0x194/0x198 Code: aa1e03e9 d503201f f9400000 8b214000 (b9400000) —[ end trace 0000000000000000 ]— note: tail[1217] exited with irqs disabled note: tail[1217] exited with preempt_count 1 Segmentation fault | 2026-02-04 | not yet calculated | CVE-2025-71195 | https://git.kernel.org/stable/c/df8a131a41ff6202d47f59452735787f2b71dd2d https://git.kernel.org/stable/c/606ea969e78295407f4bf06aa0e272fe59897184 https://git.kernel.org/stable/c/5e7ad329d259cf5bed7530d6d2525bcf7cb487a1 https://git.kernel.org/stable/c/c7d436a6c1a274c1ac28d5fb3b8eb8f03b6d0e10 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: phy: stm32-usphyc: Fix off by one in probe() The “index” variable is used as an index into the usbphyc->phys[] array which has usbphyc->nphys elements. So if it is equal to usbphyc->nphys then it is one element out of bounds. The “index” comes from the device tree so it’s data that we trust and it’s unlikely to be wrong, however it’s obviously still worth fixing the bug. Change the > to >=. | 2026-02-04 | not yet calculated | CVE-2025-71196 | https://git.kernel.org/stable/c/a9eec890879731c280697fdf1c50699e905b2fa7 https://git.kernel.org/stable/c/fb9d513cdf1614bf0f0e785816afb1faae3f81af https://git.kernel.org/stable/c/c06f13876cbad702582cd67fc77356e5524d02cd https://git.kernel.org/stable/c/76b870fdaad82171a24b8aacffe5e4d9e0d2ee2c https://git.kernel.org/stable/c/b91c9f6bfb04e430adeeac7e7ebc9d80f9d72bad https://git.kernel.org/stable/c/7c27eaf183563b86d815ff6e9cca0210b4cfa051 https://git.kernel.org/stable/c/cabd25b57216ddc132efbcc31f972baa03aad15a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: w1: therm: Fix off-by-one buffer overflow in alarms_store The sysfs buffer passed to alarms_store() is allocated with ‘size + 1’ bytes and a NUL terminator is appended. However, the ‘size’ argument does not account for this extra byte. The original code then allocated ‘size’ bytes and used strcpy() to copy ‘buf’, which always writes one byte past the allocated buffer since strcpy() copies until the NUL terminator at index ‘size’. Fix this by parsing the ‘buf’ parameter directly using simple_strtoll() without allocating any intermediate memory or string copying. This removes the overflow while simplifying the code. | 2026-02-04 | not yet calculated | CVE-2025-71197 | https://git.kernel.org/stable/c/49ff9b4b9deacbefa6654a0a2bcaf910c9de7e95 https://git.kernel.org/stable/c/060b08d72a38b158a7f850d4b83c17c2969e0f6b https://git.kernel.org/stable/c/b3fc3e1f04dcc7c41787bbf08a6e0d2728e022cf https://git.kernel.org/stable/c/6a5820ecfa5a76c3d3e154802c8c15f391ef442e https://git.kernel.org/stable/c/6fd6d2a8e41b7f544a4d26cbd60bedf9c67893a0 https://git.kernel.org/stable/c/e6b2609af21b5cccc9559339591b8a2cbf884169 https://git.kernel.org/stable/c/761fcf46a1bd797bd32d23f3ea0141ffd437668a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: imu: st_lsm6dsx: fix iio_chan_spec for sensors without event detection The st_lsm6dsx_acc_channels array of struct iio_chan_spec has a non-NULL event_spec field, indicating support for IIO events. However, event detection is not supported for all sensors, and if userspace tries to configure accelerometer wakeup events on a sensor device that does not support them (e.g. LSM6DS0), st_lsm6dsx_write_event() dereferences a NULL pointer when trying to write to the wakeup register. Define an additional struct iio_chan_spec array whose members have a NULL event_spec field, and use this array instead of st_lsm6dsx_acc_channels for sensors without event detection capability. | 2026-02-04 | not yet calculated | CVE-2025-71198 | https://git.kernel.org/stable/c/7673167fac9323110973a3300637adba7d45de3a https://git.kernel.org/stable/c/4d60ffcdedfe2cdb68a1cde19bb292bc67451629 https://git.kernel.org/stable/c/81ed6e42d6e555dd978c9dd5e3f7c20cb121221b https://git.kernel.org/stable/c/c34e2e2d67b3bb8d5a6d09b0d6dac845cdd13fb3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: adc: at91-sama5d2_adc: Fix potential use-after-free in sama5d2_adc driver at91_adc_interrupt can call at91_adc_touch_data_handler function to start the work by schedule_work(&st->touch_st.workq). If we remove the module which will call at91_adc_remove to make cleanup, it will free indio_dev through iio_device_unregister but quite a bit later. While the work mentioned above will be used. The sequence of operations that may lead to a UAF bug is as follows: CPU0 CPU1 | at91_adc_workq_handler at91_adc_remove | iio_device_unregister(indio_dev) | //free indio_dev a bit later | | iio_push_to_buffers(indio_dev) | //use indio_dev Fix it by ensuring that the work is canceled before proceeding with the cleanup in at91_adc_remove. | 2026-02-04 | not yet calculated | CVE-2025-71199 | https://git.kernel.org/stable/c/4c83dd62595ee7b7c9298a4d19a256b6647e7240 https://git.kernel.org/stable/c/fdc8c835c637a3473878d1e7438c77ab8928af63 https://git.kernel.org/stable/c/919d176b05776c7ede79c36744c823a07d631617 https://git.kernel.org/stable/c/9795fe80976f8c31cafda7d44edfc0f532d1f7c4 https://git.kernel.org/stable/c/d7b6fc224c7f5d6d8adcb18037138d3cfe2bbdfe https://git.kernel.org/stable/c/d890234a91570542c228a20f132ce74f9fedd904 https://git.kernel.org/stable/c/dbdb442218cd9d613adeab31a88ac973f22c4873 |
| Brocade–Fabric OS | A vulnerability in Brocade Fabric OS before 9.2.1c3 could allow elevating the privileges of the local authenticated user to “root” using the export option of seccertmgmt and seccryptocfg commands. | 2026-02-03 | not yet calculated | CVE-2025-9711 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36852 |
| Nokia–Nokia ONT | The unified WEBUI application of the ONT/Beacon device contains an input handling flaw that allows authenticated users to trigger unintended system-level command execution. Due to insufficient validation of user-supplied data, a low-privileged authenticated attacker may be able to execute arbitrary commands on the underlying ONT/Beacon operating system, potentially impacting the confidentiality, integrity, and availability of the device. | 2026-02-02 | not yet calculated | CVE-2025-9974 | Nokia Security Advisory |
| Google–Android | In vpu_mmap of vpu_ioctl, there is a possible arbitrary address mmap due to a missing bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. | 2026-02-05 | not yet calculated | CVE-2026-0106 | https://source.android.com/security/bulletin/pixel/2026-02-01 |
| Brocade–Fabric OS | A vulnerability in Brocade Fabric OS could allow an authenticated, local attacker with privileges to access the Bash shell to access insecurely stored file contents including the history command. | 2026-02-03 | not yet calculated | CVE-2026-0383 | https://support.broadcom.com/web/ecx/support-content-notification/-/external/content/SecurityAdvisories/0/36851 |
| TYDAC AG–MAP+ | A reflected cross-site scripting (XSS) vulnerability in the PDF export functionality of the TYDAC AG MAP+ solution allows unauthenticated attackers to craft a malicious URL, that if visited by a victim, will execute arbitrary JavaScript in the victim’s context. Such a URL could be delivered through various means, for instance, by sending a link or by tricking victims to visit a page crafted by the attacker. This issue was verified in MAP+: 3.4.0. | 2026-02-06 | not yet calculated | CVE-2026-0521 | https://www.tydac.ch/en/mapplus/ https://www.redguard.ch/blog/2026/02/05/advisory-tydac-mapplus/ |
| huggingface–huggingface/text-generation-inference | A vulnerability in huggingface/text-generation-inference version 3.3.6 allows unauthenticated remote attackers to exploit unbounded external image fetching during input validation in VLM mode. The issue arises when the router scans inputs for Markdown image links and performs a blocking HTTP GET request, reading the entire response body into memory and cloning it before decoding. This behavior can lead to resource exhaustion, including network bandwidth saturation, memory inflation, and CPU overutilization. The vulnerability is triggered even if the request is later rejected for exceeding token limits. The default deployment configuration, which lacks memory usage limits and authentication, exacerbates the impact, potentially crashing the host machine. The issue is resolved in version 3.3.7. | 2026-02-02 | not yet calculated | CVE-2026-0599 | https://huntr.com/bounties/1d3f2085-666c-4441-b265-22f6f7d8d9cd https://github.com/huggingface/text-generation-inference/commit/24ee40d143d8d046039f12f76940a85886cbe152 |
| TP-Link Systems Inc.–AXE75 | When configured as L2TP/IPSec VPN server, Archer AXE75 V1 may accept connections using L2TP without IPSec protection, even when IPSec is enabled. This allows VPN sessions without encryption, exposing data in transit and compromising confidentiality. | 2026-02-03 | not yet calculated | CVE-2026-0620 | https://www.tp-link.com/en/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/download/archer-axe75/v1/#Firmware https://www.tp-link.com/us/support/faq/4942/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0630 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows an adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-0631 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| Unknown–Five Star Restaurant Reservations | The Five Star Restaurant Reservations WordPress plugin before 2.7.9 does not have CSRF checks in some bulk actions, which could allow attackers to make logged in admins perform unwanted actions, such as deleting bookings via CSRF attacks. | 2026-02-02 | not yet calculated | CVE-2026-0658 | https://wpscan.com/vulnerability/6e39090e-a4b2-4c16-806f-e2b1c456fb00/ |
| Moxa–UC-1200A Series | A physical attack vulnerability exists in certain Moxa industrial computers using TPM-backed LUKS full-disk encryption on Moxa Industrial Linux 3, where the discrete TPM is connected to the CPU via an SPI bus. Exploitation requires invasive physical access, including opening the device and attaching external equipment to the SPI bus to capture TPM communications. If successful, the captured data may allow offline decryption of eMMC contents. This attack cannot be performed through brief or opportunistic physical access and requires extended physical access, possession of the device, appropriate equipment, and sufficient time for signal capture and analysis. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0714 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Moxa–UC-1200A Series | Moxa Arm-based industrial computers running Moxa Industrial Linux Secure use a device-unique bootloader password provided on the device. An attacker with physical access to the device could use this information to access the bootloader menu via a serial interface. Access to the bootloader menu does not allow full system takeover or privilege escalation. The bootloader enforces digital signature verification and only permits flashing of Moxa-signed images. As a result, an attacker cannot install malicious firmware or execute arbitrary code. The primary impact is limited to a potential temporary denial-of-service condition if a valid image is reflashed. Remote exploitation is not possible. | 2026-02-05 | not yet calculated | CVE-2026-0715 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-255121-cve-2026-0714-cve-2026-0715-multiple-vulnerabilities-in-industrial-computers |
| Ercom–Cryptobox | On a Cryptobox platform where administrator segregation based on entities is used, some vulnerabilities in Ercom Cryptobox administration console allows an authenticated entity administrator with knowledge to elevate his account to global administrator. | 2026-02-04 | not yet calculated | CVE-2026-0873 | https://info.cryptobox.com/doc/v4.40/4.40.en/ |
| Dr.Buho–BuhoCleaner | BuhoCleaner contains an insecure XPC service that allows local, unprivileged users to escalate their privileges to root via insecure functions. This issue affects BuhoCleaner: 1.15.2. | 2026-02-02 | not yet calculated | CVE-2026-0924 | https://fluidattacks.com/advisories/solstafir https://www.drbuho.com/buhocleaner https://www.drbuho.com/buhocleaner/download |
| Drupal–Group invite | Improper Check for Unusual or Exceptional Conditions vulnerability in Drupal Group invite allows Forceful Browsing. This issue affects Group invite: from 0.0.0 before 2.3.9, from 3.0.0 before 3.0.4, from 4.0.0 before 4.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0944 | https://www.drupal.org/sa-contrib-2026-001 |
| Drupal–Role Delegation | Privilege Defined With Unsafe Actions vulnerability in Drupal Role Delegation allows Privilege Escalation. This issue affects Role Delegation: from 1.3.0 before 1.5.0. | 2026-02-04 | not yet calculated | CVE-2026-0945 | https://www.drupal.org/sa-contrib-2026-002 |
| Drupal–AT Internet SmartTag | Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal AT Internet SmartTag allows Cross-Site Scripting (XSS). This issue affects AT Internet SmartTag: from 0.0.0 before 1.0.1. | 2026-02-04 | not yet calculated | CVE-2026-0946 | https://www.drupal.org/sa-contrib-2026-003 |
| Drupal–AT Internet Piano Analytics | Improper Neutralization of Input During Web Page Generation (“Cross-site Scripting”) vulnerability in Drupal AT Internet Piano Analytics allows Cross-Site Scripting (XSS). This issue affects AT Internet Piano Analytics: from 0.0.0 before 1.0.1, from 2.0.0 before 2.3.1. | 2026-02-04 | not yet calculated | CVE-2026-0947 | https://www.drupal.org/sa-contrib-2026-004 |
| Drupal–Microsoft Entra ID SSO Login | Authentication Bypass Using an Alternate Path or Channel vulnerability in Drupal Microsoft Entra ID SSO Login allows Privilege Escalation. This issue affects Microsoft Entra ID SSO Login: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-0948 | https://www.drupal.org/sa-contrib-2026-005 |
| parisneo–parisneo/lollms | A vulnerability in the `lollms_generation_events.py` component of parisneo/lollms version 5.9.0 allows unauthenticated access to sensitive Socket.IO events. The `add_events` function registers event handlers such as `generate_text`, `cancel_generation`, `generate_msg`, and `generate_msg_from` without implementing authentication or authorization checks. This allows unauthenticated clients to execute resource-intensive or state-altering operations, leading to potential denial of service, state corruption, and race conditions. Additionally, the use of global flags (`lollmsElfServer.busy`, `lollmsElfServer.cancel_gen`) for state management in a multi-client environment introduces further vulnerabilities, enabling one client’s actions to affect the server’s state and other clients’ operations. The lack of proper access control and reliance on insecure global state management significantly impacts the availability and integrity of the service. | 2026-02-02 | not yet calculated | CVE-2026-1117 | https://huntr.com/bounties/d2846a7f-0140-4105-b1bb-5ef64ec8b829 https://github.com/parisneo/lollms/commit/36a5b513dfefe9c2913bf9b618457b4fea603e3b |
| ABC PRO SP. Z O.O.–EAP Legislator | EAP Legislator is vulnerable to Path Traversal in file extraction functionality. Attacker can prepare zipx archive (default file type used by the Legislator application) and choose arbitrary path outside the intended directory (e.x. system startup) where files will be extracted by the victim upon opening the file. This issue was fixed in version 2.25a. | 2026-02-02 | not yet calculated | CVE-2026-1186 | https://abcpro.pl/eap-legislator https://cert.pl/posts/2026/02/CVE-2026-1186 |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. Raster lookups on “RasterField“ (only implemented on PostGIS) allows remote attackers to inject SQL via the band index parameter. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Tarek Nakkouch for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1207 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| BeyondTrust–Privilege management for Windows | A medium-severity vulnerability has been identified in BeyondTrust Privilege Management for Windows versions <=25.7. Under certain conditions, a local authenticated user with elevated privileges may be able to bypass the product’s anti-tamper protections, which could allow access to protected application components and the ability to modify product configuration. | 2026-02-02 | not yet calculated | CVE-2026-1232 | https://www.beyondtrust.com/trust-center/security-advisories/bt26-01 https://beyondtrustcorp.service-now.com/csm?id=kb_article_view&sysparm_article=KB0023100 |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `django.utils.text.Truncator.chars()` and `Truncator.words()` methods (with `html=True`) and the `truncatechars_html` and `truncatewords_html` template filters allow a remote attacker to cause a potential denial-of-service via crafted inputs containing a large number of unmatched HTML end tags. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Seokchan Yoon for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1285 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `FilteredRelation` is subject to SQL injection in column aliases via control characters, using a suitably crafted dictionary, with dictionary expansion, as the `**kwargs` passed to `QuerySet` methods `annotate()`, `aggregate()`, `extra()`, `values()`, `values_list()`, and `alias()`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1287 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| o6 Automation GmbH–Open62541 | In builds with PubSub and JSON enabled, a crafted JSON message can cause the decoder to write beyond a heap-allocated array before authentication, reliably crashing the process and corrupting memory. | 2026-02-05 | not yet calculated | CVE-2026-1301 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-036-03 |
| djangoproject–Django | An issue was discovered in 6.0 before 6.0.2, 5.2 before 5.2.11, and 4.2 before 4.2.28. `.QuerySet.order_by()` is subject to SQL injection in column aliases containing periods when the same alias is, using a suitably crafted dictionary, with dictionary expansion, used in `FilteredRelation`. Earlier, unsupported Django series (such as 5.0.x, 4.1.x, and 3.2.x) were not evaluated and may also be affected. Django would like to thank Solomon Kebede for reporting this issue. | 2026-02-03 | not yet calculated | CVE-2026-1312 | Django security archive Django releases announcements Django security releases issued: 6.0.2, 5.2.11, and 4.2.28 |
| neo4j–Enterprise Edition | Insufficient escaping of unicode characters in query log in Neo4j Enterprise and Community editions prior to 2026.01 can lead to XSS if the user opens the logs in a tool that treats them as HTML. There is no security impact on Neo4j products, but this advisory is released as a precaution to treat the logs as plain text if using versions prior to 2026.01. Proof of concept exploit: https://github.com/JoakimBulow/CVE-2026-1337 | 2026-02-06 | not yet calculated | CVE-2026-1337 | https://github.com/JoakimBulow/CVE-2026-1337 |
| Avation–Avation Light Engine Pro | Avation Light Engine Pro exposes its configuration and control interface without any authentication or access control. | 2026-02-03 | not yet calculated | CVE-2026-1341 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-034-02 |
| T-Systems–Buroweb | SQL injection vulnerability in the Buroweb platform version 2505.0.12, specifically in the ‘tablon’ component. This vulnerability is present in several parameters that do not correctly sanitize user input in the endpoint ‘/sta/CarpetaPublic/doEvent?APP_CODE=STA&PAGE_CODE=TABLON’. Exploiting this vulnerability could allow an attacker to execute queries on the database and gain access to confidential information. | 2026-02-03 | not yet calculated | CVE-2026-1432 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-sqli-buroweb-platform |
| PRIMION DIGITEK–Digitek ADT1100 | Path Traversal vulnerability in Digitek ADT1100 and Digitek DT950 from PRIMION DIGITEK, S.L.U (Azkoyen Group). This vulnerability allows an attacker to access arbitrary files in the server’s file system, thet is, ‘http://<host>/..%2F..% 2F..%2F..%2F..%2F..%2F..%2F..%2F..%2Fetc%2Fpasswd’. By manipulating the input to include URL encoded directory traversal sequences (e.g., %2F representing /), an attacker can bypass the input validation mechanisms ans retrieve sensitive files outside the intended directory, which could lead to information disclosure or further system compromise. | 2026-02-05 | not yet calculated | CVE-2026-1523 | https://www.incibe.es/en/incibe-cert/notices/aviso/path-traversal-digitek-grupo-azkoyen |
| Drupal–Drupal Canvas | Incorrect Authorization vulnerability in Drupal Drupal Canvas allows Forceful Browsing. This issue affects Drupal Canvas: from 0.0.0 before 1.0.4. | 2026-02-04 | not yet calculated | CVE-2026-1553 | https://www.drupal.org/sa-contrib-2026-006 |
| Drupal–Central Authentication System (CAS) Server | XML Injection (aka Blind XPath Injection) vulnerability in Drupal Central Authentication System (CAS) Server allows Privilege Escalation. This issue affects Central Authentication System (CAS) Server: from 0.0.0 before 2.0.3, from 2.1.0 before 2.1.2. | 2026-02-04 | not yet calculated | CVE-2026-1554 | https://www.drupal.org/sa-contrib-2026-007 |
| neo4j–Enterprise Edition | Neo4j Enterprise and Community editions versions prior to 2026.01.3 and 5.26.21 are vulnerable to a potential information disclosure by a user who has ability to access the local log files. The “obfuscate_literals” option in the query logs does not redact error information, exposing unredacted data in the query log when a customer writes a query that fails. It can allow a user with legitimate access to the local log files to obtain information they are not authorised to see. If this user is also in a position to run queries and trigger errors, this vulnerability can potentially help them to infer information they are not authorised to see through their intended database access. We recommend upgrading to versions 2026.01.3 (or 5.26.21) where the issue is fixed, and reviewing query log files permissions to ensure restricted access. If your configuration had db.logs.query.obfuscate_literals enabled, and you wish the obfuscation to cover the error messages as well, you need to enable the new configuration setting db.logs.query.obfuscate_errors once you have upgraded Neo4j. | 2026-02-04 | not yet calculated | CVE-2026-1622 | https://neo4j.com/security/CVE-2026-1622 |
| N/A–N/A | Summary An Insecure Direct Object Reference has been found to exist in `createHeaderBasedEmailResolver()` function within the Cloudflare Agents SDK. The issue occurs because the `Message-ID` and `References` headers are parsed to derive the target agentName and agentId without proper validation or origin checks, allowing an external attacker with control of these headers to route inbound mail to arbitrary Durable Object instances and namespaces . Root cause The `createHeaderBasedEmailResolver()` function lacks cryptographic verification or origin validation for the headers used in the routing logic, effectively allowing external input to dictate internal object routing. Impact Insecure Direct Object Reference (IDOR) in email routing lets an attacker steer inbound mail to arbitrary Agent instances via spoofed Message-ID. Mitigation: * PR: https://github.com/cloudflare/agents/blob/main/docs/email.md ] provides the necessary architectural context for coding agents to mitigate the issue by refactoring the resolver to enforce strict identity boundaries. * Agents-sdk users should upgrade to agents@0.3.7 | 2026-02-03 | not yet calculated | CVE-2026-1664 | https://github.com/cloudflare/agents |
| Python Packaging Authority–pip | When pip is installing and extracting a maliciously crafted wheel archive, files may be extracted outside the installation directory. The path traversal is limited to prefixes of the installation directory, thus isn’t able to inject or overwrite executable files in typical situations. | 2026-02-02 | not yet calculated | CVE-2026-1703 | https://github.com/pypa/pip/pull/13777 https://github.com/pypa/pip/commit/8e227a9be4faa9594e05d02ca05a413a2a4e7735 https://mail.python.org/archives/list/security-announce@python.org/thread/WIEA34D4TABF2UNQJAOMXKCICSPBE2DJ/ |
| Google Cloud–Gemini Enterprise (formerly Agentspace) | The Agentspace service was affected by a vulnerability that exposed sensitive information due to the use of predictable Google Cloud Storage bucket names. These names were utilized for error logs and temporary staging during data imports from GCS and Cloud SQL. This predictability allowed an attacker to engage in “bucket squatting” by establishing these buckets before a victim’s initial use. All versions after December 12th, 2025 have been updated to protect from this vulnerability. No user action is required for this. | 2026-02-06 | not yet calculated | CVE-2026-1727 | https://docs.cloud.google.com/gemini/enterprise/docs/release-notes#February_06_2026 |
| BeyondTrust–Remote Support(RS) & Privileged Remote Access(PRA) | BeyondTrust Remote Support (RS) and certain older versions of Privileged Remote Access (PRA) contain a critical pre-authentication remote code execution vulnerability. By sending specially crafted requests, an unauthenticated remote attacker may be able to execute operating system commands in the context of the site user. | 2026-02-06 | not yet calculated | CVE-2026-1731 | https://beyondtrustcorp.service-now.com/csm?id=csm_kb_article&sysparm_article=KB0023293 https://www.beyondtrust.com/trust-center/security-advisories/bt26-02 |
| CrafterCMS–CrafterCMS | Improper Control of Dynamically-Managed Code Resources vulnerability in Crafter Studio of Crafter CMS allows authenticated developers to execute OS commands via Groovy Sandbox Bypass. By inserting malicious Groovy elements, an attacker may bypass sandbox restrictions and obtain RCE (Remote Code Execution). | 2026-02-02 | not yet calculated | CVE-2026-1770 | https://docs.craftercms.org/current/security/advisory.html#cv-2026020201 |
| Xquic Project–Xquic Server | : Out-of-bounds Write vulnerability in Xquic Project Xquic Server xquic on Linux (QUIC protocol implementation, packet processing module modules) allows : Buffer Manipulation. This issue affects Xquic Server: through 1.8.3. | 2026-02-03 | not yet calculated | CVE-2026-1788 | https://github.com/alibaba/xquic |
| Rapid7–InsightVM/Nexpose | A security vulnerability has been identified in Rapid7 Nexpose. Remediation is in progress. | 2026-02-03 | not yet calculated | CVE-2026-1814 | https://www.atredis.com/disclosure |
| Google–Chrome | Heap buffer overflow in libvpx in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1861 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/478942410 |
| Google–Chrome | Type Confusion in V8 in Google Chrome prior to 144.0.7559.132 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page. (Chromium security severity: High) | 2026-02-03 | not yet calculated | CVE-2026-1862 | https://chromereleases.googleblog.com/2026/02/stable-channel-update-for-desktop.html https://issues.chromium.org/issues/479726070 |
| Nukegraphic CMS–Nukegraphic CMS | Nukegraphic CMS v3.1.2 contains a stored cross-site scripting (XSS) vulnerability in the user profile edit functionality at /ngc-cms/user-edit-profile.php. The application fails to properly sanitize user input in the name field before storing it in the database and rendering it across multiple CMS pages. An authenticated attacker with low privileges can inject malicious JavaScript payloads through the profile edit request, which are then executed site-wide whenever the affected user’s name is displayed. This allows the attacker to execute arbitrary JavaScript in the context of other users’ sessions, potentially leading to session hijacking, credential theft, or unauthorized actions performed on behalf of victims. | 2026-02-05 | not yet calculated | CVE-2026-1953 | https://github.com/carlosbudiman/CVE-2026-1953-Disclosure |
| YugabyteDB Inc–YugabyteDB Anywhere | YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services. | 2026-02-05 | not yet calculated | CVE-2026-1966 | https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/ |
| MediaTek, Inc.–MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738310; Issue ID: MSV-5933. | 2026-02-02 | not yet calculated | CVE-2026-20401 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8675, MT8771, MT8791, MT8791T, MT8797 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00693083; Issue ID: MSV-5928. | 2026-02-02 | not yet calculated | CVE-2026-20402 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6989, MT6990, MT6991, MT6993, MT8673, MT8675, MT8676, MT8771, MT8791, MT8791T, MT8795T, MT8797, MT8798, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689254 (Note: For N15 and NR16) / MOLY01689259 (Note: For NR17 and NR17R); Issue ID: MSV-4843. | 2026-02-02 | not yet calculated | CVE-2026-20403 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01689248; Issue ID: MSV-4837. | 2026-02-02 | not yet calculated | CVE-2026-20404 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to a missing bounds check. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01688495; Issue ID: MSV-4818. | 2026-02-02 | not yet calculated | CVE-2026-20405 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to an uncaught exception. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01726634; Issue ID: MSV-5728. | 2026-02-02 | not yet calculated | CVE-2026-20406 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT7902, MT7920, MT7921, MT7922, MT7925, MT7927 | In wlan STA driver, there is a possible escalation of privilege due to a missing bounds check. This could lead to local escalation of privilege with User execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00464377; Issue ID: MSV-4905. | 2026-02-02 | not yet calculated | CVE-2026-20407 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6890, MT7615, MT7915, MT7916, MT7981, MT7986 | In wlan, there is a possible out of bounds write due to a heap buffer overflow. This could lead to remote (proximal/adjacent) escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461651; Issue ID: MSV-4758. | 2026-02-02 | not yet calculated | CVE-2026-20408 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6897, MT6989 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363246; Issue ID: MSV-5779. | 2026-02-02 | not yet calculated | CVE-2026-20409 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6897, MT6989, MT8370, MT8390, MT8395 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362552; Issue ID: MSV-5760. | 2026-02-02 | not yet calculated | CVE-2026-20410 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8370, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8793 | In cameraisp, there is a possible escalation of privilege due to use after free. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5737. | 2026-02-02 | not yet calculated | CVE-2026-20411 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6878, MT6879, MT6881, MT6886, MT6895, MT6897, MT6899, MT6983, MT6985, MT6989, MT6991, MT6993, MT8168, MT8188, MT8195, MT8365, MT8390, MT8395, MT8666, MT8667, MT8673, MT8676, MT8696, MT8793 | In cameraisp, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10351676; Issue ID: MSV-5733. | 2026-02-02 | not yet calculated | CVE-2026-20412 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6899, MT6991, MT8678, MT8793 | In imgsys, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362725; Issue ID: MSV-5694. | 2026-02-02 | not yet calculated | CVE-2026-20413 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6897, MT6989, MT8196, MT8678, MT8766, MT8768, MT8786, MT8796 | In imgsys, there is a possible escalation of privilege due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10362999; Issue ID: MSV-5625. | 2026-02-02 | not yet calculated | CVE-2026-20414 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6897, MT6989 | In imgsys, there is a possible memory corruption due to improper locking. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10363254; Issue ID: MSV-5617. | 2026-02-02 | not yet calculated | CVE-2026-20415 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6991, MT6993, MT8678 | In pcie, there is a possible out of bounds write due to a missing bounds check. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10314946 / ALPS10340155; Issue ID: MSV-5154. | 2026-02-02 | not yet calculated | CVE-2026-20417 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT7931, MT7933 | In Thread, there is a possible out of bounds write due to a missing bounds check. This could lead to remote escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00465153; Issue ID: MSV-4927. | 2026-02-02 | not yet calculated | CVE-2026-20418 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT6890, MT6989TB, MT7902, MT7915, MT7916, MT7920, MT7921, MT7922, MT7925, MT7927, MT7981, MT7986, MT8196, MT8668, MT8676, MT8678, MT8775, MT8791T, MT8792, MT8793, MT8796, MT8873, MT8883, MT8893, MT8910 | In wlan AP/STA firmware, there is a possible system becoming irresponsive due to an uncaught exception. This could lead to remote (proximal/adjacent) denial of service with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: WCNCR00461663 / WCNCR00463309; Issue ID: MSV-4852. | 2026-02-02 | not yet calculated | CVE-2026-20419 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8676, MT8791 | In Modem, there is a possible system crash due to incorrect error handling. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738313; Issue ID: MSV-5935. | 2026-02-02 | not yet calculated | CVE-2026-20420 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT6833, MT6853, MT6855, MT6873, MT6875, MT6877, MT6880, MT6883, MT6885, MT6889, MT6890, MT6891, MT6893, MT8791 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY01738293; Issue ID: MSV-5922. | 2026-02-02 | not yet calculated | CVE-2026-20421 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| MediaTek, Inc.–MT2735, MT2737, MT6813, MT6815, MT6833, MT6835, MT6853, MT6855, MT6858, MT6873, MT6875, MT6877, MT6878, MT6879, MT6880, MT6883, MT6885, MT6886, MT6889, MT6890, MT6891, MT6893, MT6895, MT6896, MT6897, MT6899, MT6980, MT6983, MT6985, MT6986, MT6989, MT6990, MT6991, MT6993, MT8668, MT8673, MT8675, MT8676, MT8678, MT8755, MT8771, MT8775, MT8791, MT8791T, MT8792, MT8793, MT8795T, MT8797, MT8798, MT8863, MT8873, MT8883, MT8893 | In Modem, there is a possible system crash due to improper input validation. This could lead to remote denial of service, if a UE has connected to a rogue base station controlled by the attacker, with no additional execution privileges needed. User interaction is not needed for exploitation. Patch ID: MOLY00827332; Issue ID: MSV-5919. | 2026-02-02 | not yet calculated | CVE-2026-20422 | https://corp.mediatek.com/product-security-bulletin/February-2026 |
| ELECOM CO.,LTD.–WRC-X1500GS-B | Cross-site request forgery vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. If a user accesses a malicious page while logged-in to the affected product, unintended operations may be performed. | 2026-02-03 | not yet calculated | CVE-2026-20704 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Cybozu, Inc.–Cybozu Garoon | Cross-site scripting vulnerability exists in E-mail function of Cybozu Garoon 5.0.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | 2026-02-02 | not yet calculated | CVE-2026-20711 | https://kb.cybozu.support/article/39081/ https://jvn.jp/en/jp/JVN35265756/ |
| Samsung Mobile–Samsung Mobile Devices | Improper access control in Emergency Sharing prior to SMR Feb-2026 Release 1 allows local attackers to interrupt its functioning. | 2026-02-04 | not yet calculated | CVE-2026-20977 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Improper authorization in KnoxGuardManager prior to SMR Feb-2026 Release 1 allows local attackers to bypass the persistence configuration of the application. | 2026-02-04 | not yet calculated | CVE-2026-20978 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Improper privilege management in Settings prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Settings privilege. | 2026-02-04 | not yet calculated | CVE-2026-20979 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Improper input validation in PACM prior to SMR Feb-2026 Release 1 allows physical attacker to execute arbitrary commands. | 2026-02-04 | not yet calculated | CVE-2026-20980 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Improper input validation in FacAtFunction prior to SMR Feb-2026 Release 1 allows privileged physical attacker to execute arbitrary command with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20981 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Path traversal in ShortcutService prior to SMR Feb-2026 Release 1 allows privileged local attacker to create file with system privilege. | 2026-02-04 | not yet calculated | CVE-2026-20982 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Mobile Devices | Improper export of android application components in Samsung Dialer prior to SMR Feb-2026 Release 1 allows local attackers to launch arbitrary activity with Samsung Dialer privilege. | 2026-02-04 | not yet calculated | CVE-2026-20983 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=02 |
| Samsung Mobile–Galaxy Wearable | Improper handling of insufficient permission in Galaxy Wearable installed on non-Samsung Device prior to version 2.2.68 allows local attackers to access sensitive information. | 2026-02-04 | not yet calculated | CVE-2026-20984 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile–Samsung Members | Improper input validation in Samsung Members prior to version 5.6.00.11 allows remote attackers to connect arbitrary URL and launch arbitrary activity with Samsung Members privilege. User interaction is required for triggering this vulnerability. | 2026-02-04 | not yet calculated | CVE-2026-20985 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile–Chinese Samsung Members | Path traversal in Samsung Members prior to Chinese version 15.5.05.4 allows local attackers to overwrite data within Samsung Members. | 2026-02-04 | not yet calculated | CVE-2026-20986 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Samsung Mobile–GalaxyDiagnostics | Improper input validation in GalaxyDiagnostics prior to version 3.5.050 allows local privileged attackers to execute privileged commands. | 2026-02-04 | not yet calculated | CVE-2026-20987 | https://security.samsungmobile.com/serviceWeb.smsb?year=2026&month=02 |
| Six Apart Ltd.–Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Edit Comment. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user’s web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-21393 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Stackideas.com–EasyDiscuss extension for Joomla | Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure | 2026-02-06 | not yet calculated | CVE-2026-21626 | https://stackideas.com/easydiscuss |
| rustfs–rustfs | RustFS is a distributed object storage system built in Rust. Prior to version alpha.78, IP-based access control can be bypassed: get_condition_values trusts client-supplied X-Forwarded-For/X-Real-Ip without verifying a trusted proxy, so any reachable client can spoof aws:SourceIp and satisfy IP-allowlist policies. This issue has been patched in version alpha.78. | 2026-02-03 | not yet calculated | CVE-2026-21862 | https://github.com/rustfs/rustfs/security/advisories/GHSA-fc6g-2gcp-2qrq |
| n8n-io–n8n | n8n is an open source workflow automation platform. From version 0.187.0 to before 1.120.3, a command injection vulnerability was identified in n8n’s community package installation functionality. The issue allowed authenticated users with administrative permissions to execute arbitrary system commands on the n8n host under specific conditions. This issue has been patched in version 1.120.3. | 2026-02-04 | not yet calculated | CVE-2026-21893 | https://github.com/n8n-io/n8n/security/advisories/GHSA-7c4h-vh2m-743m https://github.com/n8n-io/n8n/commit/ae0669a736cc496beeb296e115267862727ae838 |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A lack of proper input validation in the HTTP processing path in TP-Link Archer BE230 v1.2 (web modules) may allow a crafted request to cause the device’s web service to become unresponsive, resulting in a denial of service condition. A network adjacent attacker with high privileges could cause the device’s web interface to temporarily stop responding until it recovers or is rebooted. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22220 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22221 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(web modules) allows adjacent authenticated attacker to execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22222 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link System Inc.–Archer BE230 v1.2 | An OS Command Injection vulnerability in TP-Link Archer BE230 v1.2(vpn modules) allows adjacent authenticated attacker execute arbitrary code. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22223 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin’s authentication in the cloud communication interface on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22224 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin’s authentication in the VPN Connection Service on the Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22225 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin’s authentication in the VPN server configuration module on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22226 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin’s authentication via the configuration backup restoration function of the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22227 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | An authenticated user with high privileges may trigger a denial‑of‑service condition in TP-Link Archer BE230 v1.2 by restoring a crafted configuration file containing an excessively long parameter. Restoring such a file can cause the device to become unresponsive, requiring a reboot to restore normal operation. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-03 | not yet calculated | CVE-2026-22228 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4941/ |
| TP-Link Systems Inc.–Archer BE230 v1.2 | A command injection vulnerability may be exploited after the admin’s authentication via the import of a crafted VPN client configuration file on the TP-Link Archer BE230 v1.2. Successful exploitation could allow an attacker to gain full administrative control of the device, resulting in severe compromise of configuration integrity, network security, and service availability. This CVE covers one of multiple distinct OS command injection issues identified across separate code paths. Although similar in nature, each instance is tracked under a unique CVE ID. This issue affects Archer BE230 v1.2 < 1.2.4 Build 20251218 rel.70420. | 2026-02-02 | not yet calculated | CVE-2026-22229 | https://www.tp-link.com/us/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/en/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/sg/support/download/archer-be230/v1.20/#Firmware https://www.tp-link.com/us/support/faq/4935/ |
| ELECOM CO.,LTD.–WRC-X1500GS-B | OS command injection vulnerability exists in WRC-X1500GS-B and WRC-X1500GSA-B. A crafted request from a logged-in user may lead to an arbitrary OS command execution. | 2026-02-03 | not yet calculated | CVE-2026-22550 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| Six Apart Ltd.–Movable Type (Software Edition) | Movable Type contains a stored cross-site scripting vulnerability in Export Sites. If crafted input is stored by an attacker, arbitrary script may be executed on a logged-in user’s web browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-22875 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Cybozu, Inc.–Cybozu Garoon | Cross-site scripting vulnerability exists in Message function of Cybozu Garoon 5.15.0 to 6.0.3, which may allow an attacker to reset arbitrary users’ passwords. | 2026-02-02 | not yet calculated | CVE-2026-22881 | https://kb.cybozu.support/article/39084/ https://jvn.jp/en/jp/JVN35265756/ |
| Cybozu, Inc.–Cybozu Garoon | Improper input verification issue exists in Cybozu Garoon 5.0.0 to 6.0.3, which may lead to unauthorized alteration of portal settings, potentially blocking access to the product. | 2026-02-02 | not yet calculated | CVE-2026-22888 | https://kb.cybozu.support/article/39083/ https://jvn.jp/en/jp/JVN35265756/ |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: mac80211_hwsim: fix typo in frequency notification The NAN notification is for 5745 MHz which corresponds to channel 149 and not 5475 which is not actually a valid channel. This could result in a NULL pointer dereference in cfg80211_next_nan_dw_notif. | 2026-02-04 | not yet calculated | CVE-2026-23040 | https://git.kernel.org/stable/c/1251bbdb8f5b2ea86ca9b4268a2e6aa34372ab33 https://git.kernel.org/stable/c/333418872bfecf4843f1ded7a4151685dfcf07d5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bnxt_en: Fix NULL pointer crash in bnxt_ptp_enable during error cleanup When bnxt_init_one() fails during initialization (e.g., bnxt_init_int_mode returns -ENODEV), the error path calls bnxt_free_hwrm_resources() which destroys the DMA pool and sets bp->hwrm_dma_pool to NULL. Subsequently, bnxt_ptp_clear() is called, which invokes ptp_clock_unregister(). Since commit a60fc3294a37 (“ptp: rework ptp_clock_unregister() to disable events”), ptp_clock_unregister() now calls ptp_disable_all_events(), which in turn invokes the driver’s .enable() callback (bnxt_ptp_enable()) to disable PTP events before completing the unregistration. bnxt_ptp_enable() attempts to send HWRM commands via bnxt_ptp_cfg_pin() and bnxt_ptp_cfg_event(), both of which call hwrm_req_init(). This function tries to allocate from bp->hwrm_dma_pool, causing a NULL pointer dereference: bnxt_en 0000:01:00.0 (unnamed net_device) (uninitialized): bnxt_init_int_mode err: ffffffed KASAN: null-ptr-deref in range [0x0000000000000028-0x000000000000002f] Call Trace: __hwrm_req_init (drivers/net/ethernet/broadcom/bnxt/bnxt_hwrm.c:72) bnxt_ptp_enable (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:323 drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:517) ptp_disable_all_events (drivers/ptp/ptp_chardev.c:66) ptp_clock_unregister (drivers/ptp/ptp_clock.c:518) bnxt_ptp_clear (drivers/net/ethernet/broadcom/bnxt/bnxt_ptp.c:1134) bnxt_init_one (drivers/net/ethernet/broadcom/bnxt/bnxt.c:16889) Lines are against commit f8f9c1f4d0c7 (“Linux 6.19-rc3”) Fix this by clearing and unregistering ptp (bnxt_ptp_clear()) before freeing HWRM resources. | 2026-02-04 | not yet calculated | CVE-2026-23041 | https://git.kernel.org/stable/c/0174d5466caefc22f03a36c43b2a3cce7e332627 https://git.kernel.org/stable/c/3358995b1a7f9dcb52a56ec8251570d71024dad0 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: idpf: fix aux device unplugging when rdma is not supported by vport If vport flags do not contain VIRTCHNL2_VPORT_ENABLE_RDMA, driver does not allocate vdev_info for this vport. This leads to kernel NULL pointer dereference in idpf_idc_vport_dev_down(), which references vdev_info for every vport regardless. Check, if vdev_info was ever allocated before unplugging aux device. | 2026-02-04 | not yet calculated | CVE-2026-23042 | https://git.kernel.org/stable/c/0ad6d6e50e9d8bf596cfe77a882ddc20b29f525a https://git.kernel.org/stable/c/4648fb2f2e7210c53b85220ee07d42d1e4bae3f9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: btrfs: fix NULL pointer dereference in do_abort_log_replay() Coverity reported a NULL pointer dereference issue (CID 1666756) in do_abort_log_replay(). When btrfs_alloc_path() fails in replay_one_buffer(), wc->subvol_path is NULL, but btrfs_abort_log_replay() calls do_abort_log_replay() which unconditionally dereferences wc->subvol_path when attempting to print debug information. Fix this by adding a NULL check before dereferencing wc->subvol_path in do_abort_log_replay(). | 2026-02-04 | not yet calculated | CVE-2026-23043 | https://git.kernel.org/stable/c/6d1b61b8e1e44888c643d89225ab819b10649b2e https://git.kernel.org/stable/c/530e3d4af566ca44807d79359b90794dea24c4f3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: PM: hibernate: Fix crash when freeing invalid crypto compressor When crypto_alloc_acomp() fails, it returns an ERR_PTR value, not NULL. The cleanup code in save_compressed_image() and load_compressed_image() unconditionally calls crypto_free_acomp() without checking for ERR_PTR, which causes crypto_acomp_tfm() to dereference an invalid pointer and crash the kernel. This can be triggered when the compression algorithm is unavailable (e.g., CONFIG_CRYPTO_LZO not enabled). Fix by adding IS_ERR_OR_NULL() checks before calling crypto_free_acomp() and acomp_request_free(), similar to the existing kthread_stop() check. [ rjw: Added 2 empty code lines ] | 2026-02-04 | not yet calculated | CVE-2026-23044 | https://git.kernel.org/stable/c/b7a883b0135dbc6817e90a829421c9fc8cd94bad https://git.kernel.org/stable/c/7966cf0ebe32c981bfa3db252cb5fc3bb1bf2e77 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/ena: fix missing lock when update devlink params Fix assert lock warning while calling devl_param_driverinit_value_set() in ena. WARNING: net/devlink/core.c:261 at devl_assert_locked+0x62/0x90, CPU#0: kworker/0:0/9 CPU: 0 UID: 0 PID: 9 Comm: kworker/0:0 Not tainted 6.19.0-rc2+ #1 PREEMPT(lazy) Hardware name: Amazon EC2 m8i-flex.4xlarge/, BIOS 1.0 10/16/2017 Workqueue: events work_for_cpu_fn RIP: 0010:devl_assert_locked+0x62/0x90 Call Trace: <TASK> devl_param_driverinit_value_set+0x15/0x1c0 ena_devlink_alloc+0x18c/0x220 [ena] ? __pfx_ena_devlink_alloc+0x10/0x10 [ena] ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? devm_ioremap_wc+0x9a/0xd0 ena_probe+0x4d2/0x1b20 [ena] ? __lock_acquire+0x56a/0xbd0 ? __pfx_ena_probe+0x10/0x10 [ena] ? local_clock+0x15/0x30 ? __lock_release.isra.0+0x1c9/0x340 ? mark_held_locks+0x40/0x70 ? lockdep_hardirqs_on_prepare.part.0+0x92/0x170 ? trace_hardirqs_on+0x18/0x140 ? lockdep_hardirqs_on+0x8c/0x130 ? __raw_spin_unlock_irqrestore+0x5d/0x80 ? __raw_spin_unlock_irqrestore+0x46/0x80 ? __pfx_ena_probe+0x10/0x10 [ena] …… </TASK> | 2026-02-04 | not yet calculated | CVE-2026-23045 | https://git.kernel.org/stable/c/f2c4bcfa193eef1b7457a56be9c47a8de015f225 https://git.kernel.org/stable/c/8da901ffe497a53fa4ecc3ceed0e6d771586f88e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: virtio_net: fix device mismatch in devm_kzalloc/devm_kfree Initial rss_hdr allocation uses virtio_device->device, but virtnet_set_queues() frees using net_device->device. This device mismatch causing below devres warning [ 3788.514041] ————[ cut here ]———— [ 3788.514044] WARNING: drivers/base/devres.c:1095 at devm_kfree+0x84/0x98, CPU#16: vdpa/1463 [ 3788.514054] Modules linked in: octep_vdpa virtio_net virtio_vdpa [last unloaded: virtio_vdpa] [ 3788.514064] CPU: 16 UID: 0 PID: 1463 Comm: vdpa Tainted: G W 6.18.0 #10 PREEMPT [ 3788.514067] Tainted: [W]=WARN [ 3788.514069] Hardware name: Marvell CN106XX board (DT) [ 3788.514071] pstate: 63400009 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=–) [ 3788.514074] pc : devm_kfree+0x84/0x98 [ 3788.514076] lr : devm_kfree+0x54/0x98 [ 3788.514079] sp : ffff800084e2f220 [ 3788.514080] x29: ffff800084e2f220 x28: ffff0003b2366000 x27: 000000000000003f [ 3788.514085] x26: 000000000000003f x25: ffff000106f17c10 x24: 0000000000000080 [ 3788.514089] x23: ffff00045bb8ab08 x22: ffff00045bb8a000 x21: 0000000000000018 [ 3788.514093] x20: ffff0004355c3080 x19: ffff00045bb8aa00 x18: 0000000000080000 [ 3788.514098] x17: 0000000000000040 x16: 000000000000001f x15: 000000000007ffff [ 3788.514102] x14: 0000000000000488 x13: 0000000000000005 x12: 00000000000fffff [ 3788.514106] x11: ffffffffffffffff x10: 0000000000000005 x9 : ffff800080c8c05c [ 3788.514110] x8 : ffff800084e2eeb8 x7 : 0000000000000000 x6 : 000000000000003f [ 3788.514115] x5 : ffff8000831bafe0 x4 : ffff800080c8b010 x3 : ffff0004355c3080 [ 3788.514119] x2 : ffff0004355c3080 x1 : 0000000000000000 x0 : 0000000000000000 [ 3788.514123] Call trace: [ 3788.514125] devm_kfree+0x84/0x98 (P) [ 3788.514129] virtnet_set_queues+0x134/0x2e8 [virtio_net] [ 3788.514135] virtnet_probe+0x9c0/0xe00 [virtio_net] [ 3788.514139] virtio_dev_probe+0x1e0/0x338 [ 3788.514144] really_probe+0xc8/0x3a0 [ 3788.514149] __driver_probe_device+0x84/0x170 [ 3788.514152] driver_probe_device+0x44/0x120 [ 3788.514155] __device_attach_driver+0xc4/0x168 [ 3788.514158] bus_for_each_drv+0x8c/0xf0 [ 3788.514161] __device_attach+0xa4/0x1c0 [ 3788.514164] device_initial_probe+0x1c/0x30 [ 3788.514168] bus_probe_device+0xb4/0xc0 [ 3788.514170] device_add+0x614/0x828 [ 3788.514173] register_virtio_device+0x214/0x258 [ 3788.514175] virtio_vdpa_probe+0xa0/0x110 [virtio_vdpa] [ 3788.514179] vdpa_dev_probe+0xa8/0xd8 [ 3788.514183] really_probe+0xc8/0x3a0 [ 3788.514186] __driver_probe_device+0x84/0x170 [ 3788.514189] driver_probe_device+0x44/0x120 [ 3788.514192] __device_attach_driver+0xc4/0x168 [ 3788.514195] bus_for_each_drv+0x8c/0xf0 [ 3788.514197] __device_attach+0xa4/0x1c0 [ 3788.514200] device_initial_probe+0x1c/0x30 [ 3788.514203] bus_probe_device+0xb4/0xc0 [ 3788.514206] device_add+0x614/0x828 [ 3788.514209] _vdpa_register_device+0x58/0x88 [ 3788.514211] octep_vdpa_dev_add+0x104/0x228 [octep_vdpa] [ 3788.514215] vdpa_nl_cmd_dev_add_set_doit+0x2d0/0x3c0 [ 3788.514218] genl_family_rcv_msg_doit+0xe4/0x158 [ 3788.514222] genl_rcv_msg+0x218/0x298 [ 3788.514225] netlink_rcv_skb+0x64/0x138 [ 3788.514229] genl_rcv+0x40/0x60 [ 3788.514233] netlink_unicast+0x32c/0x3b0 [ 3788.514237] netlink_sendmsg+0x170/0x3b8 [ 3788.514241] __sys_sendto+0x12c/0x1c0 [ 3788.514246] __arm64_sys_sendto+0x30/0x48 [ 3788.514249] invoke_syscall.constprop.0+0x58/0xf8 [ 3788.514255] do_el0_svc+0x48/0xd0 [ 3788.514259] el0_svc+0x48/0x210 [ 3788.514264] el0t_64_sync_handler+0xa0/0xe8 [ 3788.514268] el0t_64_sync+0x198/0x1a0 [ 3788.514271] —[ end trace 0000000000000000 ]— Fix by using virtio_device->device consistently for allocation and deallocation | 2026-02-04 | not yet calculated | CVE-2026-23046 | https://git.kernel.org/stable/c/a5e2d902f64c76169c771f584559c82b588090e3 https://git.kernel.org/stable/c/acb4bc6e1ba34ae1a34a9334a1ce8474c909466e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: libceph: make calc_target() set t->paused, not just clear it Currently calc_target() clears t->paused if the request shouldn’t be paused anymore, but doesn’t ever set t->paused even though it’s able to determine when the request should be paused. Setting t->paused is left to __submit_request() which is fine for regular requests but doesn’t work for linger requests — since __submit_request() doesn’t operate on linger requests, there is nowhere for lreq->t.paused to be set. One consequence of this is that watches don’t get reestablished on paused -> unpaused transitions in cases where requests have been paused long enough for the (paused) unwatch request to time out and for the subsequent (re)watch request to enter the paused state. On top of the watch not getting reestablished, rbd_reregister_watch() gets stuck with rbd_dev->watch_mutex held: rbd_register_watch __rbd_register_watch ceph_osdc_watch linger_reg_commit_wait It’s waiting for lreq->reg_commit_wait to be completed, but for that to happen the respective request needs to end up on need_resend_linger list and be kicked when requests are unpaused. There is no chance for that if the request in question is never marked paused in the first place. The fact that rbd_dev->watch_mutex remains taken out forever then prevents the image from getting unmapped — “rbd unmap” would inevitably hang in D state on an attempt to grab the mutex. | 2026-02-04 | not yet calculated | CVE-2026-23047 | https://git.kernel.org/stable/c/2b3329b3c29d9e188e40d902d5230c2d5989b940 https://git.kernel.org/stable/c/5d0dc83cb9a69c1d0bea58f1c430199b05f6b021 https://git.kernel.org/stable/c/4d3399c52e0e61720ae898f5a0b5b75d4460ae24 https://git.kernel.org/stable/c/4ebc711b738d139cabe2fc9e7e7749847676a342 https://git.kernel.org/stable/c/6f468f6ff233c6a81e0e761d9124e982903fe9a5 https://git.kernel.org/stable/c/5647d42c47b535573b63e073e91164d6a5bb058c https://git.kernel.org/stable/c/c0fe2994f9a9d0a2ec9e42441ea5ba74b6a16176 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: udp: call skb_orphan() before skb_attempt_defer_free() Standard UDP receive path does not use skb->destructor. But skmsg layer does use it, since it calls skb_set_owner_sk_safe() from udp_read_skb(). This then triggers this warning in skb_attempt_defer_free(): DEBUG_NET_WARN_ON_ONCE(skb->destructor); We must call skb_orphan() to fix this issue. | 2026-02-04 | not yet calculated | CVE-2026-23048 | https://git.kernel.org/stable/c/0c63d5683eae6a7b4d81382bcbecb2a19feff90d https://git.kernel.org/stable/c/e5c8eda39a9fc1547d1398d707aa06c1d080abdd |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/panel-simple: fix connector type for DataImage SCF0700C48GGU18 panel The connector type for the DataImage SCF0700C48GGU18 panel is missing and devm_drm_panel_bridge_add() requires connector type to be set. This leads to a warning and a backtrace in the kernel log and panel does not work: ” WARNING: CPU: 3 PID: 38 at drivers/gpu/drm/bridge/panel.c:379 devm_drm_of_get_bridge+0xac/0xb8 ” The warning is triggered by a check for valid connector type in devm_drm_panel_bridge_add(). If there is no valid connector type set for a panel, the warning is printed and panel is not added. Fill in the missing connector type to fix the warning and make the panel operational once again. | 2026-02-04 | not yet calculated | CVE-2026-23049 | https://git.kernel.org/stable/c/f4c330b4499e7334ec6fce535574e09d55843d71 https://git.kernel.org/stable/c/bb309377eece5317207d71fd833f99cca4727fbd https://git.kernel.org/stable/c/83e0d8d22e7ee3151af1951595104887eebed6ab https://git.kernel.org/stable/c/bc0b17bdba3838e9e17e7e9adc968384ac99938b https://git.kernel.org/stable/c/04218cd68d1502000823c8288f37b4f171dcdcae https://git.kernel.org/stable/c/f7940d3ec1dc6bf719eddc69d4b8e52cc2201896 https://git.kernel.org/stable/c/6ab3d4353bf75005eaa375677c9fed31148154d6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: pNFS: Fix a deadlock when returning a delegation during open() Ben Coddington reports seeing a hang in the following stack trace: 0 [ffffd0b50e1774e0] __schedule at ffffffff9ca05415 1 [ffffd0b50e177548] schedule at ffffffff9ca05717 2 [ffffd0b50e177558] bit_wait at ffffffff9ca061e1 3 [ffffd0b50e177568] __wait_on_bit at ffffffff9ca05cfb 4 [ffffd0b50e1775c8] out_of_line_wait_on_bit at ffffffff9ca05ea5 5 [ffffd0b50e177618] pnfs_roc at ffffffffc154207b [nfsv4] 6 [ffffd0b50e1776b8] _nfs4_proc_delegreturn at ffffffffc1506586 [nfsv4] 7 [ffffd0b50e177788] nfs4_proc_delegreturn at ffffffffc1507480 [nfsv4] 8 [ffffd0b50e1777f8] nfs_do_return_delegation at ffffffffc1523e41 [nfsv4] 9 [ffffd0b50e177838] nfs_inode_set_delegation at ffffffffc1524a75 [nfsv4] 10 [ffffd0b50e177888] nfs4_process_delegation at ffffffffc14f41dd [nfsv4] 11 [ffffd0b50e1778a0] _nfs4_opendata_to_nfs4_state at ffffffffc1503edf [nfsv4] 12 [ffffd0b50e1778c0] _nfs4_open_and_get_state at ffffffffc1504e56 [nfsv4] 13 [ffffd0b50e177978] _nfs4_do_open at ffffffffc15051b8 [nfsv4] 14 [ffffd0b50e1779f8] nfs4_do_open at ffffffffc150559c [nfsv4] 15 [ffffd0b50e177a80] nfs4_atomic_open at ffffffffc15057fb [nfsv4] 16 [ffffd0b50e177ad0] nfs4_file_open at ffffffffc15219be [nfsv4] 17 [ffffd0b50e177b78] do_dentry_open at ffffffff9c09e6ea 18 [ffffd0b50e177ba8] vfs_open at ffffffff9c0a082e 19 [ffffd0b50e177bd0] dentry_open at ffffffff9c0a0935 The issue is that the delegreturn is being asked to wait for a layout return that cannot complete because a state recovery was initiated. The state recovery cannot complete until the open() finishes processing the delegations it was given. The solution is to propagate the existing flags that indicate a non-blocking call to the function pnfs_roc(), so that it knows not to wait in this situation. | 2026-02-04 | not yet calculated | CVE-2026-23050 | https://git.kernel.org/stable/c/a316fd9d3065b753b03d802530004aea481512cc https://git.kernel.org/stable/c/d6c75aa9d607044d1e5c8498eff0259eed356c32 https://git.kernel.org/stable/c/857bf9056291a16785ae3be1d291026b2437fc48 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu: fix drm panic null pointer when driver not support atomic When driver not support atomic, fb using plane->fb rather than plane->state->fb. (cherry picked from commit 2f2a72de673513247cd6fae14e53f6c40c5841ef) | 2026-02-04 | not yet calculated | CVE-2026-23051 | https://git.kernel.org/stable/c/a1aedf4053af7dad3772b94b057a7d1f5473055f https://git.kernel.org/stable/c/9cb6278b44c38899961b36d303d7b18b38be2a6e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ftrace: Do not over-allocate ftrace memory The pg_remaining calculation in ftrace_process_locs() assumes that ENTRIES_PER_PAGE multiplied by 2^order equals the actual capacity of the allocated page group. However, ENTRIES_PER_PAGE is PAGE_SIZE / ENTRY_SIZE (integer division). When PAGE_SIZE is not a multiple of ENTRY_SIZE (e.g. 4096 / 24 = 170 with remainder 16), high-order allocations (like 256 pages) have significantly more capacity than 256 * 170. This leads to pg_remaining being underestimated, which in turn makes skip (derived from skipped – pg_remaining) larger than expected, causing the WARN(skip != remaining) to trigger. Extra allocated pages for ftrace: 2 with 654 skipped WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7295 ftrace_process_locs+0x5bf/0x5e0 A similar problem in ftrace_allocate_records() can result in allocating too many pages. This can trigger the second warning in ftrace_process_locs(). Extra allocated pages for ftrace WARNING: CPU: 0 PID: 0 at kernel/trace/ftrace.c:7276 ftrace_process_locs+0x548/0x580 Use the actual capacity of a page group to determine the number of pages to allocate. Have ftrace_allocate_pages() return the number of allocated pages to avoid having to calculate it. Use the actual page group capacity when validating the number of unused pages due to skipped entries. Drop the definition of ENTRIES_PER_PAGE since it is no longer used. | 2026-02-04 | not yet calculated | CVE-2026-23052 | https://git.kernel.org/stable/c/9aef476717994e96dadfb359641c4b82b521aa36 https://git.kernel.org/stable/c/be55257fab181b93af38f8c4b1b3cb453a78d742 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: NFS: Fix a deadlock involving nfs_release_folio() Wang Zhaolong reports a deadlock involving NFSv4.1 state recovery waiting on kthreadd, which is attempting to reclaim memory by calling nfs_release_folio(). The latter cannot make progress due to state recovery being needed. It seems that the only safe thing to do here is to kick off a writeback of the folio, without waiting for completion, or else kicking off an asynchronous commit. | 2026-02-04 | not yet calculated | CVE-2026-23053 | https://git.kernel.org/stable/c/49d352bc263fe4a834233338bfaad31b3109addf https://git.kernel.org/stable/c/19b4d9ab5e77843eac0429c019470c02f8710b55 https://git.kernel.org/stable/c/cce0be6eb4971456b703aaeafd571650d314bcca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: hv_netvsc: reject RSS hash key programming without RX indirection table RSS configuration requires a valid RX indirection table. When the device reports a single receive queue, rndis_filter_device_add() does not allocate an indirection table, accepting RSS hash key updates in this state leads to a hang. Fix this by gating netvsc_set_rxfh() on ndc->rx_table_sz and return -EOPNOTSUPP when the table is absent. This aligns set_rxfh with the device capabilities and prevents incorrect behavior. | 2026-02-04 | not yet calculated | CVE-2026-23054 | https://git.kernel.org/stable/c/8288136f508e78eb3563e7073975999cf225a2f9 https://git.kernel.org/stable/c/82c9039c8ebb715753a40434df714f865a3aec9c https://git.kernel.org/stable/c/4cd55c609e85ae2313248ef1a33619a3eef44a16 https://git.kernel.org/stable/c/11dd9a9ef4dc4507a15a69b8511a0013c6c28fa3 https://git.kernel.org/stable/c/d23564955811da493f34412d7de60fa268c8cb50 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: i2c: riic: Move suspend handling to NOIRQ phase Commit 53326135d0e0 (“i2c: riic: Add suspend/resume support”) added suspend support for the Renesas I2C driver and following this change on RZ/G3E the following WARNING is seen on entering suspend … [ 134.275704] Freezing remaining freezable tasks completed (elapsed 0.001 seconds) [ 134.285536] ————[ cut here ]———— [ 134.290298] i2c i2c-2: Transfer while suspended [ 134.295174] WARNING: drivers/i2c/i2c-core.h:56 at __i2c_smbus_xfer+0x1e4/0x214, CPU#0: systemd-sleep/388 [ 134.365507] Tainted: [W]=WARN [ 134.368485] Hardware name: Renesas SMARC EVK version 2 based on r9a09g047e57 (DT) [ 134.375961] pstate: 60400005 (nZCv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) [ 134.382935] pc : __i2c_smbus_xfer+0x1e4/0x214 [ 134.387329] lr : __i2c_smbus_xfer+0x1e4/0x214 [ 134.391717] sp : ffff800083f23860 [ 134.395040] x29: ffff800083f23860 x28: 0000000000000000 x27: ffff800082ed5d60 [ 134.402226] x26: 0000001f4395fd74 x25: 0000000000000007 x24: 0000000000000001 [ 134.409408] x23: 0000000000000000 x22: 000000000000006f x21: ffff800083f23936 [ 134.416589] x20: ffff0000c090e140 x19: ffff0000c090e0d0 x18: 0000000000000006 [ 134.423771] x17: 6f63657320313030 x16: 2e30206465737061 x15: ffff800083f23280 [ 134.430953] x14: 0000000000000000 x13: ffff800082b16ce8 x12: 0000000000000f09 [ 134.438134] x11: 0000000000000503 x10: ffff800082b6ece8 x9 : ffff800082b16ce8 [ 134.445315] x8 : 00000000ffffefff x7 : ffff800082b6ece8 x6 : 80000000fffff000 [ 134.452495] x5 : 0000000000000504 x4 : 0000000000000000 x3 : 0000000000000000 [ 134.459672] x2 : 0000000000000000 x1 : 0000000000000000 x0 : ffff0000c9ee9e80 [ 134.466851] Call trace: [ 134.469311] __i2c_smbus_xfer+0x1e4/0x214 (P) [ 134.473715] i2c_smbus_xfer+0xbc/0x120 [ 134.477507] i2c_smbus_read_byte_data+0x4c/0x84 [ 134.482077] isl1208_i2c_read_time+0x44/0x178 [rtc_isl1208] [ 134.487703] isl1208_rtc_read_time+0x14/0x20 [rtc_isl1208] [ 134.493226] __rtc_read_time+0x44/0x88 [ 134.497012] rtc_read_time+0x3c/0x68 [ 134.500622] rtc_suspend+0x9c/0x170 The warning is triggered because I2C transfers can still be attempted while the controller is already suspended, due to inappropriate ordering of the system sleep callbacks. If the controller is autosuspended, there is no way to wake it up once runtime PM disabled (in suspend_late()). During system resume, the I2C controller will be available only after runtime PM is re-enabled (in resume_early()). However, this may be too late for some devices. Wake up the controller in the suspend() callback while runtime PM is still enabled. The I2C controller will remain available until the suspend_noirq() callback (pm_runtime_force_suspend()) is called. During resume, the I2C controller can be restored by the resume_noirq() callback (pm_runtime_force_resume()). Finally, the resume() callback re-enables autosuspend. As a result, the I2C controller can remain available until the system enters suspend_noirq() and from resume_noirq(). | 2026-02-04 | not yet calculated | CVE-2026-23055 | https://git.kernel.org/stable/c/469f8fe4c87e43520f279e45b927c35d6fe99194 https://git.kernel.org/stable/c/0b4c0fbbe00b7de76bdaea7fa771017d7a979b0d https://git.kernel.org/stable/c/e383f0961422f983451ac4dd6aed1a3d3311f2be |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: implement mremap in uacce_vm_ops to return -EPERM The current uacce_vm_ops does not support the mremap operation of vm_operations_struct. Implement .mremap to return -EPERM to remind users. The reason we need to explicitly disable mremap is that when the driver does not implement .mremap, it uses the default mremap method. This could lead to a risk scenario: An application might first mmap address p1, then mremap to p2, followed by munmap(p1), and finally munmap(p2). Since the default mremap copies the original vma’s vm_private_data (i.e., q) to the new vma, both munmap operations would trigger vma_close, causing q->qfr to be freed twice(qfr will be set to null here, so repeated release is ok). | 2026-02-04 | not yet calculated | CVE-2026-23056 | https://git.kernel.org/stable/c/78d99f062d42e3af2ca46bde1a8e46e0dfd372e3 https://git.kernel.org/stable/c/ebfa85658a39b49ec3901ceea7535b73aa0429e6 https://git.kernel.org/stable/c/75b29bdc935ff93b8e8bf6f6b4d8a4810b26e06f https://git.kernel.org/stable/c/4c042bc71474dbe417c268f4bfb8ec196f802f07 https://git.kernel.org/stable/c/a407ddd61b3e6afc5ccfcd1478797171cf5686ee https://git.kernel.org/stable/c/ba29b59d124e725e0377f09b2044909c91d657a1 https://git.kernel.org/stable/c/02695347be532b628f22488300d40c4eba48b9b7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: Coalesce only linear skb vsock/virtio common tries to coalesce buffers in rx queue: if a linear skb (with a spare tail room) is followed by a small skb (length limited by GOOD_COPY_LEN = 128), an attempt is made to join them. Since the introduction of MSG_ZEROCOPY support, assumption that a small skb will always be linear is incorrect. In the zerocopy case, data is lost and the linear skb is appended with uninitialized kernel memory. Of all 3 supported virtio-based transports, only loopback-transport is affected. G2H virtio-transport rx queue operates on explicitly linear skbs; see virtio_vsock_alloc_linear_skb() in virtio_vsock_rx_fill(). H2G vhost-transport may allocate non-linear skbs, but only for sizes that are not considered for coalescence; see PAGE_ALLOC_COSTLY_ORDER in virtio_vsock_alloc_skb(). Ensure only linear skbs are coalesced. Note that skb_tailroom(last_skb) > 0 guarantees last_skb is linear. | 2026-02-04 | not yet calculated | CVE-2026-23057 | https://git.kernel.org/stable/c/568e9cd8ed7ca9bf748c7687ba6501f29d30e59f https://git.kernel.org/stable/c/63ef9b300bd09e24c57050c5dbe68feedce42e72 https://git.kernel.org/stable/c/0386bd321d0f95d041a7b3d7b07643411b044a96 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: ems_usb: ems_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”). In ems_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback ems_usb_read_bulk_callback(), the URBs are processed and resubmitted. In ems_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in ems_usb_close(). Fix the memory leak by anchoring the URB in the ems_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23058 | https://git.kernel.org/stable/c/e2c71030dc464d437110bcfb367c493fd402bddb https://git.kernel.org/stable/c/f48eabd15194b216030b32445f44230df95f5fe0 https://git.kernel.org/stable/c/61e6d3674c3d1da1475dc207b3e75c55d678d18e https://git.kernel.org/stable/c/e9410fdd4d5f7eaa6526d8c80e83029d7c86a8e8 https://git.kernel.org/stable/c/46a191ff7eeec33a2ccb2a1bfea34e18fbc5dc1a https://git.kernel.org/stable/c/68c62b3e53901846b5f68c5a8bade72a5d9c0b87 https://git.kernel.org/stable/c/0ce73a0eb5a27070957b67fd74059b6da89cc516 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: qla2xxx: Sanitize payload size to prevent member overflow In qla27xx_copy_fpin_pkt() and qla27xx_copy_multiple_pkt(), the frame_size reported by firmware is used to calculate the copy length into item->iocb. However, the iocb member is defined as a fixed-size 64-byte array within struct purex_item. If the reported frame_size exceeds 64 bytes, subsequent memcpy calls will overflow the iocb member boundary. While extra memory might be allocated, this cross-member write is unsafe and triggers warnings under CONFIG_FORTIFY_SOURCE. Fix this by capping total_bytes to the size of the iocb member (64 bytes) before allocation and copying. This ensures all copies remain within the bounds of the destination structure member. | 2026-02-04 | not yet calculated | CVE-2026-23059 | https://git.kernel.org/stable/c/408bfa8d70f79ac696cec1bdbdfb3bf43a02e6d0 https://git.kernel.org/stable/c/1922468a4a80424e5a69f7ba50adcee37f4722e9 https://git.kernel.org/stable/c/aa14451fa5d5f2de919384c637e2a8c604e1a1fe https://git.kernel.org/stable/c/19bc5f2a6962dfaa0e32d0e0bc2271993d85d414 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: crypto: authencesn – reject too-short AAD (assoclen<8) to match ESP/ESN spec authencesn assumes an ESP/ESN-formatted AAD. When assoclen is shorter than the minimum expected length, crypto_authenc_esn_decrypt() can advance past the end of the destination scatterlist and trigger a NULL pointer dereference in scatterwalk_map_and_copy(), leading to a kernel panic (DoS). Add a minimum AAD length check to fail fast on invalid inputs. | 2026-02-04 | not yet calculated | CVE-2026-23060 | https://git.kernel.org/stable/c/df22c9a65e9a9daa368a72fed596af9d7d5876bb https://git.kernel.org/stable/c/fee86edf5803f1d1f19e3b4f2dacac241bddfa48 https://git.kernel.org/stable/c/767e8349f7e929b7dd95c08f0b4cb353459b365e https://git.kernel.org/stable/c/b0a9609283a5c852addb513dafa655c61eebc1ef https://git.kernel.org/stable/c/161bdc90fce25bd9890adc67fa1c8563a7acbf40 https://git.kernel.org/stable/c/9532ff0d0e90ff78a214299f594ab9bac81defe4 https://git.kernel.org/stable/c/2397e9264676be7794f8f7f1e9763d90bd3c7335 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: kvaser_usb: kvaser_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”). In kvaser_usb_set_{,data_}bittiming() -> kvaser_usb_setup_rx_urbs(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback kvaser_usb_read_bulk_callback(), the URBs are processed and resubmitted. In kvaser_usb_remove_interfaces() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the kvaser_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23061 | https://git.kernel.org/stable/c/d9d824582f2ec76459ffab449e9b05c7bc49645c https://git.kernel.org/stable/c/40a3334ffda479c63e416e61ff086485e24401f7 https://git.kernel.org/stable/c/c1b39fa24c140bc616f51fef4175c1743e2bb132 https://git.kernel.org/stable/c/7c308f7530bffafa994e0aa8dc651a312f4b9ff4 https://git.kernel.org/stable/c/94a7fc42e21c7d9d1c49778cd1db52de5df52a01 https://git.kernel.org/stable/c/3b1a593eab941c3f32417896cc7df564191f2482 https://git.kernel.org/stable/c/248e8e1a125fa875158df521b30f2cc7e27eeeaa |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86: hp-bioscfg: Fix kernel panic in GET_INSTANCE_ID macro The GET_INSTANCE_ID macro that caused a kernel panic when accessing sysfs attributes: 1. Off-by-one error: The loop condition used ‘<=’ instead of ‘<‘, causing access beyond array bounds. Since array indices are 0-based and go from 0 to instances_count-1, the loop should use ‘<‘. 2. Missing NULL check: The code dereferenced attr_name_kobj->name without checking if attr_name_kobj was NULL, causing a null pointer dereference in min_length_show() and other attribute show functions. The panic occurred when fwupd tried to read BIOS configuration attributes: Oops: general protection fault [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:min_length_show+0xcf/0x1d0 [hp_bioscfg] Add a NULL check for attr_name_kobj before dereferencing and corrects the loop boundary to match the pattern used elsewhere in the driver. | 2026-02-04 | not yet calculated | CVE-2026-23062 | https://git.kernel.org/stable/c/eb5ff1025c92117d5d1cc728bcfa294abe484da1 https://git.kernel.org/stable/c/eba49c1dee9c5e514ca18e52c545bba524e8a045 https://git.kernel.org/stable/c/193922a23d7294085a47d7719fdb7d66ad0a236f https://git.kernel.org/stable/c/25150715e0b049b99df664daf05dab12f41c3e13 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: ensure safe queue release with state management Directly calling `put_queue` carries risks since it cannot guarantee that resources of `uacce_queue` have been fully released beforehand. So adding a `stop_queue` operation for the UACCE_CMD_PUT_Q command and leaving the `put_queue` operation to the final resource release ensures safety. Queue states are defined as follows: – UACCE_Q_ZOMBIE: Initial state – UACCE_Q_INIT: After opening `uacce` – UACCE_Q_STARTED: After `start` is issued via `ioctl` When executing `poweroff -f` in virt while accelerator are still working, `uacce_fops_release` and `uacce_remove` may execute concurrently. This can cause `uacce_put_queue` within `uacce_fops_release` to access a NULL `ops` pointer. Therefore, add state checks to prevent accessing freed pointers. | 2026-02-04 | not yet calculated | CVE-2026-23063 | https://git.kernel.org/stable/c/b457abeb5d962db88aaf60e249402fd3073dbfab https://git.kernel.org/stable/c/8b57bf1d3b1db692f34bce694a03e41be79f6016 https://git.kernel.org/stable/c/336fb41a186e7c0415ae94fec9e23d1f04b87483 https://git.kernel.org/stable/c/43f233eb6e7b9d88536881a9bc43726d0e34800d https://git.kernel.org/stable/c/47634d70073890c9c37e39ab4ff93d4b585b028a https://git.kernel.org/stable/c/92e4f11e29b98ef424ff72d6371acac03e5d973c https://git.kernel.org/stable/c/26c08dabe5475d99a13f353d8dd70e518de45663 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: act_ife: avoid possible NULL deref tcf_ife_encode() must make sure ife_encode() does not return NULL. syzbot reported: Oops: general protection fault, probably for non-canonical address 0xdffffc0000000000: 0000 [#1] SMP KASAN NOPTI KASAN: null-ptr-deref in range [0x0000000000000000-0x0000000000000007] RIP: 0010:ife_tlv_meta_encode+0x41/0xa0 net/ife/ife.c:166 CPU: 3 UID: 0 PID: 8990 Comm: syz.0.696 Not tainted syzkaller #0 PREEMPT(full) Call Trace: <TASK> ife_encode_meta_u32+0x153/0x180 net/sched/act_ife.c:101 tcf_ife_encode net/sched/act_ife.c:841 [inline] tcf_ife_act+0x1022/0x1de0 net/sched/act_ife.c:877 tc_act include/net/tc_wrapper.h:130 [inline] tcf_action_exec+0x1c0/0xa20 net/sched/act_api.c:1152 tcf_exts_exec include/net/pkt_cls.h:349 [inline] mall_classify+0x1a0/0x2a0 net/sched/cls_matchall.c:42 tc_classify include/net/tc_wrapper.h:197 [inline] __tcf_classify net/sched/cls_api.c:1764 [inline] tcf_classify+0x7f2/0x1380 net/sched/cls_api.c:1860 multiq_classify net/sched/sch_multiq.c:39 [inline] multiq_enqueue+0xe0/0x510 net/sched/sch_multiq.c:66 dev_qdisc_enqueue+0x45/0x250 net/core/dev.c:4147 __dev_xmit_skb net/core/dev.c:4262 [inline] __dev_queue_xmit+0x2998/0x46c0 net/core/dev.c:4798 | 2026-02-04 | not yet calculated | CVE-2026-23064 | https://git.kernel.org/stable/c/4ef2c77851676b7ed106f0c47755bee9eeec9a40 https://git.kernel.org/stable/c/dd9442aedbeae87c44cc64c0ee41abd296dc008b https://git.kernel.org/stable/c/1440d749fe49c8665da6f744323b1671d25a56a0 https://git.kernel.org/stable/c/03710cebfc0bcfe247a9e04381e79ea33896e278 https://git.kernel.org/stable/c/374915dfc932adf57712df3be010667fd1190e3c https://git.kernel.org/stable/c/6c75fed55080014545f262b7055081cec4768b20 https://git.kernel.org/stable/c/27880b0b0d35ad1c98863d09788254e36f874968 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: platform/x86/amd: Fix memory leak in wbrf_record() The tmp buffer is allocated using kcalloc() but is not freed if acpi_evaluate_dsm() fails. This causes a memory leak in the error path. Fix this by explicitly freeing the tmp buffer in the error handling path of acpi_evaluate_dsm(). | 2026-02-04 | not yet calculated | CVE-2026-23065 | https://git.kernel.org/stable/c/1152dffe01af86e42ce2b208b92ef7f8c275d130 https://git.kernel.org/stable/c/1a0072bd1f1e559eda3e91a24dbc51c9eb025c54 https://git.kernel.org/stable/c/2bf1877b7094c684e1d652cac6912cfbc507ad3e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: rxrpc: Fix recvmsg() unconditional requeue If rxrpc_recvmsg() fails because MSG_DONTWAIT was specified but the call at the front of the recvmsg queue already has its mutex locked, it requeues the call – whether or not the call is already queued. The call may be on the queue because MSG_PEEK was also passed and so the call was not dequeued or because the I/O thread requeued it. The unconditional requeue may then corrupt the recvmsg queue, leading to things like UAFs or refcount underruns. Fix this by only requeuing the call if it isn’t already on the queue – and moving it to the front if it is already queued. If we don’t queue it, we have to put the ref we obtained by dequeuing it. Also, MSG_PEEK doesn’t dequeue the call so shouldn’t call rxrpc_notify_socket() for the call if we didn’t use up all the data on the queue, so fix that also. | 2026-02-04 | not yet calculated | CVE-2026-23066 | https://git.kernel.org/stable/c/930114425065f7ace6e0c0630fab4af75e059ea8 https://git.kernel.org/stable/c/2c28769a51deb6022d7fbd499987e237a01dd63a |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iommu/io-pgtable-arm: fix size_t signedness bug in unmap path __arm_lpae_unmap() returns size_t but was returning -ENOENT (negative error code) when encountering an unmapped PTE. Since size_t is unsigned, -ENOENT (typically -2) becomes a huge positive value (0xFFFFFFFFFFFFFFFE on 64-bit systems). This corrupted value propagates through the call chain: __arm_lpae_unmap() returns -ENOENT as size_t -> arm_lpae_unmap_pages() returns it -> __iommu_unmap() adds it to iova address -> iommu_pgsize() triggers BUG_ON due to corrupted iova This can cause IOVA address overflow in __iommu_unmap() loop and trigger BUG_ON in iommu_pgsize() from invalid address alignment. Fix by returning 0 instead of -ENOENT. The WARN_ON already signals the error condition, and returning 0 (meaning “nothing unmapped”) is the correct semantic for size_t return type. This matches the behavior of other io-pgtable implementations (io-pgtable-arm-v7s, io-pgtable-dart) which return 0 on error conditions. | 2026-02-04 | not yet calculated | CVE-2026-23067 | https://git.kernel.org/stable/c/41ec6988547819756fb65e94fc24f3e0dddf84ac https://git.kernel.org/stable/c/374e7af67d9d9d6103c2cfc8eb32abfecf3a2fd8 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: spi: spi-sprd-adi: Fix double free in probe error path The driver currently uses spi_alloc_host() to allocate the controller but registers it using devm_spi_register_controller(). If devm_register_restart_handler() fails, the code jumps to the put_ctlr label and calls spi_controller_put(). However, since the controller was registered via a devm function, the device core will automatically call spi_controller_put() again when the probe fails. This results in a double-free of the spi_controller structure. Fix this by switching to devm_spi_alloc_host() and removing the manual spi_controller_put() call. | 2026-02-04 | not yet calculated | CVE-2026-23068 | https://git.kernel.org/stable/c/bddd3d10d039729b81cfb0804520c8832a701a0e https://git.kernel.org/stable/c/417cdfd9b9f986e95bfcb1d68eb443e6e0a15f8c https://git.kernel.org/stable/c/346775f2b4cf839177e8e86b94aa180a06dc15b0 https://git.kernel.org/stable/c/f6d6b3f172df118db582fe5ec43ae223a55d99cf https://git.kernel.org/stable/c/383d4f5cffcc8df930d95b06518a9d25a6d74aac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: fix potential underflow in virtio_transport_get_credit() The credit calculation in virtio_transport_get_credit() uses unsigned arithmetic: ret = vvs->peer_buf_alloc – (vvs->tx_cnt – vvs->peer_fwd_cnt); If the peer shrinks its advertised buffer (peer_buf_alloc) while bytes are in flight, the subtraction can underflow and produce a large positive value, potentially allowing more data to be queued than the peer can handle. Reuse virtio_transport_has_space() which already handles this case and add a comment to make it clear why we are doing that. [Stefano: use virtio_transport_has_space() instead of duplicating the code] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23069 | https://git.kernel.org/stable/c/d96de882d6b99955604669d962ae14e94b66a551 https://git.kernel.org/stable/c/02f9af192b98d15883c70dd41ac76d1b0217c899 https://git.kernel.org/stable/c/d05bc313788f0684b27f0f5b60c52a844669b542 https://git.kernel.org/stable/c/ec0f1b3da8061be3173d1c39faaf9504f91942c3 https://git.kernel.org/stable/c/3ef3d52a1a9860d094395c7a3e593f3aa26ff012 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: Octeontx2-af: Add proper checks for fwdata firmware populates MAC address, link modes (supported, advertised) and EEPROM data in shared firmware structure which kernel access via MAC block(CGX/RPM). Accessing fwdata, on boards booted with out MAC block leading to kernel panics. Internal error: Oops: 0000000096000005 [#1] SMP [ 10.460721] Modules linked in: [ 10.463779] CPU: 0 UID: 0 PID: 174 Comm: kworker/0:3 Not tainted 6.19.0-rc5-00154-g76ec646abdf7-dirty #3 PREEMPT [ 10.474045] Hardware name: Marvell OcteonTX CN98XX board (DT) [ 10.479793] Workqueue: events work_for_cpu_fn [ 10.484159] pstate: 80400009 (Nzcv daif +PAN -UAO -TCO -DIT -SSBS BTYPE=–) [ 10.491124] pc : rvu_sdp_init+0x18/0x114 [ 10.495051] lr : rvu_probe+0xe58/0x1d18 | 2026-02-04 | not yet calculated | CVE-2026-23070 | https://git.kernel.org/stable/c/e343973fab43c266a40e4e0dabdc4216db6d5eff https://git.kernel.org/stable/c/4a3dba48188208e4f66822800e042686784d29d1 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: regmap: Fix race condition in hwspinlock irqsave routine Previously, the address of the shared member ‘&map->spinlock_flags’ was passed directly to ‘hwspin_lock_timeout_irqsave’. This creates a race condition where multiple contexts contending for the lock could overwrite the shared flags variable, potentially corrupting the state for the current lock owner. Fix this by using a local stack variable ‘flags’ to store the IRQ state temporarily. | 2026-02-04 | not yet calculated | CVE-2026-23071 | https://git.kernel.org/stable/c/e1a7072bc4f958c9e852dc7e57e39f12b0bb44b5 https://git.kernel.org/stable/c/766e243ae8c8b27087a4cc605752c0d5ee2daeab https://git.kernel.org/stable/c/f1e2fe26a51eca95b41420af76d22c2e613efd5e https://git.kernel.org/stable/c/24f31be6ad70537fd7706269d99c92cade465a09 https://git.kernel.org/stable/c/4aab0ca0a0f7760e33edcb4e47576064d05128f5 https://git.kernel.org/stable/c/c2d2cf710dc3ee1a69e00b4ed8de607a92a07889 https://git.kernel.org/stable/c/4b58aac989c1e3fafb1c68a733811859df388250 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: l2tp: Fix memleak in l2tp_udp_encap_recv(). syzbot reported memleak of struct l2tp_session, l2tp_tunnel, sock, etc. [0] The cited commit moved down the validation of the protocol version in l2tp_udp_encap_recv(). The new place requires an extra error handling to avoid the memleak. Let’s call l2tp_session_put() there. [0]: BUG: memory leak unreferenced object 0xffff88810a290200 (size 512): comm “syz.0.17”, pid 6086, jiffies 4294944299 hex dump (first 32 bytes): 7d eb 04 0c 00 00 00 00 01 00 00 00 00 00 00 00 }…………… 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. backtrace (crc babb6a4f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] __do_kmalloc_node mm/slub.c:5656 [inline] __kmalloc_noprof+0x3e0/0x660 mm/slub.c:5669 kmalloc_noprof include/linux/slab.h:961 [inline] kzalloc_noprof include/linux/slab.h:1094 [inline] l2tp_session_create+0x3a/0x3b0 net/l2tp/l2tp_core.c:1778 pppol2tp_connect+0x48b/0x920 net/l2tp/l2tp_ppp.c:755 __sys_connect_file+0x7a/0xb0 net/socket.c:2089 __sys_connect+0xde/0x110 net/socket.c:2108 __do_sys_connect net/socket.c:2114 [inline] __se_sys_connect net/socket.c:2111 [inline] __x64_sys_connect+0x1c/0x30 net/socket.c:2111 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23072 | https://git.kernel.org/stable/c/5cd158a88eef34e7b100cd9b963873d3b4e41b35 https://git.kernel.org/stable/c/d4ce79e6dce2a4a49eebceea7b4caf5dc0f0ef3d https://git.kernel.org/stable/c/4d10edfd1475b69dbd4c47f34b61a3772ece83ca |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: wifi: rsi: Fix memory corruption due to not set vif driver data size The struct ieee80211_vif contains trailing space for vif driver data, when struct ieee80211_vif is allocated, the total memory size that is allocated is sizeof(struct ieee80211_vif) + size of vif driver data. The size of vif driver data is set by each WiFi driver as needed. The RSI911x driver does not set vif driver data size, no trailing space for vif driver data is therefore allocated past struct ieee80211_vif . The RSI911x driver does however use the vif driver data to store its vif driver data structure “struct vif_priv”. An access to vif->drv_priv leads to access out of struct ieee80211_vif bounds and corruption of some memory. In case of the failure observed locally, rsi_mac80211_add_interface() would write struct vif_priv *vif_info = (struct vif_priv *)vif->drv_priv; vif_info->vap_id = vap_idx. This write corrupts struct fq_tin member struct list_head new_flows . The flow = list_first_entry(head, struct fq_flow, flowchain); in fq_tin_reset() then reports non-NULL bogus address, which when accessed causes a crash. The trigger is very simple, boot the machine with init=/bin/sh , mount devtmpfs, sysfs, procfs, and then do “ip link set wlan0 up”, “sleep 1”, “ip link set wlan0 down” and the crash occurs. Fix this by setting the correct size of vif driver data, which is the size of “struct vif_priv”, so that memory is allocated and the driver can store its driver data in it, instead of corrupting memory around it. | 2026-02-04 | not yet calculated | CVE-2026-23073 | https://git.kernel.org/stable/c/49ef094fdbc3526e5db2aebb404b84f79c5603dc https://git.kernel.org/stable/c/0d7c9e793e351cbbe9e06a9ca47d77b6ad288fb0 https://git.kernel.org/stable/c/7c54d0c3e2cad4300be721ec2aecfcf8a63bc9f4 https://git.kernel.org/stable/c/7761d7801f40e61069b4df3db88b36d80d089f8a https://git.kernel.org/stable/c/99129d80a5d4989ef8566f434f3589f60f28042b https://git.kernel.org/stable/c/31efbcff90884ea5f65bf3d1de01267db51ee3d1 https://git.kernel.org/stable/c/4f431d88ea8093afc7ba55edf4652978c5a68f33 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: Enforce that teql can only be used as root qdisc Design intent of teql is that it is only supposed to be used as root qdisc. We need to check for that constraint. Although not important, I will describe the scenario that unearthed this issue for the curious. GangMin Kim <km.kim1503@gmail.com> managed to concot a scenario as follows: ROOT qdisc 1:0 (QFQ) ├── class 1:1 (weight=15, lmax=16384) netem with delay 6.4s └── class 1:2 (weight=1, lmax=1514) teql GangMin sends a packet which is enqueued to 1:1 (netem). Any invocation of dequeue by QFQ from this class will not return a packet until after 6.4s. In the meantime, a second packet is sent and it lands on 1:2. teql’s enqueue will return success and this will activate class 1:2. Main issue is that teql only updates the parent visible qlen (sch->q.qlen) at dequeue. Since QFQ will only call dequeue if peek succeeds (and teql’s peek always returns NULL), dequeue will never be called and thus the qlen will remain as 0. With that in mind, when GangMin updates 1:2’s lmax value, the qfq_change_class calls qfq_deact_rm_from_agg. Since the child qdisc’s qlen was not incremented, qfq fails to deactivate the class, but still frees its pointers from the aggregate. So when the first packet is rescheduled after 6.4 seconds (netem’s delay), a dangling pointer is accessed causing GangMin’s causing a UAF. | 2026-02-04 | not yet calculated | CVE-2026-23074 | https://git.kernel.org/stable/c/73d970ff0eddd874a84c953387c7f4464b705fc6 https://git.kernel.org/stable/c/ae810e6a8ac4fe25042e6825d2a401207a2e41fb https://git.kernel.org/stable/c/dad49a67c2d817bfec98e6e45121b351e3a0202c https://git.kernel.org/stable/c/0686bedfed34155520f3f735cbf3210cb9044380 https://git.kernel.org/stable/c/4c7e8aa71c9232cba84c289b4b56cba80b280841 https://git.kernel.org/stable/c/16ed73c1282d376b956bff23e5139add061767ba https://git.kernel.org/stable/c/50da4b9d07a7a463e2cfb738f3ad4cff6b2c9c3b |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: esd_usb: esd_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”). In esd_usb_open(), the URBs for USB-in transfers are allocated, added to the dev->rx_submitted anchor and submitted. In the complete callback esd_usb_read_bulk_callback(), the URBs are processed and resubmitted. In esd_usb_close() the URBs are freed by calling usb_kill_anchored_urbs(&dev->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in esd_usb_close(). Fix the memory leak by anchoring the URB in the esd_usb_read_bulk_callback() to the dev->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23075 | https://git.kernel.org/stable/c/93b34d4ba7266030801a509c088ac77c0d7a12e9 https://git.kernel.org/stable/c/dc934d96673992af8568664c1b58e13eb164010d https://git.kernel.org/stable/c/92d26ce07ac3b7a850dc68c8d73d487b39c39b33 https://git.kernel.org/stable/c/adec5e1f9c99fe079ec4c92cca3f1109a3e257c3 https://git.kernel.org/stable/c/9d1807b442fc3286b204f8e59981b10e743533ce https://git.kernel.org/stable/c/a9503ae43256e80db5cba9d449b238607164c51d https://git.kernel.org/stable/c/5a4391bdc6c8357242f62f22069c865b792406b3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: ctxfi: Fix potential OOB access in audio mixer handling In the audio mixer handling code of ctxfi driver, the conf field is used as a kind of loop index, and it’s referred in the index callbacks (amixer_index() and sum_index()). As spotted recently by fuzzers, the current code causes OOB access at those functions. | UBSAN: array-index-out-of-bounds in /build/reproducible-path/linux-6.17.8/sound/pci/ctxfi/ctamixer.c:347:48 | index 8 is out of range for type ‘unsigned char [8]’ After the analysis, the cause was found to be the lack of the proper (re-)initialization of conj field. This patch addresses those OOB accesses by adding the proper initializations of the loop indices. | 2026-02-04 | not yet calculated | CVE-2026-23076 | https://git.kernel.org/stable/c/6524205326e0c1a21263b5c14e48e14ef7e449ae https://git.kernel.org/stable/c/afca7ff5d5d4d63a1acb95461f55ca9a729feedf https://git.kernel.org/stable/c/8c1d09806e1441bc6a54b9a4f2818918046d5174 https://git.kernel.org/stable/c/a8c42d11b0526a89192bd2f79facb4c60c8a1f38 https://git.kernel.org/stable/c/d77ba72558cd66704f0fb7e0969f697e87c0f71c https://git.kernel.org/stable/c/873e2360d247eeee642878fcc3398babff7e387c https://git.kernel.org/stable/c/61006c540cbdedea83b05577dc7fb7fa18fe1276 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge Patch series “mm/vma: fix anon_vma UAF on mremap() faulted, unfaulted merge”, v2. Commit 879bca0a2c4f (“mm/vma: fix incorrectly disallowed anonymous VMA merges”) introduced the ability to merge previously unavailable VMA merge scenarios. However, it is handling merges incorrectly when it comes to mremap() of a faulted VMA adjacent to an unfaulted VMA. The issues arise in three cases: 1. Previous VMA unfaulted: copied —–| v |———–|………….| | unfaulted |(faulted VMA)| |———–|………….| prev 2. Next VMA unfaulted: copied —–| v |………….|———–| |(faulted VMA)| unfaulted | |………….|———–| next 3. Both adjacent VMAs unfaulted: copied —–| v |———–|………….|———–| | unfaulted |(faulted VMA)| unfaulted | |———–|………….|———–| prev next This series fixes each of these cases, and introduces self tests to assert that the issues are corrected. I also test a further case which was already handled, to assert that my changes continues to correctly handle it: 4. prev unfaulted, next faulted: copied —–| v |———–|………….|———–| | unfaulted |(faulted VMA)| faulted | |———–|………….|———–| prev next This bug was discovered via a syzbot report, linked to in the first patch in the series, I confirmed that this series fixes the bug. I also discovered that we are failing to check that the faulted VMA was not forked when merging a copied VMA in cases 1-3 above, an issue this series also addresses. I also added self tests to assert that this is resolved (and confirmed that the tests failed prior to this). I also cleaned up vma_expand() as part of this work, renamed vma_had_uncowed_parents() to vma_is_fork_child() as the previous name was unduly confusing, and simplified the comments around this function. This patch (of 4): Commit 879bca0a2c4f (“mm/vma: fix incorrectly disallowed anonymous VMA merges”) introduced the ability to merge previously unavailable VMA merge scenarios. The key piece of logic introduced was the ability to merge a faulted VMA immediately next to an unfaulted VMA, which relies upon dup_anon_vma() to correctly handle anon_vma state. In the case of the merge of an existing VMA (that is changing properties of a VMA and then merging if those properties are shared by adjacent VMAs), dup_anon_vma() is invoked correctly. However in the case of the merge of a new VMA, a corner case peculiar to mremap() was missed. The issue is that vma_expand() only performs dup_anon_vma() if the target (the VMA that will ultimately become the merged VMA): is not the next VMA, i.e. the one that appears after the range in which the new VMA is to be established. A key insight here is that in all other cases other than mremap(), a new VMA merge either expands an existing VMA, meaning that the target VMA will be that VMA, or would have anon_vma be NULL. Specifically: * __mmap_region() – no anon_vma in place, initial mapping. * do_brk_flags() – expanding an existing VMA. * vma_merge_extend() – expanding an existing VMA. * relocate_vma_down() – no anon_vma in place, initial mapping. In addition, we are in the unique situation of needing to duplicate anon_vma state from a VMA that is neither the previous or next VMA being merged with. dup_anon_vma() deals exclusively with the target=unfaulted, src=faulted case. This leaves four possibilities, in each case where the copied VMA is faulted: 1. Previous VMA unfaulted: copied —–| —truncated— | 2026-02-04 | not yet calculated | CVE-2026-23077 | https://git.kernel.org/stable/c/a4d9dbfc1bab16e25fefd34b5e537a46bed8fc96 https://git.kernel.org/stable/c/61f67c230a5e7c741c352349ea80147fbe65bfae |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: scarlett2: Fix buffer overflow in config retrieval The scarlett2_usb_get_config() function has a logic error in the endianness conversion code that can cause buffer overflows when count > 1. The code checks `if (size == 2)` where `size` is the total buffer size in bytes, then loops `count` times treating each element as u16 (2 bytes). This causes the loop to access `count * 2` bytes when the buffer only has `size` bytes allocated. Fix by checking the element size (config_item->size) instead of the total buffer size. This ensures the endianness conversion matches the actual element type. | 2026-02-04 | not yet calculated | CVE-2026-23078 | https://git.kernel.org/stable/c/d5e80d1f97ae55bcea1426f551e4419245b41b9c https://git.kernel.org/stable/c/51049f6e3f05d70660e2458ad3bb302a3721b751 https://git.kernel.org/stable/c/91a756d22f0482eac5bedb113c8922f90b254449 https://git.kernel.org/stable/c/27049f50be9f5ae3a62d272128ce0b381cb26a24 https://git.kernel.org/stable/c/31a3eba5c265a763260976674a22851e83128f6d https://git.kernel.org/stable/c/6f5c69f72e50d51be3a8c028ae7eda42c82902cb |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gpio: cdev: Fix resource leaks on errors in lineinfo_changed_notify() On error handling paths, lineinfo_changed_notify() doesn’t free the allocated resources which results leaks. Fix it. | 2026-02-04 | not yet calculated | CVE-2026-23079 | https://git.kernel.org/stable/c/16414341b0dd58b650b5df45c79115bc5977bb76 https://git.kernel.org/stable/c/70b3c280533167749a8f740acaa8ef720f78f984 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: mcba_usb: mcba_usb_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”). In mcba_usb_probe() -> mcba_usb_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback mcba_usb_read_bulk_callback(), the URBs are processed and resubmitted. In mcba_usb_close() -> mcba_urb_unlink() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the mcba_usb_read_bulk_callback()to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23080 | https://git.kernel.org/stable/c/8b34c611a4feb81921bc4728c091e4e3ba0270c0 https://git.kernel.org/stable/c/b5a1ccdc63b71d93a69a6b72f7a3f3934293ea60 https://git.kernel.org/stable/c/59153b6388e05609144ad56a9b354e9100a91983 https://git.kernel.org/stable/c/179f6f0cf5ae489743273b7c1644324c0c477ea9 https://git.kernel.org/stable/c/94c9f6f7b953f6382fef4bdc48c046b861b8868f https://git.kernel.org/stable/c/d374d715e338dfc3804aaa006fa6e470ffebb264 https://git.kernel.org/stable/c/710a7529fb13c5a470258ff5508ed3c498d54729 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net: phy: intel-xway: fix OF node refcount leakage Automated review spotted am OF node reference count leakage when checking if the ‘leds’ child node exists. Call of_put_node() to correctly maintain the refcount. | 2026-02-04 | not yet calculated | CVE-2026-23081 | https://git.kernel.org/stable/c/1f24dfd556401b75f78e8d9cbd94dd9f31411c3a https://git.kernel.org/stable/c/79912b256e14054e6ba177d7e7e631485ce23dbe |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: gs_usb: gs_usb_receive_bulk_callback(): unanchor URL on usb_submit_urb() error In commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”), the URB was re-anchored before usb_submit_urb() in gs_usb_receive_bulk_callback() to prevent a leak of this URB during cleanup. However, this patch did not take into account that usb_submit_urb() could fail. The URB remains anchored and usb_kill_anchored_urbs(&parent->rx_submitted) in gs_can_close() loops infinitely since the anchor list never becomes empty. To fix the bug, unanchor the URB when an usb_submit_urb() error occurs, also print an info message. | 2026-02-04 | not yet calculated | CVE-2026-23082 | https://git.kernel.org/stable/c/aa8a8866c533a150be4763bcb27993603bd5426c https://git.kernel.org/stable/c/ce4352057fc5a986c76ece90801b9755e7c6e56c https://git.kernel.org/stable/c/c610b550ccc0438d456dfe1df9f4f36254ccaae3 https://git.kernel.org/stable/c/c3edc14da81a8d8398682f6e4ab819f09f37c0b7 https://git.kernel.org/stable/c/79a6d1bfe1148bc921b8d7f3371a7fbce44e30f7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fou: Don’t allow 0 for FOU_ATTR_IPPROTO. fou_udp_recv() has the same problem mentioned in the previous patch. If FOU_ATTR_IPPROTO is set to 0, skb is not freed by fou_udp_recv() nor “resubmit”-ted in ip_protocol_deliver_rcu(). Let’s forbid 0 for FOU_ATTR_IPPROTO. | 2026-02-04 | not yet calculated | CVE-2026-23083 | https://git.kernel.org/stable/c/c7498f9bc390479ccfad7c7f2332237ff4945b03 https://git.kernel.org/stable/c/611ef4bd9c73d9e6d87bed57a635ff1fdd8c91ea https://git.kernel.org/stable/c/6e983789b7588ee59cbf303583546c043bad8e19 https://git.kernel.org/stable/c/1cc98b8887cabb1808d2f4a37cd10a7be7574771 https://git.kernel.org/stable/c/b7db31a52c3862a1a32202a273a4c32e7f5f4823 https://git.kernel.org/stable/c/9b75dff8446ec871030d8daf5a69e74f5fe8b956 https://git.kernel.org/stable/c/7a9bc9e3f42391e4c187e099263cf7a1c4b69ff5 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: be2net: Fix NULL pointer dereference in be_cmd_get_mac_from_list When the parameter pmac_id_valid argument of be_cmd_get_mac_from_list() is set to false, the driver may request the PMAC_ID from the firmware of the network card, and this function will store that PMAC_ID at the provided address pmac_id. This is the contract of this function. However, there is a location within the driver where both pmac_id_valid == false and pmac_id == NULL are being passed. This could result in dereferencing a NULL pointer. To resolve this issue, it is necessary to pass the address of a stub variable to the function. | 2026-02-04 | not yet calculated | CVE-2026-23084 | https://git.kernel.org/stable/c/4cba480c9b9a3861a515262225cb53a1f5978344 https://git.kernel.org/stable/c/92c6dc181a18e6e0ddb872ed35cb48a9274829e4 https://git.kernel.org/stable/c/6c3e00888dbec887125a08b51a705b9b163fcdd1 https://git.kernel.org/stable/c/e206fb415db36bad52bb90c08d46ce71ffbe8a80 https://git.kernel.org/stable/c/47ffb4dcffe336f4a7bd0f3284be7aadc6484698 https://git.kernel.org/stable/c/31410a01a86bcb98c798d01061abf1f789c4f75a https://git.kernel.org/stable/c/8215794403d264739cc676668087512950b2ff31 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: irqchip/gic-v3-its: Avoid truncating memory addresses On 32-bit machines with CONFIG_ARM_LPAE, it is possible for lowmem allocations to be backed by addresses physical memory above the 32-bit address limit, as found while experimenting with larger VMSPLIT configurations. This caused the qemu virt model to crash in the GICv3 driver, which allocates the ‘itt’ object using GFP_KERNEL. Since all memory below the 4GB physical address limit is in ZONE_DMA in this configuration, kmalloc() defaults to higher addresses for ZONE_NORMAL, and the ITS driver stores the physical address in a 32-bit ‘unsigned long’ variable. Change the itt_addr variable to the correct phys_addr_t type instead, along with all other variables in this driver that hold a physical address. The gicv5 driver correctly uses u64 variables, while all other irqchip drivers don’t call virt_to_phys or similar interfaces. It’s expected that other device drivers have similar issues, but fixing this one is sufficient for booting a virtio based guest. | 2026-02-04 | not yet calculated | CVE-2026-23085 | https://git.kernel.org/stable/c/e332b3b69e5b3acf07204a4b185071bab15c2b88 https://git.kernel.org/stable/c/e2f9c751f73a2d5bb62d94ab030aec118a811f27 https://git.kernel.org/stable/c/85215d633983233809f7d4dad163b953331b8238 https://git.kernel.org/stable/c/1b323391560354d8c515de8658b057a1daa82adb https://git.kernel.org/stable/c/084ba3b99f2dfd991ce7e84fb17117319ec3cd9f https://git.kernel.org/stable/c/03faa61eb4b9ca9aa09bd91d4c3773d8e7b1ac98 https://git.kernel.org/stable/c/8d76a7d89c12d08382b66e2f21f20d0627d14859 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: vsock/virtio: cap TX credit to local buffer size The virtio transports derives its TX credit directly from peer_buf_alloc, which is set from the remote endpoint’s SO_VM_SOCKETS_BUFFER_SIZE value. On the host side this means that the amount of data we are willing to queue for a connection is scaled by a guest-chosen buffer size, rather than the host’s own vsock configuration. A malicious guest can advertise a large buffer and read slowly, causing the host to allocate a correspondingly large amount of sk_buff memory. The same thing would happen in the guest with a malicious host, since virtio transports share the same code base. Introduce a small helper, virtio_transport_tx_buf_size(), that returns min(peer_buf_alloc, buf_alloc), and use it wherever we consume peer_buf_alloc. This ensures the effective TX window is bounded by both the peer’s advertised buffer and our own buf_alloc (already clamped to buffer_max_size via SO_VM_SOCKETS_BUFFER_MAX_SIZE), so a remote peer cannot force the other to queue more data than allowed by its own vsock settings. On an unpatched Ubuntu 22.04 host (~64 GiB RAM), running a PoC with 32 guest vsock connections advertising 2 GiB each and reading slowly drove Slab/SUnreclaim from ~0.5 GiB to ~57 GiB; the system only recovered after killing the QEMU process. That said, if QEMU memory is limited with cgroups, the maximum memory used will be limited. With this patch applied: Before: MemFree: ~61.6 GiB Slab: ~142 MiB SUnreclaim: ~117 MiB After 32 high-credit connections: MemFree: ~61.5 GiB Slab: ~178 MiB SUnreclaim: ~152 MiB Only ~35 MiB increase in Slab/SUnreclaim, no host OOM, and the guest remains responsive. Compatibility with non-virtio transports: – VMCI uses the AF_VSOCK buffer knobs to size its queue pairs per socket based on the local vsk->buffer_* values; the remote side cannot enlarge those queues beyond what the local endpoint configured. – Hyper-V’s vsock transport uses fixed-size VMBus ring buffers and an MTU bound; there is no peer-controlled credit field comparable to peer_buf_alloc, and the remote endpoint cannot drive in-flight kernel memory above those ring sizes. – The loopback path reuses virtio_transport_common.c, so it naturally follows the same semantics as the virtio transport. This change is limited to virtio_transport_common.c and thus affects virtio-vsock, vhost-vsock, and loopback, bringing them in line with the “remote window intersected with local policy” behaviour that VMCI and Hyper-V already effectively have. [Stefano: small adjustments after changing the previous patch] [Stefano: tweak the commit message] | 2026-02-04 | not yet calculated | CVE-2026-23086 | https://git.kernel.org/stable/c/fef7110ae5617555c792a2bb4d27878d84583adf https://git.kernel.org/stable/c/d9d5f222558b42f6277eafaaa6080966faf37676 https://git.kernel.org/stable/c/c0e42fb0e054c2b2ec4ee80f48ccd256ae0227ce https://git.kernel.org/stable/c/84ef86aa7120449828d1e0ce438c499014839711 https://git.kernel.org/stable/c/8ee784fdf006cbe8739cfa093f54d326cbf54037 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: xen: scsiback: Fix potential memory leak in scsiback_remove() Memory allocated for struct vscsiblk_info in scsiback_probe() is not freed in scsiback_remove() leading to potential memory leaks on remove, as well as in the scsiback_probe() error paths. Fix that by freeing it in scsiback_remove(). | 2026-02-04 | not yet calculated | CVE-2026-23087 | https://git.kernel.org/stable/c/a8bb3ec8d85951a56af0a72d93ccbc2aee42eef9 https://git.kernel.org/stable/c/427b0fb30ddec3bad05dcd73b00718f98c7026d2 https://git.kernel.org/stable/c/4a975c72429b050c234405668b742cdecc11548e https://git.kernel.org/stable/c/f86264ec0e2b102fcd49bf3e4f32fee669d482fc https://git.kernel.org/stable/c/32e52b56056daf0f0881fd9254706acf25b4be97 https://git.kernel.org/stable/c/24c441f0e24da175d7912095663f526ac480dc4f https://git.kernel.org/stable/c/901a5f309daba412e2a30364d7ec1492fa11c32c |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: tracing: Fix crash on synthetic stacktrace field usage When creating a synthetic event based on an existing synthetic event that had a stacktrace field and the new synthetic event used that field a kernel crash occurred: ~# cd /sys/kernel/tracing ~# echo ‘s:stack unsigned long stack[];’ > dynamic_events ~# echo ‘hist:keys=prev_pid:s0=common_stacktrace if prev_state & 3’ >> events/sched/sched_switch/trigger ~# echo ‘hist:keys=next_pid:s1=$s0:onmatch(sched.sched_switch).trace(stack,$s1)’ >> events/sched/sched_switch/trigger The above creates a synthetic event that takes a stacktrace when a task schedules out in a non-running state and passes that stacktrace to the sched_switch event when that task schedules back in. It triggers the “stack” synthetic event that has a stacktrace as its field (called “stack”). ~# echo ‘s:syscall_stack s64 id; unsigned long stack[];’ >> dynamic_events ~# echo ‘hist:keys=common_pid:s2=stack’ >> events/synthetic/stack/trigger ~# echo ‘hist:keys=common_pid:s3=$s2,i0=id:onmatch(synthetic.stack).trace(syscall_stack,$i0,$s3)’ >> events/raw_syscalls/sys_exit/trigger The above makes another synthetic event called “syscall_stack” that attaches the first synthetic event (stack) to the sys_exit trace event and records the stacktrace from the stack event with the id of the system call that is exiting. When enabling this event (or using it in a historgram): ~# echo 1 > events/synthetic/syscall_stack/enable Produces a kernel crash! BUG: unable to handle page fault for address: 0000000000400010 #PF: supervisor read access in kernel mode #PF: error_code(0x0000) – not-present page PGD 0 P4D 0 Oops: Oops: 0000 [#1] SMP PTI CPU: 6 UID: 0 PID: 1257 Comm: bash Not tainted 6.16.3+deb14-amd64 #1 PREEMPT(lazy) Debian 6.16.3-1 Hardware name: QEMU Standard PC (Q35 + ICH9, 2009), BIOS 1.17.0-debian-1.17.0-1 04/01/2014 RIP: 0010:trace_event_raw_event_synth+0x90/0x380 Code: c5 00 00 00 00 85 d2 0f 84 e1 00 00 00 31 db eb 34 0f 1f 00 66 66 2e 0f 1f 84 00 00 00 00 00 66 66 2e 0f 1f 84 00 00 00 00 00 <49> 8b 04 24 48 83 c3 01 8d 0c c5 08 00 00 00 01 cd 41 3b 5d 40 0f RSP: 0018:ffffd2670388f958 EFLAGS: 00010202 RAX: ffff8ba1065cc100 RBX: 0000000000000000 RCX: 0000000000000000 RDX: 0000000000000001 RSI: fffff266ffda7b90 RDI: ffffd2670388f9b0 RBP: 0000000000000010 R08: ffff8ba104e76000 R09: ffffd2670388fa50 R10: ffff8ba102dd42e0 R11: ffffffff9a908970 R12: 0000000000400010 R13: ffff8ba10a246400 R14: ffff8ba10a710220 R15: fffff266ffda7b90 FS: 00007fa3bc63f740(0000) GS:ffff8ba2e0f48000(0000) knlGS:0000000000000000 CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033 CR2: 0000000000400010 CR3: 0000000107f9e003 CR4: 0000000000172ef0 Call Trace: <TASK> ? __tracing_map_insert+0x208/0x3a0 action_trace+0x67/0x70 event_hist_trigger+0x633/0x6d0 event_triggers_call+0x82/0x130 trace_event_buffer_commit+0x19d/0x250 trace_event_raw_event_sys_exit+0x62/0xb0 syscall_exit_work+0x9d/0x140 do_syscall_64+0x20a/0x2f0 ? trace_event_raw_event_sched_switch+0x12b/0x170 ? save_fpregs_to_fpstate+0x3e/0x90 ? _raw_spin_unlock+0xe/0x30 ? finish_task_switch.isra.0+0x97/0x2c0 ? __rseq_handle_notify_resume+0xad/0x4c0 ? __schedule+0x4b8/0xd00 ? restore_fpregs_from_fpstate+0x3c/0x90 ? switch_fpu_return+0x5b/0xe0 ? do_syscall_64+0x1ef/0x2f0 ? do_fault+0x2e9/0x540 ? __handle_mm_fault+0x7d1/0xf70 ? count_memcg_events+0x167/0x1d0 ? handle_mm_fault+0x1d7/0x2e0 ? do_user_addr_fault+0x2c3/0x7f0 entry_SYSCALL_64_after_hwframe+0x76/0x7e The reason is that the stacktrace field is not labeled as such, and is treated as a normal field and not as a dynamic event that it is. In trace_event_raw_event_synth() the event is field is still treated as a dynamic array, but the retrieval of the data is considered a normal field, and the reference is just the meta data: // Meta data is retrieved instead of a dynamic array —truncated— | 2026-02-04 | not yet calculated | CVE-2026-23088 | https://git.kernel.org/stable/c/98ecbfb2598c9c7ca755a29f402da9d36c057077 https://git.kernel.org/stable/c/327af07dff6ab5650b21491eb4f69694999ff3d1 https://git.kernel.org/stable/c/3b90d099efa2b67239bd3b3dc3521ec584261748 https://git.kernel.org/stable/c/90f9f5d64cae4e72defd96a2a22760173cb3c9ec |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ALSA: usb-audio: Fix use-after-free in snd_usb_mixer_free() When snd_usb_create_mixer() fails, snd_usb_mixer_free() frees mixer->id_elems but the controls already added to the card still reference the freed memory. Later when snd_card_register() runs, the OSS mixer layer calls their callbacks and hits a use-after-free read. Call trace: get_ctl_value+0x63f/0x820 sound/usb/mixer.c:411 get_min_max_with_quirks.isra.0+0x240/0x1f40 sound/usb/mixer.c:1241 mixer_ctl_feature_info+0x26b/0x490 sound/usb/mixer.c:1381 snd_mixer_oss_build_test+0x174/0x3a0 sound/core/oss/mixer_oss.c:887 … snd_card_register+0x4ed/0x6d0 sound/core/init.c:923 usb_audio_probe+0x5ef/0x2a90 sound/usb/card.c:1025 Fix by calling snd_ctl_remove() for all mixer controls before freeing id_elems. We save the next pointer first because snd_ctl_remove() frees the current element. | 2026-02-04 | not yet calculated | CVE-2026-23089 | https://git.kernel.org/stable/c/51b1aa6fe7dc87356ba58df06afb9677c9b841ea https://git.kernel.org/stable/c/56fb6efd5d04caf6f14994d51ec85393b9a896c6 https://git.kernel.org/stable/c/7009daeefa945973a530b2f605fe445fc03747af https://git.kernel.org/stable/c/7bff0156d13f0ad9436e5178b979b063d59f572a https://git.kernel.org/stable/c/e6f103a22b08daf5df2f4aa158081840e5910963 https://git.kernel.org/stable/c/dc1a5dd80af1ee1f29d8375b12dd7625f6294dad https://git.kernel.org/stable/c/930e69757b74c3ae083b0c3c7419bfe7f0edc7b2 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: slimbus: core: fix device reference leak on report present Slimbus devices can be allocated dynamically upon reception of report-present messages. Make sure to drop the reference taken when looking up already registered devices. Note that this requires taking an extra reference in case the device has not yet been registered and has to be allocated. | 2026-02-04 | not yet calculated | CVE-2026-23090 | https://git.kernel.org/stable/c/b1217e40705b2f6d311c197b12866752656217ff https://git.kernel.org/stable/c/948615429c9f2ac9d25d4e1f1a4472926b217a9a https://git.kernel.org/stable/c/02b78bbfbafe49832e508079148cb87cdfa55825 https://git.kernel.org/stable/c/2ddc09f6a0a221b1d91a7cbc8cc2cefdbd334fe6 https://git.kernel.org/stable/c/54de72a7aabc0749938d7a2833a0c1a5d3ed7ac9 https://git.kernel.org/stable/c/6602bb4d1338e92b5838e50322b87697bdbd2ee0 https://git.kernel.org/stable/c/9391380eb91ea5ac792aae9273535c8da5b9aa01 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: intel_th: fix device leak on output open() Make sure to drop the reference taken when looking up the th device during output device open() on errors and on close(). Note that a recent commit fixed the leak in a couple of open() error paths but not all of them, and the reference is still leaking on successful open(). | 2026-02-04 | not yet calculated | CVE-2026-23091 | https://git.kernel.org/stable/c/af4b9467296b9a16ebc008147238070236982b6d https://git.kernel.org/stable/c/64015cbf06e8bb75b81ae95b997e847b55280f7f https://git.kernel.org/stable/c/b71e64ef7ff9443835d1333e3e80ab1e49e5209f https://git.kernel.org/stable/c/bf7785434b5d05d940d936b78925080950bd54dd https://git.kernel.org/stable/c/0fca16c5591534cc1fec8b6181277ee3a3d0f26c https://git.kernel.org/stable/c/f9b059bda4276f2bb72cb98ec7875a747f042ea2 https://git.kernel.org/stable/c/95fc36a234da24bbc5f476f8104a5a15f99ed3e3 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: iio: dac: ad3552r-hs: fix out-of-bound write in ad3552r_hs_write_data_source When simple_write_to_buffer() succeeds, it returns the number of bytes actually copied to the buffer. The code incorrectly uses ‘count’ as the index for null termination instead of the actual bytes copied. If count exceeds the buffer size, this leads to out-of-bounds write. Add a check for the count and use the return value as the index. The bug was validated using a demo module that mirrors the original code and was tested under QEMU. Pattern of the bug: – A fixed 64-byte stack buffer is filled using count. – If count > 64, the code still does buf[count] = ‘�’, causing an – out-of-bounds write on the stack. Steps for reproduce: – Opens the device node. – Writes 128 bytes of A to it. – This overflows the 64-byte stack buffer and KASAN reports the OOB. Found via static analysis. This is similar to the commit da9374819eb3 (“iio: backend: fix out-of-bound write”) | 2026-02-04 | not yet calculated | CVE-2026-23092 | https://git.kernel.org/stable/c/db16e7c52032c79156930a337ee17232931794ba https://git.kernel.org/stable/c/978d28136c53df38f8f0b747191930e2f95e9084 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ksmbd: smbd: fix dma_unmap_sg() nents The dma_unmap_sg() functions should be called with the same nents as the dma_map_sg(), not the value the map function returned. | 2026-02-04 | not yet calculated | CVE-2026-23093 | https://git.kernel.org/stable/c/f569f5b8bfd5133defdf9c7f8a72c63aa11f54ec https://git.kernel.org/stable/c/6ececffd3e9fe93a87738625dc0671165d27bf96 https://git.kernel.org/stable/c/4d1e9a4a450aae47277763562122cc80ed703ab2 https://git.kernel.org/stable/c/70ba85e439221a5d6dda34a3004db6640f0525e6 https://git.kernel.org/stable/c/d1943bc9dc9508f5933788a76f8a35d10e43a646 https://git.kernel.org/stable/c/98e3e2b561bc88f4dd218d1c05890672874692f6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix isolate sysfs check condition uacce supports the device isolation feature. If the driver implements the isolate_err_threshold_read and isolate_err_threshold_write callback functions, uacce will create sysfs files now. Users can read and configure the isolation policy through sysfs. Currently, sysfs files are created as long as either isolate_err_threshold_read or isolate_err_threshold_write callback functions are present. However, accessing a non-existent callback function may cause the system to crash. Therefore, intercept the creation of sysfs if neither read nor write exists; create sysfs if either is supported, but intercept unsupported operations at the call site. | 2026-02-04 | not yet calculated | CVE-2026-23094 | https://git.kernel.org/stable/c/9ab05cdcac354b1b1139918f49c6418b9005d042 https://git.kernel.org/stable/c/fdbbb47d15ae17bf39fafec7e2028c1f8efba15e https://git.kernel.org/stable/c/82821a681d5dcce31475a65190fc39ea8f372cc0 https://git.kernel.org/stable/c/98eec349259b1fd876f350b1c600403bcef8f85d |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: gue: Fix skb memleak with inner IP protocol 0. syzbot reported skb memleak below. [0] The repro generated a GUE packet with its inner protocol 0. gue_udp_recv() returns -guehdr->proto_ctype for “resubmit” in ip_protocol_deliver_rcu(), but this only works with non-zero protocol number. Let’s drop such packets. Note that 0 is a valid number (IPv6 Hop-by-Hop Option). I think it is not practical to encap HOPOPT in GUE, so once someone starts to complain, we could pass down a resubmit flag pointer to distinguish two zeros from the upper layer: * no error * resubmit HOPOPT [0] BUG: memory leak unreferenced object 0xffff888109695a00 (size 240): comm “syz.0.17”, pid 6088, jiffies 4294943096 hex dump (first 32 bytes): 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ……………. 00 40 c2 10 81 88 ff ff 00 00 00 00 00 00 00 00 .@………….. backtrace (crc a84b336f): kmemleak_alloc_recursive include/linux/kmemleak.h:44 [inline] slab_post_alloc_hook mm/slub.c:4958 [inline] slab_alloc_node mm/slub.c:5263 [inline] kmem_cache_alloc_noprof+0x3b4/0x590 mm/slub.c:5270 __build_skb+0x23/0x60 net/core/skbuff.c:474 build_skb+0x20/0x190 net/core/skbuff.c:490 __tun_build_skb drivers/net/tun.c:1541 [inline] tun_build_skb+0x4a1/0xa40 drivers/net/tun.c:1636 tun_get_user+0xc12/0x2030 drivers/net/tun.c:1770 tun_chr_write_iter+0x71/0x120 drivers/net/tun.c:1999 new_sync_write fs/read_write.c:593 [inline] vfs_write+0x45d/0x710 fs/read_write.c:686 ksys_write+0xa7/0x170 fs/read_write.c:738 do_syscall_x64 arch/x86/entry/syscall_64.c:63 [inline] do_syscall_64+0xa4/0xf80 arch/x86/entry/syscall_64.c:94 entry_SYSCALL_64_after_hwframe+0x77/0x7f | 2026-02-04 | not yet calculated | CVE-2026-23095 | https://git.kernel.org/stable/c/886f186328b718400dbf79e1bc8cbcbd710ab766 https://git.kernel.org/stable/c/380a82d36e37db49fd41ecc378c22fd29392e96a https://git.kernel.org/stable/c/536f5bbc322eb1e175bdd1ced22b236a951c4d8f https://git.kernel.org/stable/c/f87b9b7a618c82e7465e872eb10e14c803871892 https://git.kernel.org/stable/c/ce569b389a5c78d64788a5ea94560e17fa574b35 https://git.kernel.org/stable/c/5437a279804ced8088cabb945dba88a26d828f8c https://git.kernel.org/stable/c/9a56796ad258786d3624eef5aefba394fc9bdded |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: uacce: fix cdev handling in the cleanup path When cdev_device_add fails, it internally releases the cdev memory, and if cdev_device_del is then executed, it will cause a hang error. To fix it, we check the return value of cdev_device_add() and clear uacce->cdev to avoid calling cdev_device_del in the uacce_remove. | 2026-02-04 | not yet calculated | CVE-2026-23096 | https://git.kernel.org/stable/c/c94c7188d325bc5137d447d67a2f18f7d4f2f4a3 https://git.kernel.org/stable/c/1bc3e51367c420e6db31f41efa874c7a8e12194a https://git.kernel.org/stable/c/819d647406200d0e83e56fd2df8f451b11290559 https://git.kernel.org/stable/c/d9031575a2f8aabc53af3025dd79af313a2e046b https://git.kernel.org/stable/c/98d67a1bd6caddd0a8b8c82a0b925742cf500936 https://git.kernel.org/stable/c/bd2393ed7712513e7e2dbcb6e21464a67ff9e702 https://git.kernel.org/stable/c/a3bece3678f6c88db1f44c602b2a63e84b4040ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: migrate: correct lock ordering for hugetlb file folios Syzbot has found a deadlock (analyzed by Lance Yang): 1) Task (5749): Holds folio_lock, then tries to acquire i_mmap_rwsem(read lock). 2) Task (5754): Holds i_mmap_rwsem(write lock), then tries to acquire folio_lock. migrate_pages() -> migrate_hugetlbs() -> unmap_and_move_huge_page() <- Takes folio_lock! -> remove_migration_ptes() -> __rmap_walk_file() -> i_mmap_lock_read() <- Waits for i_mmap_rwsem(read lock)! hugetlbfs_fallocate() -> hugetlbfs_punch_hole() <- Takes i_mmap_rwsem(write lock)! -> hugetlbfs_zero_partial_page() -> filemap_lock_hugetlb_folio() -> filemap_lock_folio() -> __filemap_get_folio <- Waits for folio_lock! The migration path is the one taking locks in the wrong order according to the documentation at the top of mm/rmap.c. So expand the scope of the existing i_mmap_lock to cover the calls to remove_migration_ptes() too. This is (mostly) how it used to be after commit c0d0381ade79. That was removed by 336bf30eb765 for both file & anon hugetlb pages when it should only have been removed for anon hugetlb pages. | 2026-02-04 | not yet calculated | CVE-2026-23097 | https://git.kernel.org/stable/c/e7396d23f9d5739f56cf9ab430c3a169f5508394 https://git.kernel.org/stable/c/ad97b9a55246eb940a26ac977f80892a395cabf9 https://git.kernel.org/stable/c/5edb9854f8df5428b40990a1c7d60507da5bd330 https://git.kernel.org/stable/c/526394af4e8ade89cacd1a9ce2b97712712fcc34 https://git.kernel.org/stable/c/b75070823b89009f5123fd0e05a8e0c3d39937c1 https://git.kernel.org/stable/c/1b68efce6dd483d22f50d0d3800c4cfda14b1305 https://git.kernel.org/stable/c/b7880cb166ab62c2409046b2347261abf701530e |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: netrom: fix double-free in nr_route_frame() In nr_route_frame(), old_skb is immediately freed without checking if nr_neigh->ax25 pointer is NULL. Therefore, if nr_neigh->ax25 is NULL, the caller function will free old_skb again, causing a double-free bug. Therefore, to prevent this, we need to modify it to check whether nr_neigh->ax25 is NULL before freeing old_skb. | 2026-02-04 | not yet calculated | CVE-2026-23098 | https://git.kernel.org/stable/c/25aab6bfc31017a7e52035b99aef5c2b6bde8ffb https://git.kernel.org/stable/c/6e0110ea90313b7c0558a0b77038274a6821caf8 https://git.kernel.org/stable/c/7c48fdf2d1349bb54815b56fb012b9d577707708 https://git.kernel.org/stable/c/bd8955337e3764f912f49b360e176d8aaecf7016 https://git.kernel.org/stable/c/94d1a8bd08af1f4cc345c5c29f5db1ea72b8bb8c https://git.kernel.org/stable/c/9f5fa78d9980fe75a69835521627ab7943cb3d67 https://git.kernel.org/stable/c/ba1096c315283ee3292765f6aea4cca15816c4f7 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: bonding: limit BOND_MODE_8023AD to Ethernet devices BOND_MODE_8023AD makes sense for ARPHRD_ETHER only. syzbot reported: BUG: KASAN: global-out-of-bounds in __hw_addr_create net/core/dev_addr_lists.c:63 [inline] BUG: KASAN: global-out-of-bounds in __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 Read of size 16 at addr ffffffff8bf94040 by task syz.1.3580/19497 CPU: 1 UID: 0 PID: 19497 Comm: syz.1.3580 Tainted: G L syzkaller #0 PREEMPT(full) Tainted: [L]=SOFTLOCKUP Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 10/25/2025 Call Trace: <TASK> dump_stack_lvl+0xe8/0x150 lib/dump_stack.c:120 print_address_description mm/kasan/report.c:378 [inline] print_report+0xca/0x240 mm/kasan/report.c:482 kasan_report+0x118/0x150 mm/kasan/report.c:595 check_region_inline mm/kasan/generic.c:-1 [inline] kasan_check_range+0x2b0/0x2c0 mm/kasan/generic.c:200 __asan_memcpy+0x29/0x70 mm/kasan/shadow.c:105 __hw_addr_create net/core/dev_addr_lists.c:63 [inline] __hw_addr_add_ex+0x25d/0x760 net/core/dev_addr_lists.c:118 __dev_mc_add net/core/dev_addr_lists.c:868 [inline] dev_mc_add+0xa1/0x120 net/core/dev_addr_lists.c:886 bond_enslave+0x2b8b/0x3ac0 drivers/net/bonding/bond_main.c:2180 do_set_master+0x533/0x6d0 net/core/rtnetlink.c:2963 do_setlink+0xcf0/0x41c0 net/core/rtnetlink.c:3165 rtnl_changelink net/core/rtnetlink.c:3776 [inline] __rtnl_newlink net/core/rtnetlink.c:3935 [inline] rtnl_newlink+0x161c/0x1c90 net/core/rtnetlink.c:4072 rtnetlink_rcv_msg+0x7cf/0xb70 net/core/rtnetlink.c:6958 netlink_rcv_skb+0x208/0x470 net/netlink/af_netlink.c:2550 netlink_unicast_kernel net/netlink/af_netlink.c:1318 [inline] netlink_unicast+0x82f/0x9e0 net/netlink/af_netlink.c:1344 netlink_sendmsg+0x805/0xb30 net/netlink/af_netlink.c:1894 sock_sendmsg_nosec net/socket.c:727 [inline] __sock_sendmsg+0x21c/0x270 net/socket.c:742 ____sys_sendmsg+0x505/0x820 net/socket.c:2592 ___sys_sendmsg+0x21f/0x2a0 net/socket.c:2646 __sys_sendmsg+0x164/0x220 net/socket.c:2678 do_syscall_32_irqs_on arch/x86/entry/syscall_32.c:83 [inline] __do_fast_syscall_32+0x1dc/0x560 arch/x86/entry/syscall_32.c:307 do_fast_syscall_32+0x34/0x80 arch/x86/entry/syscall_32.c:332 entry_SYSENTER_compat_after_hwframe+0x84/0x8e </TASK> The buggy address belongs to the variable: lacpdu_mcast_addr+0x0/0x40 | 2026-02-04 | not yet calculated | CVE-2026-23099 | https://git.kernel.org/stable/c/72925dbb0c8c7b16bf922e93c6cc03cbd8c955c4 https://git.kernel.org/stable/c/5063b2cd9b27d35ab788d707d7858ded0acc8f1d https://git.kernel.org/stable/c/80c881e53a4fa0a80fa4bef7bc0ead0e8e88940d https://git.kernel.org/stable/c/ef68afb1bee8d35a18896c27d7358079353d8d8a https://git.kernel.org/stable/c/43dee6f7ef1d228821de1b61c292af3744c8d7da https://git.kernel.org/stable/c/c84fcb79e5dbde0b8d5aeeaf04282d2149aebcf6 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: mm/hugetlb: fix hugetlb_pmd_shared() Patch series “mm/hugetlb: fixes for PMD table sharing (incl. using mmu_gather)”, v3. One functional fix, one performance regression fix, and two related comment fixes. I cleaned up my prototype I recently shared [1] for the performance fix, deferring most of the cleanups I had in the prototype to a later point. While doing that I identified the other things. The goal of this patch set is to be backported to stable trees “fairly” easily. At least patch #1 and #4. Patch #1 fixes hugetlb_pmd_shared() not detecting any sharing Patch #2 + #3 are simple comment fixes that patch #4 interacts with. Patch #4 is a fix for the reported performance regression due to excessive IPI broadcasts during fork()+exit(). The last patch is all about TLB flushes, IPIs and mmu_gather. Read: complicated There are plenty of cleanups in the future to be had + one reasonable optimization on x86. But that’s all out of scope for this series. Runtime tested, with a focus on fixing the performance regression using the original reproducer [2] on x86. This patch (of 4): We switched from (wrongly) using the page count to an independent shared count. Now, shared page tables have a refcount of 1 (excluding speculative references) and instead use ptdesc->pt_share_count to identify sharing. We didn’t convert hugetlb_pmd_shared(), so right now, we would never detect a shared PMD table as such, because sharing/unsharing no longer touches the refcount of a PMD table. Page migration, like mbind() or migrate_pages() would allow for migrating folios mapped into such shared PMD tables, even though the folios are not exclusive. In smaps we would account them as “private” although they are “shared”, and we would be wrongly setting the PM_MMAP_EXCLUSIVE in the pagemap interface. Fix it by properly using ptdesc_pmd_is_shared() in hugetlb_pmd_shared(). | 2026-02-04 | not yet calculated | CVE-2026-23100 | https://git.kernel.org/stable/c/69c4e241ff13545d410a8b2a688c932182a858bf https://git.kernel.org/stable/c/ca1a47cd3f5f4c46ca188b1c9a27af87d1ab2216 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: leds: led-class: Only Add LED to leds_list when it is fully ready Before this change the LED was added to leds_list before led_init_core() gets called adding it the list before led_classdev.set_brightness_work gets initialized. This leaves a window where led_trigger_register() of a LED’s default trigger will call led_trigger_set() which calls led_set_brightness() which in turn will end up queueing the *uninitialized* led_classdev.set_brightness_work. This race gets hit by the lenovo-thinkpad-t14s EC driver which registers 2 LEDs with a default trigger provided by snd_ctl_led.ko in quick succession. The first led_classdev_register() causes an async modprobe of snd_ctl_led to run and that async modprobe manages to exactly hit the window where the second LED is on the leds_list without led_init_core() being called for it, resulting in: ————[ cut here ]———— WARNING: CPU: 11 PID: 5608 at kernel/workqueue.c:4234 __flush_work+0x344/0x390 Hardware name: LENOVO 21N2S01F0B/21N2S01F0B, BIOS N42ET93W (2.23 ) 09/01/2025 … Call trace: __flush_work+0x344/0x390 (P) flush_work+0x2c/0x50 led_trigger_set+0x1c8/0x340 led_trigger_register+0x17c/0x1c0 led_trigger_register_simple+0x84/0xe8 snd_ctl_led_init+0x40/0xf88 [snd_ctl_led] do_one_initcall+0x5c/0x318 do_init_module+0x9c/0x2b8 load_module+0x7e0/0x998 Close the race window by moving the adding of the LED to leds_list to after the led_init_core() call. | 2026-02-04 | not yet calculated | CVE-2026-23101 | https://git.kernel.org/stable/c/f7a6df659af777058833802c29b3b7974db5e78a https://git.kernel.org/stable/c/d117fdcb21b05c0e0460261d017b92303cd9ba77 https://git.kernel.org/stable/c/e90c861411fc84629a240384b0a72830539d3386 https://git.kernel.org/stable/c/2757f7748ce2d0fa44112024907bafb37e104d6e https://git.kernel.org/stable/c/da565bf98c9ad0eabcb09fc97859e0b52f98b7c3 https://git.kernel.org/stable/c/78822628165f3d817382f67f91129161159ca234 https://git.kernel.org/stable/c/d1883cefd31752f0504b94c3bcfa1f6d511d6e87 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Fix restoration of SVE context When SME is supported, Restoring SVE signal context can go wrong in a few ways, including placing the task into an invalid state where the kernel may read from out-of-bounds memory (and may potentially take a fatal fault) and/or may kill the task with a SIGKILL. (1) Restoring a context with SVE_SIG_FLAG_SM set can place the task into an invalid state where SVCR.SM is set (and sve_state is non-NULL) but TIF_SME is clear, consequently resuting in out-of-bounds memory reads and/or killing the task with SIGKILL. This can only occur in unusual (but legitimate) cases where the SVE signal context has either been modified by userspace or was saved in the context of another task (e.g. as with CRIU), as otherwise the presence of an SVE signal context with SVE_SIG_FLAG_SM implies that TIF_SME is already set. While in this state, task_fpsimd_load() will NOT configure SMCR_ELx (leaving some arbitrary value configured in hardware) before restoring SVCR and attempting to restore the streaming mode SVE registers from memory via sve_load_state(). As the value of SMCR_ELx.LEN may be larger than the task’s streaming SVE vector length, this may read memory outside of the task’s allocated sve_state, reading unrelated data and/or triggering a fault. While this can result in secrets being loaded into streaming SVE registers, these values are never exposed. As TIF_SME is clear, fpsimd_bind_task_to_cpu() will configure CPACR_ELx.SMEN to trap EL0 accesses to streaming mode SVE registers, so these cannot be accessed directly at EL0. As fpsimd_save_user_state() verifies the live vector length before saving (S)SVE state to memory, no secret values can be saved back to memory (and hence cannot be observed via ptrace, signals, etc). When the live vector length doesn’t match the expected vector length for the task, fpsimd_save_user_state() will send a fatal SIGKILL signal to the task. Hence the task may be killed after executing userspace for some period of time. (2) Restoring a context with SVE_SIG_FLAG_SM clear does not clear the task’s SVCR.SM. If SVCR.SM was set prior to restoring the context, then the task will be left in streaming mode unexpectedly, and some register state will be combined inconsistently, though the task will be left in legitimate state from the kernel’s PoV. This can only occur in unusual (but legitimate) cases where ptrace has been used to set SVCR.SM after entry to the sigreturn syscall, as syscall entry clears SVCR.SM. In these cases, the the provided SVE register data will be loaded into the task’s sve_state using the non-streaming SVE vector length and the FPSIMD registers will be merged into this using the streaming SVE vector length. Fix (1) by setting TIF_SME when setting SVCR.SM. This also requires ensuring that the task’s sme_state has been allocated, but as this could contain live ZA state, it should not be zeroed. Fix (2) by clearing SVCR.SM when restoring a SVE signal context with SVE_SIG_FLAG_SM clear. For consistency, I’ve pulled the manipulation of SVCR, TIF_SVE, TIF_SME, and fp_type earlier, immediately after the allocation of sve_state/sme_state, before the restore of the actual register state. This makes it easier to ensure that these are always modified consistently, even if a fault is taken while reading the register data from the signal context. I do not expect any software to depend on the exact state restored when a fault is taken while reading the context. | 2026-02-04 | not yet calculated | CVE-2026-23102 | https://git.kernel.org/stable/c/9bc3adba8c35119be80ab20217027720446742f2 https://git.kernel.org/stable/c/ce820dd4e6e2d711242dc4331713b9bb4fe06d09 https://git.kernel.org/stable/c/7b5a52cf252a0d2e89787b645290ad288878f332 https://git.kernel.org/stable/c/d2907cbe9ea0a54cbe078076f9d089240ee1e2d9 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ipvlan: Make the addrs_lock be per port Make the addrs_lock be per port, not per ipvlan dev. Initial code seems to be written in the assumption, that any address change must occur under RTNL. But it is not so for the case of IPv6. So 1) Introduce per-port addrs_lock. 2) It was needed to fix places where it was forgotten to take lock (ipvlan_open/ipvlan_close) This appears to be a very minor problem though. Since it’s highly unlikely that ipvlan_add_addr() will be called on 2 CPU simultaneously. But nevertheless, this could cause: 1) False-negative of ipvlan_addr_busy(): one interface iterated through all port->ipvlans + ipvlan->addrs under some ipvlan spinlock, and another added IP under its own lock. Though this is only possible for IPv6, since looks like only ipvlan_addr6_event() can be called without rtnl_lock. 2) Race since ipvlan_ht_addr_add(port) is called under different ipvlan->addrs_lock locks This should not affect performance, since add/remove IP is a rare situation and spinlock is not taken on fast paths. | 2026-02-04 | not yet calculated | CVE-2026-23103 | https://git.kernel.org/stable/c/3c149b662cbb202a450e81f938e702ba333864ad https://git.kernel.org/stable/c/70feb16e3fbfb10b15de1396557c38e99f1ab8df https://git.kernel.org/stable/c/88f83e6c9cdb46b8c8ddd0ba01393362963cf589 https://git.kernel.org/stable/c/04ba6de6eff61238e5397c14ac26a6578c7735a5 https://git.kernel.org/stable/c/1f300c10d92c547c3a7d978e1212ff52f18256ed https://git.kernel.org/stable/c/6a81e2db096913d7e43aada1c350c1282e76db39 https://git.kernel.org/stable/c/d3ba32162488283c0a4c5bedd8817aec91748802 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: ice: fix devlink reload call trace Commit 4da71a77fc3b (“ice: read internal temperature sensor”) introduced internal temperature sensor reading via HWMON. ice_hwmon_init() was added to ice_init_feature() and ice_hwmon_exit() was added to ice_remove(). As a result if devlink reload is used to reinit the device and then the driver is removed, a call trace can occur. BUG: unable to handle page fault for address: ffffffffc0fd4b5d Call Trace: string+0x48/0xe0 vsnprintf+0x1f9/0x650 sprintf+0x62/0x80 name_show+0x1f/0x30 dev_attr_show+0x19/0x60 The call trace repeats approximately every 10 minutes when system monitoring tools (e.g., sadc) attempt to read the orphaned hwmon sysfs attributes that reference freed module memory. The sequence is: 1. Driver load, ice_hwmon_init() gets called from ice_init_feature() 2. Devlink reload down, flow does not call ice_remove() 3. Devlink reload up, ice_hwmon_init() gets called from ice_init_feature() resulting in a second instance 4. Driver unload, ice_hwmon_exit() called from ice_remove() leaving the first hwmon instance orphaned with dangling pointer Fix this by moving ice_hwmon_exit() from ice_remove() to ice_deinit_features() to ensure proper cleanup symmetry with ice_hwmon_init(). | 2026-02-04 | not yet calculated | CVE-2026-23104 | https://git.kernel.org/stable/c/87c1dacca197cc64e06fedeb269e3dd6699bae60 https://git.kernel.org/stable/c/d3f867e7a04678640ebcbfb81893c59f4af48586 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: net/sched: qfq: Use cl_is_active to determine whether class is active in qfq_rm_from_ag This is more of a preventive patch to make the code more consistent and to prevent possible exploits that employ child qlen manipulations on qfq. use cl_is_active instead of relying on the child qdisc’s qlen to determine class activation. | 2026-02-04 | not yet calculated | CVE-2026-23105 | https://git.kernel.org/stable/c/fac2c67bb2bb732eae4283e45fc338af7e08c254 https://git.kernel.org/stable/c/b8c24cf5268fb3bfb8d16324c3dbb985f698c835 https://git.kernel.org/stable/c/f27047abf7cac1b6f90c3ad60de21ef9f717c26d https://git.kernel.org/stable/c/93b8635974fb050c43d07e35e5edfe6e685ca28a https://git.kernel.org/stable/c/abd9fc26ea577561a5ef6241a1b058755ffdad0c https://git.kernel.org/stable/c/77f1afd0bb4d5da95236f6114e6d0dfcde187ff6 https://git.kernel.org/stable/c/d837fbee92453fbb829f950c8e7cf76207d73f33 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: timekeeping: Adjust the leap state for the correct auxiliary timekeeper When __do_ajdtimex() was introduced to handle adjtimex for any timekeeper, this reference to tk_core was not updated. When called on an auxiliary timekeeper, the core timekeeper would be updated incorrectly. This gets caught by the lock debugging diagnostics because the timekeepers sequence lock gets written to without holding its associated spinlock: WARNING: include/linux/seqlock.h:226 at __do_adjtimex+0x394/0x3b0, CPU#2: test/125 aux_clock_adj (kernel/time/timekeeping.c:2979) __do_sys_clock_adjtime (kernel/time/posix-timers.c:1161 kernel/time/posix-timers.c:1173) do_syscall_64 (arch/x86/entry/syscall_64.c:63 (discriminator 1) arch/x86/entry/syscall_64.c:94 (discriminator 1)) entry_SYSCALL_64_after_hwframe (arch/x86/entry/entry_64.S:131) Update the correct auxiliary timekeeper. | 2026-02-04 | not yet calculated | CVE-2026-23106 | https://git.kernel.org/stable/c/8f7c9dbeaa0be5810e44d323735967d3dba9239d https://git.kernel.org/stable/c/e806f7dde8ba28bc72a7a0898589cac79f6362ac |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: arm64/fpsimd: signal: Allocate SSVE storage when restoring ZA The code to restore a ZA context doesn’t attempt to allocate the task’s sve_state before setting TIF_SME. Consequently, restoring a ZA context can place a task into an invalid state where TIF_SME is set but the task’s sve_state is NULL. In legitimate but uncommon cases where the ZA signal context was NOT created by the kernel in the context of the same task (e.g. if the task is saved/restored with something like CRIU), we have no guarantee that sve_state had been allocated previously. In these cases, userspace can enter streaming mode without trapping while sve_state is NULL, causing a later NULL pointer dereference when the kernel attempts to store the register state: | # ./sigreturn-za | Unable to handle kernel NULL pointer dereference at virtual address 0000000000000000 | Mem abort info: | ESR = 0x0000000096000046 | EC = 0x25: DABT (current EL), IL = 32 bits | SET = 0, FnV = 0 | EA = 0, S1PTW = 0 | FSC = 0x06: level 2 translation fault | Data abort info: | ISV = 0, ISS = 0x00000046, ISS2 = 0x00000000 | CM = 0, WnR = 1, TnD = 0, TagAccess = 0 | GCS = 0, Overlay = 0, DirtyBit = 0, Xs = 0 | user pgtable: 4k pages, 52-bit VAs, pgdp=0000000101f47c00 | [0000000000000000] pgd=08000001021d8403, p4d=0800000102274403, pud=0800000102275403, pmd=0000000000000000 | Internal error: Oops: 0000000096000046 [#1] SMP | Modules linked in: | CPU: 0 UID: 0 PID: 153 Comm: sigreturn-za Not tainted 6.19.0-rc1 #1 PREEMPT | Hardware name: linux,dummy-virt (DT) | pstate: 214000c9 (nzCv daIF +PAN -UAO -TCO +DIT -SSBS BTYPE=–) | pc : sve_save_state+0x4/0xf0 | lr : fpsimd_save_user_state+0xb0/0x1c0 | sp : ffff80008070bcc0 | x29: ffff80008070bcc0 x28: fff00000c1ca4c40 x27: 63cfa172fb5cf658 | x26: fff00000c1ca5228 x25: 0000000000000000 x24: 0000000000000000 | x23: 0000000000000000 x22: fff00000c1ca4c40 x21: fff00000c1ca4c40 | x20: 0000000000000020 x19: fff00000ff6900f0 x18: 0000000000000000 | x17: fff05e8e0311f000 x16: 0000000000000000 x15: 028fca8f3bdaf21c | x14: 0000000000000212 x13: fff00000c0209f10 x12: 0000000000000020 | x11: 0000000000200b20 x10: 0000000000000000 x9 : fff00000ff69dcc0 | x8 : 00000000000003f2 x7 : 0000000000000001 x6 : fff00000c1ca5b48 | x5 : fff05e8e0311f000 x4 : 0000000008000000 x3 : 0000000000000000 | x2 : 0000000000000001 x1 : fff00000c1ca5970 x0 : 0000000000000440 | Call trace: | sve_save_state+0x4/0xf0 (P) | fpsimd_thread_switch+0x48/0x198 | __switch_to+0x20/0x1c0 | __schedule+0x36c/0xce0 | schedule+0x34/0x11c | exit_to_user_mode_loop+0x124/0x188 | el0_interrupt+0xc8/0xd8 | __el0_irq_handler_common+0x18/0x24 | el0t_64_irq_handler+0x10/0x1c | el0t_64_irq+0x198/0x19c | Code: 54000040 d51b4408 d65f03c0 d503245f (e5bb5800) | —[ end trace 0000000000000000 ]— Fix this by having restore_za_context() ensure that the task’s sve_state is allocated, matching what we do when taking an SME trap. Any live SVE/SSVE state (which is restored earlier from a separate signal context) must be preserved, and hence this is not zeroed. | 2026-02-04 | not yet calculated | CVE-2026-23107 | https://git.kernel.org/stable/c/c5a5b150992ebab779c1ce54f54676786e47e94c https://git.kernel.org/stable/c/19b2c3f3ca1b4b6dccd2a42aca2692d8c79c4214 https://git.kernel.org/stable/c/0af233d66eff90fb8f3e0fc09f2316bba0b72bb9 https://git.kernel.org/stable/c/70f7f54566afc23f2c71bf1411af81f5d8009e0f https://git.kernel.org/stable/c/ea8ccfddbce0bee6310da4f3fc560ad520f5e6b4 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: can: usb_8dev: usb_8dev_read_bulk_callback(): fix URB memory leak Fix similar memory leak as in commit 7352e1d5932a (“can: gs_usb: gs_usb_receive_bulk_callback(): fix URB memory leak”). In usb_8dev_open() -> usb_8dev_start(), the URBs for USB-in transfers are allocated, added to the priv->rx_submitted anchor and submitted. In the complete callback usb_8dev_read_bulk_callback(), the URBs are processed and resubmitted. In usb_8dev_close() -> unlink_all_urbs() the URBs are freed by calling usb_kill_anchored_urbs(&priv->rx_submitted). However, this does not take into account that the USB framework unanchors the URB before the complete function is called. This means that once an in-URB has been completed, it is no longer anchored and is ultimately not released in usb_kill_anchored_urbs(). Fix the memory leak by anchoring the URB in the usb_8dev_read_bulk_callback() to the priv->rx_submitted anchor. | 2026-02-04 | not yet calculated | CVE-2026-23108 | https://git.kernel.org/stable/c/feb8243eaea7efd5279b19667d7189fd8654c87a https://git.kernel.org/stable/c/ef6e608e5ee71eca0cd3475c737e684cef24f240 https://git.kernel.org/stable/c/60719661b4cbd7ffbed1a0e0fa3bbc82d8bd2be9 https://git.kernel.org/stable/c/59ff56992bba28051ad67cd8cc7b0edfe7280796 https://git.kernel.org/stable/c/ea4a98e924164586066b39f29bfcc7cc9da108cd https://git.kernel.org/stable/c/07e9373739c6388af9d99797cdb2e79dbbcbe92b https://git.kernel.org/stable/c/f7a980b3b8f80fe367f679da376cf76e800f9480 |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: fs/writeback: skip AS_NO_DATA_INTEGRITY mappings in wait_sb_inodes() Above the while() loop in wait_sb_inodes(), we document that we must wait for all pages under writeback for data integrity. Consequently, if a mapping, like fuse, traditionally does not have data integrity semantics, there is no need to wait at all; we can simply skip these inodes. This restores fuse back to prior behavior where syncs are no-ops. This fixes a user regression where if a system is running a faulty fuse server that does not reply to issued write requests, this causes wait_sb_inodes() to wait forever. | 2026-02-04 | not yet calculated | CVE-2026-23109 | https://git.kernel.org/stable/c/3f4ed5e2b8f111553562507ad6202432c7c57731 https://git.kernel.org/stable/c/f9a49aa302a05e91ca01f69031cb79a0ea33031f |
| Linux–Linux | In the Linux kernel, the following vulnerability has been resolved: scsi: core: Wake up the error handler when final completions race against each other The fragile ordering between marking commands completed or failed so that the error handler only wakes when the last running command completes or times out has race conditions. These race conditions can cause the SCSI layer to fail to wake the error handler, leaving I/O through the SCSI host stuck as the error state cannot advance. First, there is an memory ordering issue within scsi_dec_host_busy(). The write which clears SCMD_STATE_INFLIGHT may be reordered with reads counting in scsi_host_busy(). While the local CPU will see its own write, reordering can allow other CPUs in scsi_dec_host_busy() or scsi_eh_inc_host_failed() to see a raised busy count, causing no CPU to see a host busy equal to the host_failed count. This race condition can be prevented with a memory barrier on the error path to force the write to be visible before counting host busy commands. Second, there is a general ordering issue with scsi_eh_inc_host_failed(). By counting busy commands before incrementing host_failed, it can race with a final command in scsi_dec_host_busy(), such that scsi_dec_host_busy() does not see host_failed incremented but scsi_eh_inc_host_failed() counts busy commands before SCMD_STATE_INFLIGHT is cleared by scsi_dec_host_busy(), resulting in neither waking the error handler task. This needs the call to scsi_host_busy() to be moved after host_failed is incremented to close the race condition. | 2026-02-04 | not yet calculated | CVE-2026-23110 | https://git.kernel.org/stable/c/cc872e35c0df80062abc71268d690a2f749e542e https://git.kernel.org/stable/c/6d9a367be356101963c249ebf10ea10b32886607 https://git.kernel.org/stable/c/9fdc6f28d5e81350ab1d2cac8389062bd09e61e1 https://git.kernel.org/stable/c/64ae21b9c4f0c7e60cf47a53fa7ab68852079ef0 https://git.kernel.org/stable/c/219f009ebfd1ef3970888ee9eef4c8a06357f862 https://git.kernel.org/stable/c/fe2f8ad6f0999db3b318359a01ee0108c703a8c3 |
| Six Apart Ltd.–Movable Type (Software Edition) | A non-administrative user can upload malicious files. When an administrator or the product accesses that file, an arbitrary script may be executed on the administrator’s browser. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-23704 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| Apache Software Foundation–Apache Syncope | Reflected XSS in Apache Syncope’s Enduser Login page. An attacker that tricks a legitimate user into clicking a malicious link and logging in to Syncope Enduser could steal that user’s credentials. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23794 | https://lists.apache.org/thread/7h30ghqdsf3spl3h7gdmscxofrm8ygjo |
| Apache Software Foundation–Apache Syncope | Improper Restriction of XML External Entity Reference vulnerability in Apache Syncope Console. An administrator with adequate entitlements to create or edit Keymaster parameters via Console can construct malicious XML text to launch an XXE attack, thereby causing sensitive data leakage occurs. This issue affects Apache Syncope: from 3.0 through 3.0.15, from 4.0 through 4.0.3. Users are recommended to upgrade to version 3.0.16 / 4.0.4, which fix this issue. | 2026-02-03 | not yet calculated | CVE-2026-23795 | https://lists.apache.org/thread/mzgbdn8hzk8vr94o660njcc7w62c2pos |
| OpenSolution–Quick.Cart | Quick.Cart allows a user’s session identifier to be set before authentication. The value of this session ID stays the same after authentication. This behaviour enables an attacker to fix a session ID for a victim and later hijack the authenticated session. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23796 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| OpenSolution–Quick.Cart | In Quick.Cart user passwords are stored in plaintext form. An attacker with high privileges can display users’ password in user editing page. The vendor was notified early about this vulnerability, but didn’t respond with the details of vulnerability or vulnerable version range. Only version 6.7 was tested and confirmed as vulnerable, other versions were not tested and might also be vulnerable. | 2026-02-05 | not yet calculated | CVE-2026-23797 | https://opensolution.org/sklep-internetowy-quick-cart.html https://cert.pl/posts/2026/02/CVE-2026-23796 |
| parallax–jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, the addJS method in the jspdf Node.js build utilizes a shared module-scoped variable (text) to store JavaScript content. When used in a concurrent environment (e.g., a Node.js web server), this variable is shared across all requests. If multiple requests generate PDFs simultaneously, the JavaScript content intended for one user may be overwritten by a subsequent request before the document is generated. This results in Cross-User Data Leakage, where the PDF generated for User A contains the JavaScript payload (and any embedded sensitive data) intended for User B. Typically, this only affects server-side environments, although the same race conditions might occur if jsPDF runs client-side. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24040 | https://github.com/parallax/jsPDF/security/advisories/GHSA-cjw8-79×6-5cj4 https://github.com/parallax/jsPDF/commit/2863e5c26afef211a545e8c174ab4d5fce3b8c0e https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| parallax–jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addMetadata function allows users to inject arbitrary XML. If given the possibility to pass unsanitized input to the addMetadata method, a user can inject arbitrary XMP metadata into the generated PDF. If the generated PDF is signed, stored or otherwise processed after, the integrity of the PDF can no longer be guaranteed. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24043 | https://github.com/parallax/jsPDF/security/advisories/GHSA-vm32-vv63-w422 https://github.com/parallax/jsPDF/commit/efe54bf50f3f5e5416b2495e3c24624fc80b6cff https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| zulip–zulip | Zulip is an open-source team collaboration tool. From 5.0 to before 11.5, some administrative actions on the user profile were susceptible to stored XSS in group names or channel names. Exploiting these vulnerabilities required the user explicitly interacting with the problematic object. This vulnerability is fixed in 11.5. | 2026-02-06 | not yet calculated | CVE-2026-24050 | https://github.com/zulip/zulip/security/advisories/GHSA-56qv-8823-6fq9 https://github.com/zulip/zulip/commit/e6093d9e4788f4d82236d856c5ed7b16767886a7 https://github.com/zulip/zulip/releases/tag/11.5 https://zulip.readthedocs.io/en/latest/overview/changelog.html#zulip-server-11-5 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 1.0.111, Claude Code contained insufficient URL validation in its trusted domain verification mechanism for WebFetch requests. The application used a startsWith() function to validate trusted domains (e.g., docs.python.org, modelcontextprotocol.io), this could have enabled attackers to register domains like modelcontextprotocol.io.example.com that would pass validation. This could enable automatic requests to attacker-controlled domains without user consent, potentially leading to data exfiltration. This issue has been patched in version 1.0.111. | 2026-02-03 | not yet calculated | CVE-2026-24052 | https://github.com/anthropics/claude-code/security/advisories/GHSA-vhw5-3g5m-8ggf |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.74, due to a Bash command validation flaw in parsing ZSH clobber syntax, it was possible to bypass directory restrictions and write files outside the current working directory without user permission prompts. Exploiting this required the user to use ZSH and the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.74. | 2026-02-03 | not yet calculated | CVE-2026-24053 | https://github.com/anthropics/claude-code/security/advisories/GHSA-q728-gf8j-w49r |
| Native Instruments–Native Access | During the installation of the Native Access application, a privileged helper `com.native-instruments.NativeAccess.Helper2`, which is used by Native Access to trigger functions via XPC communication like copy-file, remove or set-permissions, is deployed as well. The communication with the XPC service of the privileged helper is only allowed if the client process is signed with the corresponding certificate and fulfills the following code signing requirement: “anchor trusted and certificate leaf[subject.CN] = “Developer ID Application: Native Instruments GmbH (83K5EG6Z9V)”” The Native Access application was found to be signed with the `com.apple.security.cs.allow-dyld-environment-variables` and `com.apple.security.cs.disable-library-validation` entitlements leading to DYLIB injection and therefore command execution in the context of this application. A low privileged user can exploit the DYLIB injection to trigger functions of the privileged helper XPC service resulting in privilege escalation by first deleting the /etc/sudoers file and then copying a malicious version of that file to /etc/sudoers. | 2026-02-02 | not yet calculated | CVE-2026-24070 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| Native Instruments–Native Access | It was found that the XPC service offered by the privileged helper of Native Access uses the PID of the connecting client to verify its code signature. This is considered insecure and can be exploited by PID reuse attacks. The connection handler function uses _xpc_connection_get_pid(arg2) as argument for the hasValidSignature function. This value can not be trusted since it is vulnerable to PID reuse attacks. | 2026-02-02 | not yet calculated | CVE-2026-24071 | https://sec-consult.com/vulnerability-lab/advisory/multiple-vulnerabilities-in-native-instruments-native-access-macos/ |
| parallax–jsPDF | jsPDF is a library to generate PDFs in JavaScript. Prior to 4.1.0, user control of the first argument of the addImage method results in denial of service. If given the possibility to pass unsanitized image data or URLs to the addImage method, a user can provide a harmful BMP file that results in out of memory errors and denial of service. Harmful BMP files have large width and/or height entries in their headers, which lead to excessive memory allocation. The html method is also affected. The vulnerability has been fixed in jsPDF@4.1.0. | 2026-02-02 | not yet calculated | CVE-2026-24133 | https://github.com/parallax/jsPDF/security/advisories/GHSA-95fx-jjr5-f39c https://github.com/parallax/jsPDF/commit/ae4b93f76d8fc1baa5614bd5fdb5d174c3b85f0d https://github.com/parallax/jsPDF/releases/tag/v4.1.0 |
| gogs–gogs | Gogs is an open source self-hosted Git service. In version 0.13.3 and prior, a path traversal vulnerability exists in the updateWikiPage function of Gogs. The vulnerability allows an authenticated user with write access to a repository’s wiki to delete arbitrary files on the server by manipulating the old_title parameter in the wiki editing form. This issue has been patched in versions 0.13.4 and 0.14.0+dev. | 2026-02-06 | not yet calculated | CVE-2026-24135 | https://github.com/gogs/gogs/security/advisories/GHSA-jp7c-wj6q-3qf2 |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the article pricing completion handler. The application fails to properly sanitize the idarticolo parameter before using it in SQL queries, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24416 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-p864-fqgv-92q4 |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Time-Based Blind SQL Injection vulnerability in the global search functionality. The application fails to properly sanitize the term parameter before using it in SQL LIKE clauses across multiple module-specific search handlers, allowing attackers to inject arbitrary SQL commands and extract sensitive data through time-based Boolean inference. | 2026-02-06 | not yet calculated | CVE-2026-24417 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4hc4-8599-xh2h |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the bulk operations handler for the Scadenzario (Payment Schedule) module. The application fails to validate that elements of the id_records array are integers before using them in an SQL IN() clause, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24418 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4xwv-49c8-fvhq |
| devcode-it–openstamanager | OpenSTAManager is an open source management software for technical assistance and invoicing. OpenSTAManager v2.9.8 and earlier contain a critical Error-Based SQL Injection vulnerability in the Prima Nota (Journal Entry) module’s add.php file. The application fails to validate that comma-separated values from the id_documenti GET parameter are integers before using them in SQL IN() clauses, allowing attackers to inject arbitrary SQL commands and extract sensitive data through XPATH error messages. | 2026-02-06 | not yet calculated | CVE-2026-24419 | https://github.com/devcode-it/openstamanager/security/advisories/GHSA-4j2x-jh4m-fqv6 |
| Shenzhen Tenda Technology Co., Ltd.–Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior contain an improper output encoding vulnerability in the web management interface. User-supplied input is reflected in HTTP responses without adequate escaping, allowing injection of arbitrary HTML or JavaScript in a victim’s browser context. | 2026-02-03 | not yet calculated | CVE-2026-24426 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-reflected-xss-via-web-interface-output-encoding |
| Shenzhen Tenda Technology Co., Ltd.–Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose sensitive information in web management responses. Administrative credentials, including the router and/or admin panel password, are included in plaintext within configuration response bodies. In addition, responses lack appropriate Cache-Control directives, which may permit web browsers to cache pages containing these credentials and enable subsequent disclosure to an attacker with access to the client system or browser profile. | 2026-02-03 | not yet calculated | CVE-2026-24427 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-exposes-admin-credentials-in-configuration-responses |
| Shenzhen Tenda Technology Co., Ltd.–Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior does not implement CSRF protections for administrative functions in the web management interface. The interface does not enforce anti-CSRF tokens or robust origin validation, which can allow an attacker to induce a logged-in administrator to perform unintended state-changing requests and modify router settings. | 2026-02-03 | not yet calculated | CVE-2026-24434 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-web-interface-lacks-csrf-protections-for-admin-actions |
| Shenzhen Tenda Technology Co., Ltd.–Tenda AC7 | Shenzhen Tenda AC7 firmware version V03.03.03.01_cn and prior expose account credentials in plaintext within HTTP responses, allowing an on-path attacker to obtain sensitive authentication material. | 2026-02-03 | not yet calculated | CVE-2026-24441 | https://www.tendacn.com/product/AC7 https://www.vulncheck.com/advisories/tenda-ac7-transmits-admin-credentials-without-https-protection |
| Six Apart Ltd.–Movable Type (Software Edition) | If a malformed data is input to the affected product, a CSV file downloaded from the affected product may contain such malformed data. When a victim user download and open such a CSV file, the embedded code may be executed in the user’s environment. Note that Movable Type 7 series and 8.4 series, which are End-of-Life (EOL), are affected by the vulnerability as well. | 2026-02-04 | not yet calculated | CVE-2026-24447 | https://movabletype.org/news/2026/02/mt-906-released.html https://www.sixapart.jp/movabletype/news/2026/02/04-1100.html https://jvn.jp/en/jp/JVN45405689/ |
| ELECOM CO.,LTD.–WRC-X1500GS-B | For WRC-X1500GS-B and WRC-X1500GSA-B, the initial passwords can be calculated easily from the system information. | 2026-02-03 | not yet calculated | CVE-2026-24449 | https://www.elecom.co.jp/news/security/20260203-01/ https://jvn.jp/en/jp/JVN94012927/ |
| ELECOM CO.,LTD.–WAB-S733IW2-PD | Stack-based buffer overflow vulnerability exists in ELECOM wireless LAN access point devices. A crafted packet may lead to arbitrary code execution. | 2026-02-03 | not yet calculated | CVE-2026-24465 | https://www.elecom.co.jp/news/security/20260203-01/ https://www.elecom.co.jp/news/security/20260203-02/ https://jvn.jp/en/jp/JVN94012927/ |
| continuwuity–continuwuity | continuwuity is a Matrix homeserver written in Rust. This vulnerability allows an attacker with a malicious remote server to cause the local server to sign an arbitrary event upon user interaction. Upon a user account leaving a room (rejecting an invite), joining a room or knocking on a room, the victim server may ask a remote server for assistance. If the victim asks the attacker server for assistance the attacker is able to provide an arbitrary event, which the victim will sign and return to the attacker. For the /leave endpoint, this works for any event with a supported room version, where the origin and origin_server_ts is set by the victim. For the /join endpoint, an additionally victim-set content field in the format of a join membership is needed. For the /knock endpoint, an additional victim-set content field in the format of a knock membership and a room version not between 1 and 6 is needed. This was exploited as a part of a larger chain against the continuwuity.org homeserver. This vulnerability affects all Conduit-derived servers. This vulnerability is fixed in Continuwuity 0.5.1, Conduit 0.10.11, Grapevine 0aae932b, and Tuwunel 1.4.9. | 2026-02-02 | not yet calculated | CVE-2026-24471 | https://github.com/continuwuity/continuwuity/security/advisories/GHSA-m5p2-vccg-8c9v https://forgejo.ellis.link/continuwuation/continuwuity/commit/12aecf809172205436c852a1eaf268c1a2c3a900 |
| Roland Corporation–Roland Cloud Manager | The installer for Roland Cloud Manager ver.3.1.19 and prior insecurely loads Dynamic Link Libraries (DLLs), which could allow an attacker to execute arbitrary code with the privileges of the application. | 2026-02-03 | not yet calculated | CVE-2026-24694 | https://www.roland.com/global/products/rc_roland_cloud_manager/support/#dl-support_documents https://jvn.jp/en/jp/JVN89992160/ |
| Apache Software Foundation–Apache Answer | Exposure of Private Personal Information to an Unauthorized Actor vulnerability in Apache Answer. This issue affects Apache Answer: through 1.7.1. An unauthenticated API endpoint incorrectly exposes full revision history for deleted content. This allows unauthorized user to retrieve restricted or sensitive information. Users are recommended to upgrade to version 2.0.0, which fixes the issue. | 2026-02-04 | not yet calculated | CVE-2026-24735 | https://lists.apache.org/thread/whxloom7mpxlyt5wzdskflsg5mzdzd60 |
| rustfs–rustfs | RustFS is a distributed object storage system built in Rust. From versions alpha.13 to alpha.81, RustFS logs sensitive credential material (access key, secret key, session token) to application logs at INFO level. This results in credentials being recorded in plaintext in log output, which may be accessible to internal or external log consumers and could lead to compromise of sensitive credentials. This issue has been patched in version alpha.82. | 2026-02-03 | not yet calculated | CVE-2026-24762 | https://github.com/rustfs/rustfs/security/advisories/GHSA-r54g-49rx-98cr |
| RaspAP–raspap-webgui | RaspAP raspap-webgui versions prior to 3.3.6 contain an OS command injection vulnerability. If exploited, an arbitrary OS command may be executed by a user who can log in to the product. | 2026-02-02 | not yet calculated | CVE-2026-24788 | https://github.com/RaspAP/raspap-webgui/releases https://jvn.jp/en/jp/JVN27202136/ |
| openfga–openfga | OpenFGA is a high-performance and flexible authorization/permission engine built for developers and inspired by Google Zanzibar. OpenFGA v1.8.5 to v1.11.2 ( openfga-0.2.22<= Helm chart <= openfga-0.2.51, v.1.8.5 <= docker <= v.1.11.2) are vulnerable to improper policy enforcement when certain Check calls are executed. The vulnerability requires a model that has a a relation directly assignable by a type bound public access and assignable by type bound non-public access, a tuple assigned for the relation that is a type bound public access, a tuple assigned for the same object with the same relation that is not type bound public access, and a tuple assigned for a different object that has an object ID lexicographically larger with the same user and relation which is not type bound public access. This vulnerability is fixed in v1.11.3. | 2026-02-06 | not yet calculated | CVE-2026-24851 | https://github.com/openfga/openfga/security/advisories/GHSA-jq9f-gm9w-rwm9 https://github.com/openfga/openfga/releases/tag/v1.11.3 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.72, due to an error in command parsing, it was possible to bypass the Claude Code confirmation prompt to trigger execution of untrusted commands through the find command. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.72. | 2026-02-03 | not yet calculated | CVE-2026-24887 | https://github.com/anthropics/claude-code/security/advisories/GHSA-qgqw-h4xq-7w8w |
| AlgoNetLab–OrcaStatLLM-Researcher | OrcaStatLLM Researcher is an LLM Based Research Paper Generator. A Stored Cross-Site Scripting (XSS) vulnerability was discovered in the Log Message in the Session Page in OrcaStatLLM-Researcher that allows attackers to inject and execute arbitrary JavaScript code in victims’ browsers through malicious research topic inputs. | 2026-02-06 | not yet calculated | CVE-2026-24903 | https://github.com/AlgoNetLab/OrcaStatLLM-Researcher/security/advisories/GHSA-47wv-g894-82m4 |
| ASUSTOR–ADM | The DDNS update function in ADM fails to properly validate the hostname of the DDNS server’s TLS/SSL certificate. Although the connection uses HTTPS, an improper validated TLS/SSL certificates allows a remote attacker can intercept the communication to perform a Man-in-the-Middle (MitM) attack, which may obtain the sensitive information of DDNS updating process, including the user’s account email, MD5 hashed password, and device serial number. This issue affects ADM: from 4.1.0 through 4.3.3.ROF1, from 5.0.0 through 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24932 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR–ADM | The API communication component fails to validate the SSL/TLS certificate when sending HTTPS requests to the server. An improper certificates validation vulnerability allows an unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to intercept the cleartext communication, potentially leading to the exposure of sensitive user information, including account emails, MD5 hashed passwords, and device serial numbers. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24933 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR–ADM | The DDNS function uses an insecure HTTP connection or fails to validate the SSL/TLS certificate when querying an external server for the device’s WAN IP address. An unauthenticated remote attacker can perform a Man-in-the-Middle (MitM) attack to spoof the response, leading the device to update its DDNS record with an incorrect IP address. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24934 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR–ADM | A third-party NAT traversal module fails to validate SSL/TLS certificates when connecting to the signaling server. While subsequent access to device services requires additional authentication, a Man-in-the-Middle (MitM) attacker can intercept or redirect the NAT tunnel establishment. This could allow an attacker to disrupt service availability or facilitate further targeted attacks by acting as a proxy between the user and the device services. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24935 | https://www.asustor.com/security/security_advisory_detail?id=50 |
| ASUSTOR–ADM | When a specific function is enabled while joining a AD Domain from ADM, an improper input parameters validation vulnerability in a specific CGI program allowing an unauthenticated remote attacker to write arbitrary data to any file on the system. By exploiting this vulnerability, attackers can overwrite critical system files, leading to a complete system compromise. Affected products and versions include: from ADM 4.1.0 through ADM 4.3.3.ROF1 as well as from ADM 5.0.0 through ADM 5.1.1.RCI1. | 2026-02-03 | not yet calculated | CVE-2026-24936 | https://www.asustor.com/security/security_advisory_detail?id=51 |
| Ajay–Better Search | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Ajay Better Search better-search allows Stored XSS. This issue affects Better Search: from n/a through <= 4.2.1. | 2026-02-03 | not yet calculated | CVE-2026-24938 | https://patchstack.com/database/Wordpress/Plugin/better-search/vulnerability/wordpress-better-search-plugin-4-2-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| WP Chill–Modula Image Gallery | Missing Authorization vulnerability in WP Chill Modula Image Gallery modula-best-grid-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modula Image Gallery: from n/a through <= 2.13.6. | 2026-02-03 | not yet calculated | CVE-2026-24939 | https://patchstack.com/database/Wordpress/Plugin/modula-best-grid-gallery/vulnerability/wordpress-modula-image-gallery-plugin-2-13-6-broken-access-control-vulnerability?_s_id=cve |
| Themefic–Travelfic Toolkit | Missing Authorization vulnerability in Themefic Travelfic Toolkit travelfic-toolkit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Travelfic Toolkit: from n/a through <= 1.3.3. | 2026-02-03 | not yet calculated | CVE-2026-24940 | https://patchstack.com/database/Wordpress/Plugin/travelfic-toolkit/vulnerability/wordpress-travelfic-toolkit-plugin-1-3-3-broken-access-control-vulnerability?_s_id=cve |
| magepeopleteam–WpEvently | Cross-Site Request Forgery (CSRF) vulnerability in magepeopleteam WpEvently mage-eventpress allows Cross Site Request Forgery. This issue affects WpEvently: from n/a through <= 5.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24942 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-1-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Themefic–Ultimate Addons for Contact Form 7 | Missing Authorization vulnerability in Themefic Ultimate Addons for Contact Form 7 ultimate-addons-for-contact-form-7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Ultimate Addons for Contact Form 7: from n/a through <= 3.5.34. | 2026-02-03 | not yet calculated | CVE-2026-24945 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-contact-form-7/vulnerability/wordpress-ultimate-addons-for-contact-form-7-plugin-3-5-34-broken-access-control-vulnerability?_s_id=cve |
| LA-Studio–LA-Studio Element Kit for Elementor | Missing Authorization vulnerability in LA-Studio LA-Studio Element Kit for Elementor lastudio-element-kit allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects LA-Studio Element Kit for Elementor: from n/a through < 1.5.6.3. | 2026-02-03 | not yet calculated | CVE-2026-24947 | https://patchstack.com/database/Wordpress/Plugin/lastudio-element-kit/vulnerability/wordpress-la-studio-element-kit-for-elementor-plugin-1-5-6-3-broken-access-control-vulnerability?_s_id=cve |
| Saad Iqbal–myCred | Missing Authorization vulnerability in Saad Iqbal myCred mycred allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects myCred: from n/a through <= 2.9.7.3. | 2026-02-03 | not yet calculated | CVE-2026-24951 | https://patchstack.com/database/Wordpress/Plugin/mycred/vulnerability/wordpress-mycred-plugin-2-9-7-3-broken-access-control-vulnerability?_s_id=cve |
| Craig Hewitt–Seriously Simple Podcasting | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Craig Hewitt Seriously Simple Podcasting seriously-simple-podcasting allows Stored XSS. This issue affects Seriously Simple Podcasting: from n/a through <= 3.14.1. | 2026-02-03 | not yet calculated | CVE-2026-24952 | https://patchstack.com/database/Wordpress/Plugin/seriously-simple-podcasting/vulnerability/wordpress-seriously-simple-podcasting-plugin-3-14-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| magepeopleteam–WpEvently | Deserialization of Untrusted Data vulnerability in magepeopleteam WpEvently mage-eventpress allows Object Injection. This issue affects WpEvently: from n/a through <= 5.0.8. | 2026-02-03 | not yet calculated | CVE-2026-24954 | https://patchstack.com/database/Wordpress/Plugin/mage-eventpress/vulnerability/wordpress-wpevently-plugin-5-0-8-deserialization-of-untrusted-data-vulnerability?_s_id=cve |
| WP Chill–Strong Testimonials | Missing Authorization vulnerability in WP Chill Strong Testimonials strong-testimonials allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Strong Testimonials: from n/a through <= 3.2.20. | 2026-02-03 | not yet calculated | CVE-2026-24957 | https://patchstack.com/database/Wordpress/Plugin/strong-testimonials/vulnerability/wordpress-strong-testimonials-plugin-3-2-20-broken-access-control-vulnerability?_s_id=cve |
| Crocoblock–JetElements For Elementor | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Crocoblock JetElements For Elementor jet-elements allows DOM-Based XSS. This issue affects JetElements For Elementor: from n/a through <= 2.7.12.2. | 2026-02-03 | not yet calculated | CVE-2026-24958 | https://patchstack.com/database/Wordpress/Plugin/jet-elements/vulnerability/wordpress-jetelements-for-elementor-plugin-2-7-12-2-cross-site-scripting-xss-vulnerability?_s_id=cve |
| ThemeGoods–Grand Blog | Server-Side Request Forgery (SSRF) vulnerability in ThemeGoods Grand Blog grandblog allows Server Side Request Forgery. This issue affects Grand Blog: from n/a through < 3.1.5. | 2026-02-03 | not yet calculated | CVE-2026-24961 | https://patchstack.com/database/Wordpress/Theme/grandblog/vulnerability/wordpress-grand-blog-theme-3-1-5-server-side-request-forgery-ssrf-vulnerability?_s_id=cve |
| Brainstorm Force–Sigmize | Cross-Site Request Forgery (CSRF) vulnerability in Brainstorm Force Sigmize sigmize allows Cross Site Request Forgery. This issue affects Sigmize: from n/a through <= 0.0.9. | 2026-02-03 | not yet calculated | CVE-2026-24962 | https://patchstack.com/database/Wordpress/Plugin/sigmize/vulnerability/wordpress-sigmize-plugin-0-0-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Wasiliy Strecker / ContestGallery developer–Contest Gallery | Missing Authorization vulnerability in Wasiliy Strecker / ContestGallery developer Contest Gallery contest-gallery allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Contest Gallery: from n/a through <= 28.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24965 | https://patchstack.com/database/Wordpress/Plugin/contest-gallery/vulnerability/wordpress-contest-gallery-plugin-28-1-1-broken-access-control-vulnerability?_s_id=cve |
| Copyscape–Copyscape Premium | Cross-Site Request Forgery (CSRF) vulnerability in Copyscape Copyscape Premium copyscape-premium allows Cross Site Request Forgery. This issue affects Copyscape Premium: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-24966 | https://patchstack.com/database/Wordpress/Plugin/copyscape-premium/vulnerability/wordpress-copyscape-premium-plugin-1-4-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ameliabooking–Amelia | Missing Authorization vulnerability in ameliabooking Amelia ameliabooking allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Amelia: from n/a through <= 1.2.38. | 2026-02-03 | not yet calculated | CVE-2026-24967 | https://patchstack.com/database/Wordpress/Plugin/ameliabooking/vulnerability/wordpress-amelia-plugin-1-2-38-broken-access-control-vulnerability?_s_id=cve |
| Brainstorm Force–Spectra | Missing Authorization vulnerability in Brainstorm Force Spectra ultimate-addons-for-gutenberg allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Spectra: from n/a through <= 2.19.17. | 2026-02-03 | not yet calculated | CVE-2026-24982 | https://patchstack.com/database/Wordpress/Plugin/ultimate-addons-for-gutenberg/vulnerability/wordpress-spectra-plugin-2-19-17-broken-access-control-vulnerability?_s_id=cve |
| Brecht–Visual Link Preview | Missing Authorization vulnerability in Brecht Visual Link Preview visual-link-preview allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Visual Link Preview: from n/a through <= 2.2.9. | 2026-02-03 | not yet calculated | CVE-2026-24984 | https://patchstack.com/database/Wordpress/Plugin/visual-link-preview/vulnerability/wordpress-visual-link-preview-plugin-2-2-9-broken-access-control-vulnerability?_s_id=cve |
| approveme–WP Forms Signature Contract Add-On | Missing Authorization vulnerability in approveme WP Forms Signature Contract Add-On wp-forms-signature-contract-add-on allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Forms Signature Contract Add-On: from n/a through <= 1.8.2. | 2026-02-03 | not yet calculated | CVE-2026-24985 | https://patchstack.com/database/Wordpress/Plugin/wp-forms-signature-contract-add-on/vulnerability/wordpress-wp-forms-signature-contract-add-on-plugin-1-8-2-broken-access-control-to-notice-dismissal-vulnerability?_s_id=cve |
| wp.insider–Simple Membership WP user Import | Cross-Site Request Forgery (CSRF) vulnerability in wp.insider Simple Membership WP user Import simple-membership-wp-user-import allows Cross Site Request Forgery. This issue affects Simple Membership WP user Import: from n/a through <= 1.9.1. | 2026-02-03 | not yet calculated | CVE-2026-24986 | https://patchstack.com/database/Wordpress/Plugin/simple-membership-wp-user-import/vulnerability/wordpress-simple-membership-wp-user-import-plugin-1-9-1-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Brian Hogg–The Events Calendar Shortcode & Block | Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) vulnerability in Brian Hogg The Events Calendar Shortcode & Block the-events-calendar-shortcode allows Stored XSS. This issue affects The Events Calendar Shortcode & Block: from n/a through <= 3.1.1. | 2026-02-03 | not yet calculated | CVE-2026-24988 | https://patchstack.com/database/Wordpress/Plugin/the-events-calendar-shortcode/vulnerability/wordpress-the-events-calendar-shortcode-block-plugin-3-1-1-cross-site-scripting-xss-vulnerability?_s_id=cve |
| Fahad Mahmood–WP Docs | Missing Authorization vulnerability in Fahad Mahmood WP Docs wp-docs allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Docs: from n/a through <= 2.2.8. | 2026-02-03 | not yet calculated | CVE-2026-24990 | https://patchstack.com/database/Wordpress/Plugin/wp-docs/vulnerability/wordpress-wp-docs-plugin-2-2-8-broken-access-control-vulnerability?_s_id=cve |
| HT Plugins–Extensions For CF7 | Authorization Bypass Through User-Controlled Key vulnerability in HT Plugins Extensions For CF7 extensions-for-cf7 allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Extensions For CF7: from n/a through <= 3.4.0. | 2026-02-03 | not yet calculated | CVE-2026-24991 | https://patchstack.com/database/Wordpress/Plugin/extensions-for-cf7/vulnerability/wordpress-extensions-for-cf7-plugin-3-4-0-insecure-direct-object-references-idor-vulnerability?_s_id=cve |
| WPFactory–Advanced WooCommerce Product Sales Reporting | Insertion of Sensitive Information Into Sent Data vulnerability in WPFactory Advanced WooCommerce Product Sales Reporting webd-woocommerce-advanced-reporting-statistics allows Retrieve Embedded Sensitive Data. This issue affects Advanced WooCommerce Product Sales Reporting: from n/a through <= 4.1.2. | 2026-02-03 | not yet calculated | CVE-2026-24992 | https://patchstack.com/database/Wordpress/Plugin/webd-woocommerce-advanced-reporting-statistics/vulnerability/wordpress-advanced-woocommerce-product-sales-reporting-plugin-4-1-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| sunshinephotocart–Sunshine Photo Cart | Missing Authorization vulnerability in sunshinephotocart Sunshine Photo Cart sunshine-photo-cart allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Sunshine Photo Cart: from n/a through <= 3.5.7.2. | 2026-02-03 | not yet calculated | CVE-2026-24994 | https://patchstack.com/database/Wordpress/Plugin/sunshine-photo-cart/vulnerability/wordpress-sunshine-photo-cart-plugin-3-5-7-2-broken-access-control-vulnerability?_s_id=cve |
| Iulia Cazan–Latest Post Shortcode | Missing Authorization vulnerability in Iulia Cazan Latest Post Shortcode latest-post-shortcode allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Latest Post Shortcode: from n/a through <= 14.2.0. | 2026-02-03 | not yet calculated | CVE-2026-24995 | https://patchstack.com/database/Wordpress/Plugin/latest-post-shortcode/vulnerability/wordpress-latest-post-shortcode-plugin-14-2-0-broken-access-control-vulnerability?_s_id=cve |
| wpelemento–WPElemento Importer | Missing Authorization vulnerability in wpelemento WPElemento Importer wpelemento-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WPElemento Importer: from n/a through <= 0.6.4. | 2026-02-03 | not yet calculated | CVE-2026-24996 | https://patchstack.com/database/Wordpress/Plugin/wpelemento-importer/vulnerability/wordpress-wpelemento-importer-plugin-0-6-4-broken-access-control-vulnerability?_s_id=cve |
| Wired Impact–Wired Impact Volunteer Management | Missing Authorization vulnerability in Wired Impact Wired Impact Volunteer Management wired-impact-volunteer-management allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Wired Impact Volunteer Management: from n/a through <= 2.8. | 2026-02-03 | not yet calculated | CVE-2026-24997 | https://patchstack.com/database/Wordpress/Plugin/wired-impact-volunteer-management/vulnerability/wordpress-wired-impact-volunteer-management-plugin-2-8-broken-access-control-vulnerability?_s_id=cve |
| WPMU DEV – Your All-in-One WordPress Platform–Hustle | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in WPMU DEV – Your All-in-One WordPress Platform Hustle wordpress-popup allows Retrieve Embedded Sensitive Data. This issue affects Hustle: from n/a through <= 7.8.9.2. | 2026-02-03 | not yet calculated | CVE-2026-24998 | https://patchstack.com/database/Wordpress/Plugin/wordpress-popup/vulnerability/wordpress-hustle-plugin-7-8-9-2-sensitive-data-exposure-vulnerability?_s_id=cve |
| ILLID–Share This Image | Missing Authorization vulnerability in ILLID Share This Image share-this-image allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Share This Image: from n/a through <= 2.09. | 2026-02-03 | not yet calculated | CVE-2026-25010 | https://patchstack.com/database/Wordpress/Plugin/share-this-image/vulnerability/wordpress-share-this-image-plugin-2-09-broken-access-control-vulnerability?_s_id=cve |
| Northern Beaches Websites–WP Custom Admin Interface | Missing Authorization vulnerability in Northern Beaches Websites WP Custom Admin Interface wp-custom-admin-interface allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Custom Admin Interface: from n/a through <= 7.41. | 2026-02-03 | not yet calculated | CVE-2026-25011 | https://patchstack.com/database/Wordpress/Plugin/wp-custom-admin-interface/vulnerability/wordpress-wp-custom-admin-interface-plugin-7-41-broken-access-control-vulnerability?_s_id=cve |
| gfazioli–WP Bannerize Pro | Missing Authorization vulnerability in gfazioli WP Bannerize Pro wp-bannerize-pro allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Bannerize Pro: from n/a through <= 1.11.0. | 2026-02-03 | not yet calculated | CVE-2026-25012 | https://patchstack.com/database/Wordpress/Plugin/wp-bannerize-pro/vulnerability/wordpress-wp-bannerize-pro-plugin-1-11-0-broken-access-control-vulnerability?_s_id=cve |
| themelooks–Enter Addons | Cross-Site Request Forgery (CSRF) vulnerability in themelooks Enter Addons enteraddons allows Cross Site Request Forgery. This issue affects Enter Addons: from n/a through <= 2.3.2. | 2026-02-03 | not yet calculated | CVE-2026-25014 | https://patchstack.com/database/Wordpress/Plugin/enteraddons/vulnerability/wordpress-enter-addons-plugin-2-3-2-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Stiofan–UsersWP | Cross-Site Request Forgery (CSRF) vulnerability in Stiofan UsersWP userswp allows Cross Site Request Forgery. This issue affects UsersWP: from n/a through <= 1.2.53. | 2026-02-03 | not yet calculated | CVE-2026-25015 | https://patchstack.com/database/Wordpress/Plugin/userswp/vulnerability/wordpress-userswp-plugin-1-2-53-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| Nelio Software–Nelio Popups | Missing Authorization vulnerability in Nelio Software Nelio Popups nelio-popups allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Nelio Popups: from n/a through <= 1.3.5. | 2026-02-03 | not yet calculated | CVE-2026-25016 | https://patchstack.com/database/Wordpress/Plugin/nelio-popups/vulnerability/wordpress-nelio-popups-plugin-1-3-5-broken-access-control-vulnerability?_s_id=cve |
| Vito Peleg–Atarim | Missing Authorization vulnerability in Vito Peleg Atarim atarim-visual-collaboration allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Atarim: from n/a through <= 4.3.1. | 2026-02-03 | not yet calculated | CVE-2026-25019 | https://patchstack.com/database/Wordpress/Plugin/atarim-visual-collaboration/vulnerability/wordpress-atarim-plugin-4-3-1-broken-access-control-vulnerability?_s_id=cve |
| WP connect–WP Sync for Notion | Missing Authorization vulnerability in WP connect WP Sync for Notion wp-sync-for-notion allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP Sync for Notion: from n/a through <= 1.7.0. | 2026-02-03 | not yet calculated | CVE-2026-25020 | https://patchstack.com/database/Wordpress/Plugin/wp-sync-for-notion/vulnerability/wordpress-wp-sync-for-notion-plugin-1-7-0-broken-access-control-vulnerability?_s_id=cve |
| Mizan Themes–Mizan Demo Importer | Missing Authorization vulnerability in Mizan Themes Mizan Demo Importer mizan-demo-importer allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Mizan Demo Importer: from n/a through <= 0.1.3. | 2026-02-03 | not yet calculated | CVE-2026-25021 | https://patchstack.com/database/Wordpress/Plugin/mizan-demo-importer/vulnerability/wordpress-mizan-demo-importer-plugin-0-1-3-broken-access-control-vulnerability?_s_id=cve |
| Iqonic Design–KiviCare | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Iqonic Design KiviCare kivicare-clinic-management-system allows Blind SQL Injection. This issue affects KiviCare: from n/a through <= 3.6.16. | 2026-02-03 | not yet calculated | CVE-2026-25022 | https://patchstack.com/database/Wordpress/Plugin/kivicare-clinic-management-system/vulnerability/wordpress-kivicare-plugin-3-6-16-sql-injection-vulnerability?_s_id=cve |
| mdedev–Run Contests, Raffles, and Giveaways with ContestsWP | Exposure of Sensitive System Information to an Unauthorized Control Sphere vulnerability in mdedev Run Contests, Raffles, and Giveaways with ContestsWP contest-code-checker allows Retrieve Embedded Sensitive Data. This issue affects Run Contests, Raffles, and Giveaways with ContestsWP: from n/a through <= 2.0.7. | 2026-02-03 | not yet calculated | CVE-2026-25023 | https://patchstack.com/database/Wordpress/Plugin/contest-code-checker/vulnerability/wordpress-run-contests-raffles-and-giveaways-with-contestswp-plugin-2-0-7-sensitive-data-exposure-vulnerability?_s_id=cve |
| Blair Williams–ThirstyAffiliates | Cross-Site Request Forgery (CSRF) vulnerability in Blair Williams ThirstyAffiliates thirstyaffiliates allows Cross Site Request Forgery. This issue affects ThirstyAffiliates: from n/a through <= 3.11.9. | 2026-02-03 | not yet calculated | CVE-2026-25024 | https://patchstack.com/database/Wordpress/Plugin/thirstyaffiliates/vulnerability/wordpress-thirstyaffiliates-plugin-3-11-9-cross-site-request-forgery-csrf-vulnerability?_s_id=cve |
| ThemeMove–Unicamp | Improper Control of Filename for Include/Require Statement in PHP Program (‘PHP Remote File Inclusion’) vulnerability in ThemeMove Unicamp unicamp allows PHP Local File Inclusion. This issue affects Unicamp: from n/a through <= 2.7.1. | 2026-02-03 | not yet calculated | CVE-2026-25027 | https://patchstack.com/database/Wordpress/Theme/unicamp/vulnerability/wordpress-unicamp-theme-2-7-1-local-file-inclusion-vulnerability?_s_id=cve |
| Element Invader–ElementInvader Addons for Elementor | Missing Authorization vulnerability in Element Invader ElementInvader Addons for Elementor elementinvader-addons-for-elementor allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects ElementInvader Addons for Elementor: from n/a through <= 1.4.1. | 2026-02-03 | not yet calculated | CVE-2026-25028 | https://patchstack.com/database/Wordpress/Plugin/elementinvader-addons-for-elementor/vulnerability/wordpress-elementinvader-addons-for-elementor-plugin-1-4-1-broken-access-control-vulnerability?_s_id=cve |
| WP Chill–Passster | Missing Authorization vulnerability in WP Chill Passster content-protector allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Passster: from n/a through <= 4.2.25. | 2026-02-03 | not yet calculated | CVE-2026-25036 | https://patchstack.com/database/Wordpress/Plugin/content-protector/vulnerability/wordpress-passster-plugin-4-2-25-broken-access-control-vulnerability?_s_id=cve |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.17 and 2.5.2, an authenticated user with permission to create or modify workflows could abuse crafted expressions in workflow parameters to trigger unintended system command execution on the host running n8n. This issue has been patched in versions 1.123.17 and 2.5.2. | 2026-02-04 | not yet calculated | CVE-2026-25049 | https://github.com/n8n-io/n8n/security/advisories/GHSA-6cqr-8cfr-67f8 https://github.com/n8n-io/n8n/commit/7860896909b3d42993a36297f053d2b0e633235d https://github.com/n8n-io/n8n/commit/936c06cfc1ad269a89e8ef7f8ac79c104436d54b |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to version 1.123.2, a Cross-Site Scripting (XSS) vulnerability has been identified in the handling of webhook responses and related HTTP endpoints. Under certain conditions, the Content Security Policy (CSP) sandbox protection intended to isolate HTML responses may not be applied correctly. An authenticated user with permission to create or modify workflows could abuse this to execute malicious scripts with same-origin privileges when other users interact with the crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in version 1.123.2. | 2026-02-04 | not yet calculated | CVE-2026-25051 | https://github.com/n8n-io/n8n/security/advisories/GHSA-825q-w924-xhgx https://github.com/n8n-io/n8n/commit/ced34c0f93ab4c759a56065965986094d8ef7323 https://github.com/n8n-io/n8n/commit/e8cf4d6bb3af94dc296cbb67bc3dd20e9b508ac9 |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.18 and 2.5.0, a vulnerability in the file access controls allows authenticated users with permission to create or modify workflows to read sensitive files from the n8n host system. This can be exploited to obtain critical configuration data and user credentials, leading to complete account takeover of any user on the instance. This issue has been patched in versions 1.123.18 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25052 | https://github.com/n8n-io/n8n/security/advisories/GHSA-gfvg-qv54-r4pc |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.10 and 2.5.0, vulnerabilities in the Git node allowed authenticated users with permission to create or modify workflows to execute arbitrary system commands or read arbitrary files on the n8n host. This issue has been patched in versions 1.123.10 and 2.5.0. | 2026-02-04 | not yet calculated | CVE-2026-25053 | https://github.com/n8n-io/n8n/security/advisories/GHSA-9g95-qf3f-ggrw |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.9 and 2.2.1, a Cross-Site Scripting (XSS) vulnerability existed in a markdown rendering component used in n8n’s interface, including workflow sticky notes and other areas that support markdown content. An authenticated user with permission to create or modify workflows could abuse this to execute scripts with same-origin privileges when other users interact with a maliciously crafted workflow. This could lead to session hijacking and account takeover. This issue has been patched in versions 1.123.9 and 2.2.1. | 2026-02-04 | not yet calculated | CVE-2026-25054 | https://github.com/n8n-io/n8n/security/advisories/GHSA-qpq4-pw7f-pp8w |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.123.12 and 2.4.0, when workflows process uploaded files and transfer them to remote servers via the SSH node without validating their metadata the vulnerability can lead to files being written to unintended locations on those remote systems potentially leading to remote code execution on those systems. As a prerequisites an unauthenticated attacker needs knowledge of such workflows existing and the endpoints for file uploads need to be unauthenticated. This issue has been patched in versions 1.123.12 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25055 | https://github.com/n8n-io/n8n/security/advisories/GHSA-m82q-59gv-mcr9 |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to versions 1.118.0 and 2.4.0, a vulnerability in the Merge node’s SQL Query mode allowed authenticated users with permission to create or modify workflows to write arbitrary files to the n8n server’s filesystem potentially leading to remote code execution. This issue has been patched in versions 1.118.0 and 2.4.0. | 2026-02-04 | not yet calculated | CVE-2026-25056 | https://github.com/n8n-io/n8n/security/advisories/GHSA-hv53-3329-vmrm |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to version 2.4.8, a vulnerability in the Python Code node allows authenticated users to break out of the Python sandbox environment and execute code outside the intended security boundary. This issue has been patched in version 2.4.8. | 2026-02-04 | not yet calculated | CVE-2026-25115 | https://github.com/n8n-io/n8n/security/advisories/GHSA-8398-gmmx-564h |
| Intermesh–groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to 6.8.150, 25.0.82, and 26.0.5, the MaintenanceController exposes an action zipLanguage which takes a lang parameter and passes it directly to a system zip command via exec(). This can be combined with uploading a crafted zip file to achieve remote code execution. This vulnerability is fixed in 6.8.150, 25.0.82, and 26.0.5. | 2026-02-02 | not yet calculated | CVE-2026-25134 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-v39j-549w-8849 https://github.com/Intermesh/groupoffice/commit/d28490a6a29936db7888aa841ab8ade88800540b |
| RIOT-OS–RIOT | RIOT is an open-source microcontroller operating system, designed to match the requirements of Internet of Things (IoT) devices and other embedded devices. In version 2025.10 and prior, multiple out-of-bounds read allow any unauthenticated user, with ability to send or manipulate input packets, to read adjacent memory locations, or crash a vulnerable device running the 6LoWPAN stack. The received packet is cast into a sixlowpan_sfr_rfrag_t struct and dereferenced without validating the packet is large enough to contain the struct object. At time of publication, no known patch exists. | 2026-02-04 | not yet calculated | CVE-2026-25139 | https://github.com/RIOT-OS/RIOT/security/advisories/GHSA-c8fh-23qr-97mc |
| QwikDev–qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, a Cross-Site Scripting vulnerability in Qwik.js’ server-side rendering virtual attribute serialization allows a remote attacker to inject arbitrary web scripts into server-rendered pages via virtual attributes. Successful exploitation permits script execution in a victim’s browser in the context of the affected origin. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25148 | https://github.com/QwikDev/qwik/security/advisories/GHSA-m6jq-g7gq-5w3c https://github.com/QwikDev/qwik/commit/fe2d9232c0bcec99411d51a00dae29295871d094 |
| QwikDev–qwik | Qwik is a performance focused javascript framework. Prior to version 1.19.0, an Open Redirect vulnerability in Qwik City’s default request handler middleware allows a remote attacker to redirect users to arbitrary protocol-relative URLs. Successful exploitation permits attackers to craft convincing phishing links that appear to originate from the trusted domain but redirect the victim to an attacker-controlled site. This issue has been patched in version 1.19.0. | 2026-02-03 | not yet calculated | CVE-2026-25149 | https://github.com/QwikDev/qwik/security/advisories/GHSA-92j7-wgmg-f32m https://github.com/QwikDev/qwik/commit/9959eab30a3ad9cc03689eaa080fcfbc33df71ed |
| web2py–web2py | web2py versions 2.27.1-stable+timestamp.2023.11.16.08.03.57 and prior contain an open redirect vulnerability. If this vulnerability is exploited, the user may be redirected to an arbitrary website when accessing a specially crafted URL. As a result, the user may become a victim of a phishing attack. | 2026-02-05 | not yet calculated | CVE-2026-25198 | https://github.com/web2py/web2py/commit/b4e1ddbd6d40fb30863f6263a67bcdf411a0c6df https://github.com/web2py/web2py/releases https://web2py.com/ https://jvn.jp/en/jp/JVN46925341/ |
| polarnl–PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, the OAuth 2.0 implementation for GitHub and Google login providers is vulnerable to Login Cross-Site Request Forgery (CSRF). The application fails to implement and verify the state parameter during the authentication flow. This allows an attacker to pre-authenticate a session and trick a victim into logging into the attacker’s account. Any data the victim then enters or academic progress they make is stored on the attacker’s account, leading to data loss for the victim and information disclosure to the attacker. | 2026-02-02 | not yet calculated | CVE-2026-25221 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-fhhm-574m-7rpw https://github.com/polarnl/PolarLearn/commit/44669bbb5b647c7625f22dd82f3121c7d7bfbe19 |
| polarnl–PolarLearn | PolarLearn is a free and open-source learning program. In 0-PRERELEASE-15 and earlier, a timing attack vulnerability in the sign-in process allows unauthenticated attackers to determine if a specific email address is registered on the platform. By measuring the response time of the login endpoint, an attacker can distinguish between valid and invalid email addresses. This occurs because the server only performs the computationally expensive Argon2 password hashing if the user exists in the database. Requests for existing users take significantly longer (~650ms) than requests for non-existent users (~160ms). | 2026-02-02 | not yet calculated | CVE-2026-25222 | https://github.com/polarnl/PolarLearn/security/advisories/GHSA-wcr9-mvr9-4qh5 https://github.com/polarnl/PolarLearn/commit/6c276855172c7310cce0df996cb47ffe0d886741 |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, logic bug in the roadmap role check allows non-lead maintainers to create, update, or delete roadmaps. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25233 | https://github.com/pear/pearweb/security/advisories/GHSA-p92v-9j73-fxx3 |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in category deletion can allow an attacker with access to the category manager workflow to inject SQL via a category id. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25234 | https://github.com/pear/pearweb/security/advisories/GHSA-q28j-3p7r-6722 |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, predictable verification hashes may allow attackers to guess verification tokens and potentially verify election account requests without authorization. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25235 | https://github.com/pear/pearweb/security/advisories/GHSA-477r-4cmw-3cgf |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection risk exists in karma queries due to unsafe literal substitution for an IN (…) list. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25236 | https://github.com/pear/pearweb/security/advisories/GHSA-95mc-p966-c29f |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, use of preg_replace() with the /e modifier in bug update email handling can enable PHP code execution if attacker-controlled content reaches the evaluated replacement. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25237 | https://github.com/pear/pearweb/security/advisories/GHSA-vhw6-hqh9-8r23 |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in bug subscription deletion may allow attackers to inject SQL via a crafted email value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25238 | https://github.com/pear/pearweb/security/advisories/GHSA-cv3c-27h5-7gmv |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability in apidoc queue insertion can allow query manipulation if an attacker can influence the inserted filename value. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25239 | https://github.com/pear/pearweb/security/advisories/GHSA-f9mg-x463-3vxg |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, a SQL injection vulnerability can occur in user::maintains() when role filters are provided as an array and interpolated into an IN (…) clause. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25240 | https://github.com/pear/pearweb/security/advisories/GHSA-xw9g-5gr2-c44f |
| pear–pearweb | PEAR is a framework and distribution system for reusable PHP components. Prior to version 1.33.0, an unauthenticated SQL injection in the /get/<package>/<version> endpoint allows remote attackers to execute arbitrary SQL via a crafted package version. This issue has been patched in version 1.33.0. | 2026-02-03 | not yet calculated | CVE-2026-25241 | https://github.com/pear/pearweb/security/advisories/GHSA-63fv-vpq5-gv8p |
| langroid–langroid | Langroid is a framework for building large-language-model-powered applications. Prior to version 0.59.32, there is a bypass to the fix for CVE-2025-46724. TableChatAgent can call pandas_eval tool to evaluate the expression. There is a WAF in langroid/utils/pandas_utils.py introduced to block code injection CVE-2025-46724. However it can be bypassed due to _literal_ok() returning False instead of raising UnsafeCommandError on invalid input, combined with unrestricted access to dangerous dunder attributes (__init__, __globals__, __builtins__). This allows chaining whitelisted DataFrame methods to leak the eval builtin and execute arbitrary code. This issue has been patched in version 0.59.32. | 2026-02-04 | not yet calculated | CVE-2026-25481 | https://github.com/langroid/langroid/security/advisories/GHSA-x34r-63hx-w57f https://github.com/langroid/langroid/security/advisories/GHSA-jqq5-wc57-f8hj https://github.com/langroid/langroid/commit/30abbc1a854dee22fbd2f8b2f575dfdabdb603ea |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored DOM XSS vulnerability exists in the “Recent Orders” dashboard widget. The Order Status Name is rendered via JavaScript string concatenation without proper escaping, allowing script execution when any admin visits the dashboard. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25482 | https://github.com/craftcms/commerce/security/advisories/GHSA-frj9-9rwc-pw9j https://github.com/craftcms/commerce/commit/d94d1c9832a47a1c383e375ae87c46c13935ba65 https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability exists in Craft Commerce’s Order Status History Message. The message is rendered using the |md filter, which permits raw HTML, enabling malicious script execution. If a user has database backup utility permissions (which do not require an elevated session), an attacker can exfiltrate the entire database, including all user credentials, customer PII, order history, and 2FA recovery codes. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25483 | https://github.com/craftcms/commerce/security/advisories/GHSA-8478-rmjg-mjj5 https://github.com/craftcms/commerce/commit/4665a47c0961aee311a42af2ff94a7c470f0ad8c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, there is a Stored XSS via Product Type names. The name is not sanitized when displayed in user permissions settings. The vulnerable input (source) is in Commerce (Product Type settings), but the sink is in CMS user permissions settings. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25484 | https://github.com/craftcms/commerce/security/advisories/GHSA-2h2m-v2mg-656c https://github.com/craftcms/commerce/commit/7e1dedf06038c8e70dce0187b7048d4ab8ffb75c https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25485 | https://github.com/craftcms/commerce/security/advisories/GHSA-w8gw-qm8p-j9j3 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. From version 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Methods Name field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in version 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25486 | https://github.com/craftcms/commerce/security/advisories/GHSA-g92v-wpv7-6w22 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Rates ‘Name’ field in the Store Management section is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25487 | https://github.com/craftcms/commerce/security/advisories/GHSA-wqc5-485v-3hqh https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Tax Categories (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25488 | https://github.com/craftcms/commerce/security/advisories/GHSA-p6w8-q63m-72c8 https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Name & Description fields in Tax Zones are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25489 | https://github.com/craftcms/commerce/security/advisories/GHSA-v585-mf6r-rqrc https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the ‘Address Line 1’ field in Inventory Locations is not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25490 | https://github.com/craftcms/commerce/security/advisories/GHSA-wq2m-r96q-crrf https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| bpg–terraform-provider-proxmox | Terraform / OpenTofu Provider adds support for Proxmox Virtual Environment. Prior to version 0.93.1, in the SSH configuration documentation, the sudoer line suggested is insecure and can result in escaping the folder using ../, allowing any files on the system to be edited. This issue has been patched in version 0.93.1. | 2026-02-04 | not yet calculated | CVE-2026-25499 | https://github.com/bpg/terraform-provider-proxmox/security/advisories/GHSA-gwch-7m8v-7544 https://github.com/bpg/terraform-provider-proxmox/commit/bd604c41a31e2a55dd6acc01b0608be3ea49c023 |
| Intermesh–groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, an authenticated user within the System Administrator group can trigger a full SSRF via the WOPI service discovery URL, including access to internal hosts/ports. The SSRF response body can be exfiltrated via the built‑in debug system, turning it into a visible SSRF. This also allows full server-side file read. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25511 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-r9v4-jm2r-r9pm https://github.com/Intermesh/groupoffice/commit/5ac199dce758e1ce0d1cdb6905df5da3c2af42b3 |
| Intermesh–groupoffice | Group-Office is an enterprise customer relationship management and groupware tool. Prior to versions 6.8.150, 25.0.82, and 26.0.5, there is a remote code execution (RCE) vulnerability in Group-Office. The endpoint email/message/tnefAttachmentFromTempFile directly concatenates the user-controlled parameter tmp_file into an exec() call. By injecting shell metacharacters into tmp_file, an authenticated attacker can execute arbitrary system commands on the server. This issue has been patched in versions 6.8.150, 25.0.82, and 26.0.5. | 2026-02-04 | not yet calculated | CVE-2026-25512 | https://github.com/Intermesh/groupoffice/security/advisories/GHSA-579w-jvg7-frr4 http://github.com/Intermesh/groupoffice/commit/6c612deca97a6cd2a1bd4feea0ce7e8e9d907792 |
| NeoRazorX–facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the REST API that allows authenticated API users to execute arbitrary SQL queries through the sort parameter. The vulnerability exists in the ModelClass::getOrderBy() method where user-supplied sorting parameters are directly concatenated into the SQL ORDER BY clause without validation or sanitization. This affects all API endpoints that support sorting functionality. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25513 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-cjfx-qhwm-hf99 https://github.com/NeoRazorX/facturascripts/commit/1b6cdfa9ee1bb3365ea4a4ad753452035a027605 |
| NeoRazorX–facturascripts | FacturaScripts is open-source enterprise resource planning and accounting software. Prior to version 2025.81, FacturaScripts contains a critical SQL injection vulnerability in the autocomplete functionality that allows authenticated attackers to extract sensitive data from the database including user credentials, configuration settings, and all stored business data. The vulnerability exists in the CodeModel::all() method where user-supplied parameters are directly concatenated into SQL queries without sanitization or parameterized binding. This issue has been patched in version 2025.81. | 2026-02-04 | not yet calculated | CVE-2026-25514 | https://github.com/NeoRazorX/facturascripts/security/advisories/GHSA-pqqg-5f4f-8952 https://github.com/NeoRazorX/facturascripts/commit/5c070f82665b98efd2f914a4769c6dc9415f5b0f |
| wagtail–wagtail | Wagtail is an open source content management system built on Django. Prior to versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3, due to a missing permission check on the preview endpoints, a user with access to the Wagtail admin and knowledge of a model’s fields can craft a form submission to obtain a preview rendering of any page, snippet or site setting object for which previews are enabled, consisting of any data of the user’s choosing. The existing data of the object itself is not exposed, but depending on the nature of the template being rendered, this may expose other database contents that would otherwise only be accessible to users with edit access over the model. The vulnerability is not exploitable by an ordinary site visitor without access to the Wagtail admin. This issue has been patched in versions 6.3.6, 7.0.4, 7.1.3, 7.2.2, and 7.3. | 2026-02-04 | not yet calculated | CVE-2026-25517 | https://github.com/wagtail/wagtail/security/advisories/GHSA-4qvv-g3vr-m348 https://github.com/wagtail/wagtail/commit/01fd3477365a193e6a8270311defb76e890d2719 https://github.com/wagtail/wagtail/commit/5f09b6da61e779b0e8499bdbba52bf2f7bd3241f https://github.com/wagtail/wagtail/commit/73f070dbefbd3b39ea6649ce36bd2d2a6eef2190 https://github.com/wagtail/wagtail/commit/7dfe8de5f8b3f112c73c87b6729197db16454915 https://github.com/wagtail/wagtail/commit/dd824023a031f1b82a6b6f83a97a5c73391b7c03 |
| locutusjs–locutus | Locutus brings stdlibs of other programming languages to JavaScript for educational purposes. In versions from 2.0.12 to before 2.0.39, a prototype pollution vulnerability exists in locutus. Despite a previous fix that attempted to mitigate prototype pollution by checking whether user input contained a forbidden key, it is still possible to pollute Object.prototype via a crafted input using String.prototype. This issue has been patched in version 2.0.39. | 2026-02-04 | not yet calculated | CVE-2026-25521 | https://github.com/locutusjs/locutus/security/advisories/GHSA-rxrv-835q-v5mh https://github.com/locutusjs/locutus/commit/042af9ca7fde2ff599120783e720a17f335bb01c |
| craftcms–commerce | Craft Commerce is an ecommerce platform for Craft CMS. In versions from 4.0.0-RC1 to 4.10.0 and from 5.0.0 to 5.5.1, a stored XSS vulnerability in Craft Commerce allows attackers to execute malicious JavaScript in an administrator’s browser. This occurs because the Shipping Zone (Name & Description) fields in the Store Management section are not properly sanitized before being displayed in the admin panel. This issue has been patched in versions 4.10.1 and 5.5.2. | 2026-02-03 | not yet calculated | CVE-2026-25522 | https://github.com/craftcms/commerce/security/advisories/GHSA-h9r9-2pxg-cx9m https://github.com/craftcms/commerce/commit/fa273330807807d05b564d37c88654cd772839ee https://github.com/craftcms/commerce/releases/tag/4.10.1 https://github.com/craftcms/commerce/releases/tag/5.5.2 |
| agentfront–enclave | Enclave is a secure JavaScript sandbox designed for safe AI agent code execution. Prior to 2.10.1, the existing layers of security in enclave-vm are insufficient: The AST sanitization can be bypassed with dynamic property accesses, the hardening of the error objects does not cover the peculiar behavior or the vm module and the function constructor access prevention can be side-stepped by leveraging host object references. This vulnerability is fixed in 2.10.1. | 2026-02-06 | not yet calculated | CVE-2026-25533 | https://github.com/agentfront/enclave/security/advisories/GHSA-x39w-8vm5-5m3p https://github.com/agentfront/enclave/commit/2fcf5da81e7e2578ede6f94cae4f379165426dca https://www.staicu.org/publications/usenixSec2023-SandDriller.pdf |
| Keats–jsonwebtoken | jsonwebtoken is a JWT lib in rust. Prior to version 10.3.0, there is a Type Confusion vulnerability in jsonwebtoken, specifically, in its claim validation logic. When a standard claim (such as nbf or exp) is provided with an incorrect JSON type (Like a String instead of a Number), the library’s internal parsing mechanism marks the claim as “FailedToParse”. Crucially, the validation logic treats this “FailedToParse” state identically to “NotPresent”. This means that if a check is enabled (like: validate_nbf = true), but the claim is not explicitly marked as required in required_spec_claims, the library will skip the validation check entirely for the malformed claim, treating it as if it were not there. This allows attackers to bypass critical time-based security restrictions (like “Not Before” checks) and commit potential authentication and authorization bypasses. This issue has been patched in version 10.3.0. | 2026-02-04 | not yet calculated | CVE-2026-25537 | https://github.com/Keats/jsonwebtoken/security/advisories/GHSA-h395-gr6q-cpjc https://github.com/Keats/jsonwebtoken/commit/abbc3076742c4161347bc6b8bf4aa5eb86e1dc01 |
| devtron-labs–devtron | Devtron is an open source tool integration platform for Kubernetes. In version 2.0.0 and prior, a vulnerability exists in Devtron’s Attributes API interface, allowing any authenticated user (including low-privileged CI/CD Developers) to obtain the global API Token signing key by accessing the /orchestrator/attributes?key=apiTokenSecret endpoint. After obtaining the key, attackers can forge JWT tokens for arbitrary user identities offline, thereby gaining complete control over the Devtron platform and laterally moving to the underlying Kubernetes cluster. This issue has been patched via commit d2b0d26. | 2026-02-04 | not yet calculated | CVE-2026-25538 | https://github.com/devtron-labs/devtron/security/advisories/GHSA-8wpc-j9q9-j5m2 https://github.com/devtron-labs/devtron/commit/d2b0d260d858ab1354b73a8f50f7f078ca62706f |
| tokio-rs–bytes | Bytes is a utility library for working with bytes. From version 1.2.1 to before 1.11.1, Bytes is vulnerable to integer overflow in BytesMut::reserve. In the unique reclaim path of BytesMut::reserve, if the condition “v_capacity >= new_cap + offset” uses an unchecked addition. When new_cap + offset overflows usize in release builds, this condition may incorrectly pass, causing self.cap to be set to a value that exceeds the actual allocated capacity. Subsequent APIs such as spare_capacity_mut() then trust this corrupted cap value and may create out-of-bounds slices, leading to UB. This behavior is observable in release builds (integer overflow wraps), whereas debug builds panic due to overflow checks. This issue has been patched in version 1.11.1. | 2026-02-04 | not yet calculated | CVE-2026-25541 | https://github.com/tokio-rs/bytes/security/advisories/GHSA-434x-w66g-qw3r https://github.com/tokio-rs/bytes/commit/d0293b0e35838123c51ca5dfdf468ecafee4398f https://github.com/tokio-rs/bytes/releases/tag/v1.11.1 https://rustsec.org/advisories/RUSTSEC-2026-0007.html |
| mganss–HtmlSanitizer | HtmlSanitizer is a .NET library for cleaning HTML fragments and documents from constructs that can lead to XSS attacks. Prior to versions 9.0.892 and 9.1.893-beta, if the template tag is allowed, its contents are not sanitized. The template tag is a special tag that does not usually render its contents, unless the shadowrootmode attribute is set to open or closed. This issue has been patched in versions 9.0.892 and 9.1.893-beta. | 2026-02-04 | not yet calculated | CVE-2026-25543 | https://github.com/mganss/HtmlSanitizer/security/advisories/GHSA-j92c-7v7g-gj3f https://github.com/mganss/HtmlSanitizer/commit/0ac53dca30ddad963f2b243669a5066933d82b81 https://www.nuget.org/packages/HtmlSanitizer/9.0.892 https://www.nuget.org/packages/HtmlSanitizer/9.1.893-beta |
| isaacs–brace-expansion | @isaacs/brace-expansion is a hybrid CJS/ESM TypeScript fork of brace-expansion. Prior to version 5.0.1, @isaacs/brace-expansion is vulnerable to a denial of service (DoS) issue caused by unbounded brace range expansion. When an attacker provides a pattern containing repeated numeric brace ranges, the library attempts to eagerly generate every possible combination synchronously. Because the expansion grows exponentially, even a small input can consume excessive CPU and memory and may crash the Node.js process. This issue has been patched in version 5.0.1. | 2026-02-04 | not yet calculated | CVE-2026-25547 | https://github.com/isaacs/brace-expansion/security/advisories/GHSA-7h2j-956f-4vf2 |
| Artifex Software–MuPDF | MuPDF versions 1.23.0 through 1.27.0 contain a double-free vulnerability in fz_fill_pixmap_from_display_list() when an exception occurs during display list rendering. The function accepts a caller-owned fz_pixmap pointer but incorrectly drops the pixmap in its error handling path before rethrowing the exception. Callers (including the barcode decoding path in fz_decode_barcode_from_display_list) also drop the same pixmap in cleanup, resulting in a double-free that can corrupt the heap and crash the process. This issue affects applications that enable and use MuPDF barcode decoding and can be triggered by processing crafted input that causes a rendering-time error while decoding barcodes. | 2026-02-06 | not yet calculated | CVE-2026-25556 | https://bugs.ghostscript.com/show_bug.cgi?id=709029 https://cgit.ghostscript.com/cgi-bin/cgit.cgi/mupdf.git/commit/?id=d4743b6092d513321c23c6f7fe5cff87cde043c1 https://mupdf.com/ https://www.vulncheck.com/advisories/mupdf-barcode-decoding-double-free |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication. | 2026-02-07 | not yet calculated | CVE-2026-25560 | https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an authorization weakness in the attachment upload API. The API does not fully validate that provided identifiers (such as boardId, cardId, swimlaneId, and listId) are consistent and refer to a coherent card/board relationship, enabling attempts to upload attachments with mismatched object relationships. | 2026-02-07 | not yet calculated | CVE-2026-25561 | https://github.com/wekan/wekan/commit/1d16955b6d4f0a0282e89c2c1b0415c7597019b8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachment-upload-object-relationship-validation-bypass |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an information disclosure vulnerability in the attachments publication. Attachment metadata can be returned without properly scoping results to boards and cards accessible to the requesting user, potentially exposing attachment metadata to unauthorized users. | 2026-02-07 | not yet calculated | CVE-2026-25562 | https://github.com/wekan/wekan/commit/6dfa3beb2b6ab23438d0f4395b84bf0749eb4820 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-attachments-publication-information-disclosure |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25563 | https://github.com/wekan/wekan/commit/5cd875813fdec5a3c40a0358b30a347967c85c14 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-creation-cross-board-idor |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in checklist creation and related checklist routes. The implementation does not verify that the supplied cardId belongs to the supplied boardId, allowing cross-board ID tampering by manipulating identifiers. | 2026-02-07 | not yet calculated | CVE-2026-25564 | https://github.com/wekan/wekan/commit/08a6f084eba09487743a7c807fb4a9000fcfa9ac https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-checklist-deletion-idor-via-missing-relationship-validation |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability where certain card update API paths validate only board read access rather than requiring write permission. This can allow users with read-only roles to perform card updates that should require write access. | 2026-02-07 | not yet calculated | CVE-2026-25565 | https://github.com/wekan/wekan/commit/181f837d8cbae96bdf9dcbd31beaa3653c2c0285 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-read-only-board-roles-can-update-cards |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an authorization vulnerability in card move logic. A user can specify a destination board/list/swimlane without adequate authorization checks for the destination and without validating that destination objects belong to the destination board, potentially enabling unauthorized cross-board moves. | 2026-02-07 | not yet calculated | CVE-2026-25566 | https://github.com/wekan/wekan/commit/198509e7600981400353aec6259247b3c04e043e https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-cross-board-card-move-without-destination-authorization |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an insecure direct object reference (IDOR) in the card comment creation API. The endpoint accepts an authorId from the request body, allowing an authenticated user to spoof the recorded comment author by supplying another user’s identifier. | 2026-02-07 | not yet calculated | CVE-2026-25567 | https://github.com/wekan/wekan/commit/67cb47173c1a152d9eaf5469740992b2dacdf62d https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-card-comment-author-spoofing-via-user-controlled-authorid |
| WeKan–WeKan | WeKan versions prior to 8.19 contain an authorization logic vulnerability where the instance configuration setting allowPrivateOnly is not sufficiently enforced at board creation time. When allowPrivateOnly is enabled, users can still create public boards due to incomplete server-side enforcement. | 2026-02-07 | not yet calculated | CVE-2026-25568 | https://github.com/wekan/wekan/commit/7ed76c180ede46ab1dac6b8ad27e9128a272c2c8 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-allowprivateonly-setting-enforcement-bypass |
| TUM-Dev–NavigaTUM | NavigaTUM is a website and API to search for rooms, buildings and other places. Prior to commit 86f34c7, there is a path traversal vulnerability in the propose_edits endpoint allows unauthenticated users to overwrite files in directories writable by the application user (e.g., /cdn). By supplying unsanitized file keys containing traversal sequences (e.g., ../../) in the JSON payload, an attacker can escape the intended temporary directory and replace public facing images or fill the server’s storage. This issue has been patched via commit 86f34c7. | 2026-02-04 | not yet calculated | CVE-2026-25575 | https://github.com/TUM-Dev/NavigaTUM/security/advisories/GHSA-59hj-f48w-hjfm https://github.com/TUM-Dev/NavigaTUM/pull/2650 https://github.com/TUM-Dev/NavigaTUM/commit/86f34c72886a59ec8f1e6c00f78a5ab889a70fd0 |
| navidrome–navidrome | Navidrome is an open source web-based music collection server and streamer. Prior to version 0.60.0, authenticated users can crash the Navidrome server by supplying an excessively large size parameter to /rest/getCoverArt or to a shared-image URL (/share/img/<token>). When processing such requests, the server attempts to create an extremely large resized image, causing uncontrolled memory growth. This triggers the Linux OOM killer, terminates the Navidrome process, and results in a full service outage. If the system has sufficient memory and survives the allocation, Navidrome then writes these extremely large resized images into its cache directory, allowing an attacker to rapidly exhaust server disk space as well. This issue has been patched in version 0.60.0. | 2026-02-04 | not yet calculated | CVE-2026-25579 | https://github.com/navidrome/navidrome/security/advisories/GHSA-hrr4-3wgr-68×3 https://github.com/navidrome/navidrome/releases/tag/v0.60.0 |
| n8n-io–n8n | n8n is an open source workflow automation platform. Prior to 1.121.0, there is a vulnerability in the HTTP Request node’s credential domain validation allowed an authenticated attacker to send requests with credentials to unintended domains, potentially leading to credential exfiltration. This only might affect user who have credentials that use wildcard domain patterns (e.g., *.example.com) in the “Allowed domains” setting. This issue is fixed in version 1.121.0 and later. | 2026-02-06 | not yet calculated | CVE-2026-25631 | https://github.com/n8n-io/n8n/security/advisories/GHSA-2xcx-75h9-vr9h |
| smn2gnt–MCP-Salesforce | MCP Salesforce Connector is a Model Context Protocol (MCP) server implementation for Salesforce integration. Prior to 0.1.10, arbitrary attribute access leads to disclosure of Salesforce auth token. This vulnerability is fixed in 0.1.10. | 2026-02-06 | not yet calculated | CVE-2026-25650 | https://github.com/smn2gnt/MCP-Salesforce/security/advisories/GHSA-vf6j-c56p-cq58 https://github.com/smn2gnt/MCP-Salesforce/commit/a1e3a5a786f48508d066b6d40b58201ebf9b7fd6 https://github.com/smn2gnt/MCP-Salesforce/releases/tag/v0.1.10 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.57, Claude Code failed to properly validate directory changes when combined with write operations to protected folders. By using the cd command to navigate into sensitive directories like .claude, it was possible to bypass write protection and create or modify files without user confirmation. Reliably exploiting this required the ability to add untrusted content into a Claude Code context window. This issue has been patched in version 2.0.57. | 2026-02-06 | not yet calculated | CVE-2026-25722 | https://github.com/anthropics/claude-code/security/advisories/GHSA-66q4-vfjg-2qhh |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.0.55, Claude Code failed to properly validate commands using piped sed operations with the echo command, allowing attackers to bypass file write restrictions. This vulnerability enabled writing to sensitive directories like the .claude folder and paths outside the project scope. Exploiting this required the ability to execute commands through Claude Code with the “accept edits” feature enabled. This issue has been patched in version 2.0.55. | 2026-02-06 | not yet calculated | CVE-2026-25723 | https://github.com/anthropics/claude-code/security/advisories/GHSA-mhg7-666j-cqg4 |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.7, Claude Code failed to strictly enforce deny rules configured in settings.json when accessing files through symbolic links. If a user explicitly denied Claude Code access to a file (such as /etc/passwd) and Claude Code had access to a symbolic link pointing to that file, it was possible for Claude Code to read the restricted file through the symlink without triggering deny rule enforcement. This issue has been patched in version 2.1.7. | 2026-02-06 | not yet calculated | CVE-2026-25724 | https://github.com/anthropics/claude-code/security/advisories/GHSA-4q92-rfm6-2cqx |
| anthropics–claude-code | Claude Code is an agentic coding tool. Prior to version 2.1.2, Claude Code’s bubblewrap sandboxing mechanism failed to properly protect the .claude/settings.json configuration file when it did not exist at startup. While the parent directory was mounted as writable and .claude/settings.local.json was explicitly protected with read-only constraints, settings.json was not protected if it was missing. This allowed malicious code running inside the sandbox to create this file and inject persistent hooks (such as SessionStart commands) that would execute with host privileges when Claude Code was restarted. This issue has been patched in version 2.1.2. | 2026-02-06 | not yet calculated | CVE-2026-25725 | https://github.com/anthropics/claude-code/security/advisories/GHSA-ff64-7w26-62rf |
| time-rs–time | time provides date and time handling in Rust. From 0.3.6 to before 0.3.47, when user-provided input is provided to any type that parses with the RFC 2822 format, a denial of service attack via stack exhaustion is possible. The attack relies on formally deprecated and rarely-used features that are part of the RFC 2822 format used in a malicious manner. Ordinary, non-malicious input will never encounter this scenario. A limit to the depth of recursion was added in v0.3.47. From this version, an error will be returned rather than exhausting the stack. | 2026-02-06 | not yet calculated | CVE-2026-25727 | https://github.com/time-rs/time/security/advisories/GHSA-r6v5-fh4h-64xc https://github.com/time-rs/time/commit/1c63dc7985b8fa26bd8c689423cc56b7a03841ee https://github.com/time-rs/time/blob/main/CHANGELOG.md#0347-2026-02-05 https://github.com/time-rs/time/releases/tag/v0.3.47 |
| lintsinghua–DeepAudit | DeepAudit is a multi-agent system for code vulnerability discovery. In 3.0.4 and earlier, there is an improper access control vulnerability in the /api/v1/users/ endpoint allows any authenticated user to enumerate all users in the system and retrieve sensitive information including email addresses, phone numbers, full names, and role information. | 2026-02-06 | not yet calculated | CVE-2026-25729 | https://github.com/lintsinghua/DeepAudit/security/advisories/GHSA-vmmm-48w2-q56q https://github.com/lintsinghua/DeepAudit/commit/b2a3b26579d3fdbab5236ae12ed67ae2313175fd |
| frangoteam–FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An information disclosure vulnerability in FUXA allows an unauthenticated, remote attacker to retrieve sensitive administrative database credentials. Exploitation allows an unauthenticated, remote attacker to obtain the full system configuration, including administrative credentials for the InfluxDB database. Possession of these credentials may allow an attacker to authenticate directly to the database service, enabling them to read, modify, or delete all historical process data, or perform a Denial of Service by corrupting the database. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25751 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-c5gq-4h56-4mmx https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| frangoteam–FUXA | FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. An authorization bypass vulnerability in FUXA allows an unauthenticated, remote attacker to modify device tags via WebSockets. Exploitation allows an unauthenticated, remote attacker to bypass role-based access controls and overwrite arbitrary device tags or disable communication drivers, exposing connected ICS/SCADA environments to follow-on actions. This may allow an attacker to manipulate physical processes and disconnected devices from the HMI. This affects FUXA through version 1.2.9. This issue has been patched in FUXA version 1.2.10. | 2026-02-06 | not yet calculated | CVE-2026-25752 | https://github.com/frangoteam/FUXA/security/advisories/GHSA-ggxw-g3cp-mgf8 https://github.com/frangoteam/FUXA/releases/tag/v1.2.10 |
| Praskla-Technology–assessment-placipy | PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application uses a hard-coded, static default password for all newly created student accounts. This results in mass account takeover, allowing any attacker to log in as any student once the password is known. | 2026-02-06 | not yet calculated | CVE-2026-25753 | https://github.com/Praskla-Technology/assessment-placipy/security/advisories/GHSA-6537-cf56-j9w2 |
| spree–spree | Spree is an open source e-commerce solution built with Ruby on Rails. Prior to versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2, unauthenticated users can view completed guest orders by Order ID. This issue may lead to disclosure of PII of guest users (including names, addresses and phone numbers). This issue has been patched in versions 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25757 | https://github.com/spree/spree/security/advisories/GHSA-p6pv-q7rc-g4h9 https://github.com/spree/spree/commit/3e00be64c128ef4bd4b99731f0c3ab469509cfab https://github.com/spree/spree/commit/6b32ed7d474aa55fa441990e6aa39740152aa1be https://github.com/spree/spree/commit/6f6b8a7a28a8bff24a6e20eab04b4bbbdf39384d https://github.com/spree/spree/commit/ea4a5db590ca753dbc986f2a4e818d9e0edfb1ad https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L14 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/storefront/app/controllers/spree/orders_controller.rb#L51C1-L55C8 https://github.com/spree/spree/blob/a878eb4a782ce0445d218ea86fb12075b0e3d7cc/core/lib/spree/core/number_generator.rb#L45 |
| spree–spree | Spree is an open source e-commerce solution built with Ruby on Rails. A critical IDOR vulnerability exists in Spree Commerce’s guest checkout flow that allows any guest user to bind arbitrary guest addresses to their order by manipulating address ID parameters. This enables unauthorized access to other guests’ personally identifiable information (PII) including names, addresses and phone numbers. The vulnerability bypasses existing ownership validation checks and affects all guest checkout transactions. This vulnerability is fixed in 4.10.3, 5.0.8, 5.1.10, 5.2.7, and 5.3.2. | 2026-02-06 | not yet calculated | CVE-2026-25758 | https://github.com/spree/spree/security/advisories/GHSA-87fh-rc96-6fr6 https://github.com/spree/spree/commit/15619618e43b367617ec8d2d4aafc5e54fa7b734 https://github.com/spree/spree/commit/29282d1565ba4f7bc2bbc47d550e2c0c6d0ae59f https://github.com/spree/spree/commit/6650f96356faa0d16c05bcb516f1ffd5641741b8 https://github.com/spree/spree/commit/902d301ac83fd2047db1b9a3a99545162860f748 https://github.com/spree/spree/commit/ff7cfcfcfe0c40c60d03317e1d0ee361c6a6b054 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/address_book.rb#L16-L38 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/models/spree/order/checkout.rb#L241-L254 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/app/services/spree/checkout/update.rb#L33-L48 https://github.com/spree/spree/blob/1341623f2ae92685cdbe232885bf5808fc8f9ca8/core/lib/spree/permitted_attributes.rb#L92-L96 |
| opf–openproject | OpenProject is an open-source, web-based project management software. Prior to versions 16.6.7 and 17.0.3, an arbitrary file write vulnerability exists in OpenProject’s repository changes endpoint (/projects/:project_id/repository/changes) when rendering the “latest changes” view via git log. By supplying a specially crafted rev value (for example, rev=–output=/tmp/poc.txt), an attacker can inject git log command-line options. When OpenProject executes the SCM command, Git interprets the attacker-controlled rev as an option and writes the output to an attacker-chosen path. As a result, any user with the :browse_repository permission on the project can create or overwrite arbitrary files that the OpenProject process user is permitted to write. The written contents consist of git log output, but by crafting custom commits the attacker can still upload valid shell scripts, ultimately leading to RCE. The RCE lets the attacker create a reverse shell to the target host and view confidential files outside of OpenProject, such as /etc/passwd. This issue has been patched in versions 16.6.7 and 17.0.3. | 2026-02-06 | not yet calculated | CVE-2026-25763 | https://github.com/opf/openproject/security/advisories/GHSA-x37c-hcg5-r5m7 https://github.com/opf/openproject/releases/tag/v16.6.7 https://github.com/opf/openproject/releases/tag/v17.0.3 |
| slackhq–nebula | Nebula is a scalable overlay networking tool. In versions from 1.7.0 to 1.10.2, when using P256 certificates (which is not the default configuration), it is possible to evade a blocklist entry created against the fingerprint of a certificate by using ECDSA Signature Malleability to use a copy of the certificate with a different fingerprint. This issue has been patched in version 1.10.3. | 2026-02-06 | not yet calculated | CVE-2026-25793 | https://github.com/slackhq/nebula/security/advisories/GHSA-69×3-g4r3-p962 https://github.com/slackhq/nebula/commit/f573e8a26695278f9d71587390fbfe0d0933aa21 |
| antrea-io–antrea | Antrea is a Kubernetes networking solution intended to be Kubernetes native. Prior to versions 2.3.2 and 2.4.3, Antrea’s network policy priority assignment system has a uint16 arithmetic overflow bug that causes incorrect OpenFlow priority calculations when handling a large numbers of policies with various priority values. This results in potentially incorrect traffic enforcement. This issue has been patched in versions 2.4.3. | 2026-02-06 | not yet calculated | CVE-2026-25804 | https://github.com/antrea-io/antrea/security/advisories/GHSA-86×4-wp9f-wrr9 https://github.com/antrea-io/antrea/pull/7496 https://github.com/antrea-io/antrea/commit/86c4b6010f3be536866f339b632621c23d7186fa |
| Shenzhen Tenda Technology–Tenda G300-F | Tenda G300-F router firmware versio 16.01.14.2 and prior contain an OS command injection vulnerability in the WAN diagnostic functionality (formSetWanDiag). The implementation constructs a shell command that invokes curl and incorporates attacker-controlled input into the command line without adequate neutralization. As a result, a remote attacker with access to the affected management interface can inject additional shell syntax and execute arbitrary commands on the device with the privileges of the management process. | 2026-02-07 | not yet calculated | CVE-2026-25857 | https://blog.evan.lat/blog/cve-2026-25857/ https://www.tendacn.com/material/show/736333682028613 https://www.vulncheck.com/advisories/tenda-g300-f-command-injection-via-formsetwandiag |
| macrozheng–mall | macrozheng mall version 1.0.3 and prior contains an authentication vulnerability in the mall-portal password reset workflow that allows an unauthenticated attacker to reset arbitrary user account passwords using only a victim’s telephone number. The password reset flow exposes the one-time password (OTP) directly in the API response and validates password reset requests solely by comparing the provided OTP to a value stored by telephone number, without verifying user identity or ownership of the telephone number. This enables remote account takeover of any user with a known or guessable telephone number. | 2026-02-07 | not yet calculated | CVE-2026-25858 | https://github.com/macrozheng/mall/issues/946 https://www.macrozheng.com/ https://www.vulncheck.com/advisories/macrozheng-mall-unauthenticated-password-reset-via-otp-disclosure |
| WeKan–WeKan | Wekan versions prior to 8.20 allow non-administrative users to access migration functionality due to insufficient permission checks, potentially resulting in unauthorized migration operations. | 2026-02-07 | not yet calculated | CVE-2026-25859 | https://github.com/wekan/wekan/commit/cbb1cd78de3e40264a5e047ace0ce27f8635b4e6 https://wekan.fi/ https://www.vulncheck.com/advisories/wekan-migration-functionality-insufficient-permission-checks |