High Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a–OVMS3 3.3.005 | Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames. | 2026-05-01 | 10 | CVE-2026-37541 | https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| tendacn[.]com–W308R | Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25316 | ExploitDB-44373 VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change |
| tendacn[.]com–W3002R | Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers. | 2026-04-29 | 9.8 | CVE-2018-25317 | ExploitDB-44380 VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change |
| tendacn[.]com–FH303/A300 | Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites. | 2026-04-29 | 9.8 | CVE-2018-25318 | ExploitDB-44381 VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change |
| Weaver Network Co., Ltd.–E-office | Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC). | 2026-04-30 | 9.8 | CVE-2022-50993 | https://service.e-office.cn/knowledge/detail/5 https://cn-sec.com/archives/1453025.html https://bbs.chaitin.cn/topic/37 https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| synway[.]net–SMG Gateway Management | Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC). | 2026-04-30 | 9.8 | CVE-2025-71284 | https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml https://mrxn.net/jswz/synway-9-2radius-rce.html https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA https://www.synway.net/ https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address |
| Directorist Booking–Directorist Booking | Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) vulnerability in Directorist Booking allows SQL Injection. This issue affects Directorist Booking: from n/a before 3.0.2. | 2026-04-27 | 9.3 | CVE-2026-22336 | https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve |
| Directorist–Directorist Social Login | Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: from n/a before 2.1.4. | 2026-04-27 | 9.8 | CVE-2026-22337 | https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve |
| Milesight–MS-Cxx63-PD | Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys. | 2026-04-27 | 9.8 | CVE-2026-32644 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| n/a–Automotive Grade Linux (AGL) | AGL app-framework-main thru 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside it via path traversal persist permanently. | 2026-05-01 | 9.8 | CVE-2026-37531 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-main https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a–cannelloni v2.0.0 | Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame, allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames. | 2026-05-01 | 9.8 | CVE-2026-37539 | https://github.com/mguentner/cannelloni https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| Carlson Software–VASCO-B GNSS Receiver | The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials. | 2026-04-28 | 9.4 | CVE-2026-3893 | https://www.carlsonsw.com/support-and-training/ https://www.cve.org/CVERecord?id=CVE-2026-3893 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json |
| Mersenne–Prime95 | Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Attackers can inject malicious payload through the optional proxy hostname field in the PrimeNet connection settings to trigger the overflow and execute system commands. | 2026-04-29 | 8.4 | CVE-2018-25299 | ExploitDB-44649 Official Product Homepage Product Reference VulnCheck Advisory: Prime95 29.4b8 Local Buffer Overflow via SEH |
| xataboost–XATABoost CMS | XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information. | 2026-04-29 | 8.2 | CVE-2018-25300 | ExploitDB-44622 Official Product Homepage VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php |
| Easy MPEG–Easy MPEG to DVD Burner | Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string. Attackers can craft a payload containing junk data, SEH chain pointers, and shellcode that overwrites the SEH handler to redirect execution and run arbitrary commands like opening calc.exe. | 2026-04-29 | 8.4 | CVE-2018-25301 | ExploitDB-44565 Product Reference VulnCheck Advisory: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow |
| Alloksoft–Allok Video to DVD Burner | Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input string with 780 bytes of junk data followed by SEH chain pointers and shellcode, then paste it into the License Name field during registration to achieve code execution. | 2026-04-29 | 8.4 | CVE-2018-25303 | ExploitDB-44518 Official Product Homepage VulnCheck Advisory: Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH |
| Filehippo–Free Download Manager | Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File > Import > Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code. | 2026-04-29 | 8.4 | CVE-2018-25304 | ExploitDB-44499 Product Reference VulnCheck Advisory: Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH |
| Sysgauge–SysGauge Pro | SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock key. Attackers can inject shellcode through the Unlock Key field during registration to execute arbitrary code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25307 | ExploitDB-44455 VulnCheck Advisory: SysGauge Pro 4.6.12 Local Buffer Overflow SEH |
| donmik–Buddypress Xprofile Custom Fields Type | BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server. | 2026-04-29 | 8.8 | CVE-2018-25308 | ExploitDB-44432 Official Product Homepage VulnCheck Advisory: BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution |
| Alloksoft–WMV to AVI MPEG DVD WMV Converter | Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious input containing shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges. | 2026-04-29 | 8.4 | CVE-2018-25314 | ExploitDB-44365 Official Product Homepage Product Reference VulnCheck Advisory: Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 Buffer Overflow |
| Alloksoft–Video Joiner | Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with structured exception handler (SEH) overwrite and shellcode to achieve code execution when the application processes the license registration input. | 2026-04-29 | 8.4 | CVE-2018-25315 | ExploitDB-44364 Official Product Homepage Product Reference VulnCheck Advisory: Alloksoft Video joiner 4.6.1217 Buffer Overflow via License Name |
| marketingfire–Widget Options Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets | The Widget Options – Advanced Conditional Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0. | 2026-05-02 | 8.8 | CVE-2026-2052 | https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534 https://plugins.trac.wordpress.org/changeset/3481338/ https://plugins.trac.wordpress.org/changeset/3514411/ |
| Milesight–MS-Cxx63-PD | An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras. | 2026-04-27 | 8.8 | CVE-2026-20766 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| wclovers–WCFM Frontend Manager for WooCommerce | The WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the ‘wcfm_delete_wcfm_customer’ due to missing validation on the ‘customerid’ user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators. | 2026-05-02 | 8.1 | CVE-2026-2554 | https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386 https://plugins.trac.wordpress.org/changeset/3483695/ |
| opencats–OpenCATS | OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete. | 2026-04-28 | 8.1 | CVE-2026-27760 | https://chocapikk.com/posts/2026/opencats-installer-rce/ https://github.com/opencats/OpenCATS/pull/706 https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6 https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172 https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130 https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint |
| Milesight–MS-Cxx63-PD | Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials. | 2026-04-27 | 8.8 | CVE-2026-27785 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| Cockpit–Cockpit CMS | Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server. | 2026-04-29 | 8.8 | CVE-2026-34965 | https://github.com/agentejo/cockpit https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90 https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9 https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections |
| n/a–(UDS) & OBD-II (On Board Diagnostics for Vehicles) | miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives memcpy at offset 1+pid_length with payload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds buffer by 4 bytes. No bounds check on payload_length before memcpy. | 2026-05-01 | 8.8 | CVE-2026-37536 | https://github.com/miaofng/uds-c https://github.com/openxc/uds-c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a–Open-SAE-J1939 (Daniel Martensson) | collin80/Open-SAE-J1939 thru commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: `uint8_t index = data[0] - 1`. When data[0] (sequence number from CAN frame) is 0, index underflows to 255. Subsequent write at `tp_dt->data[255*7 + i-1]` reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes. | 2026-05-01 | 8.1 | CVE-2026-37537 | https://github.com/DanielMartensson/Open-SAE-J1939 https://github.com/collin80/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| openampproject[.]org–OpenAMP v2025.10.0 | OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value. | 2026-05-01 | 8.4 | CVE-2026-37540 | https://github.com/OpenAMP/open-amp https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a–MixPHP Framework 2.x | Unsafe deserialization vulnerability in MixPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to `Opis\Closure\unserialize()`, then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution. | 2026-05-01 | 8.4 | CVE-2026-37552 | https://github.com/mix-php/mix https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975 |
| benjaminprojas–WP Editor | The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the ‘add_plugins_page’ and ‘add_themes_page’ functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, granted they can trick a site administrator into performing an action such as clicking a link. | 2026-05-01 | 8.8 | CVE-2026-3772 | https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60 https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103 https://plugins.trac.wordpress.org/changeset/3480577/ |
| chartbrew–chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0. | 2026-04-30 | 8.1 | CVE-2026-40600 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| TRENDnet–TEW-821DAP | A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Update. The manipulation of the argument str leads to buffer overflow. The attack may be initiated remotely. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 8.8 | CVE-2026-7607 | VDB-360564: TRENDnet TEW-821DAP Firmware Update auto_update_firmware buffer overflow; VDB-360564: CTI Indicators (IOB, IOC, IOA); Submit #806214: Trendnet TEW-821DAP v1.12B01 CWE-120 Buffer Copy without Checking Size of Input; https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md |
| carazo–Import and export users and customers | The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the ‘Show fields in profile?’ option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page. | 2026-05-02 | 8.8 | CVE-2026-7641 | https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21 https://plugins.trac.wordpress.org/changeset/3515646 |
| Cozmoslabs–Profile Builder Pro | The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP’s maybe_unserialize() function on the attacker-controlled ‘args’ POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory. | 2026-05-02 | 8.1 | CVE-2026-7647 | https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271 https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13 https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13 |
| Shenzhen Libituo Technology–LBT-T300-HW1 | A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7674 | VDB-360827: Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow; VDB-360827: CTI Indicators (IOB, IOC, IOA); Submit #800705: Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow; Submit #800706: Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow (Duplicate); https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md |
| Shenzhen Libituo Technology–LBT-T300-HW1 | A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7675 | VDB-360828: Shenzhen Libituo Technology LBT-T300-HW1 apply.cgi start_lan buffer overflow; VDB-360828: CTI Indicators (IOB, IOC, IOA); Submit #800708: Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow; Submit #800709: Libtor Technology <=V1.2.8 Buffer Overflow (Duplicate); https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md |
| Edimax–BR-6428nC | A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7684 | VDB-360843: Edimax BR-6428nC setWAN buffer overflow; VDB-360843: CTI Indicators (IOB, IOC, IOA); Submit #801599: Edimax BR-6428nC v1.16 Buffer Overflow; https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Edimax–BR-6208AC | A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 8.8 | CVE-2026-7685 | VDB-360844: Edimax BR-6208AC setWAN buffer overflow; VDB-360844: CTI Indicators (IOB, IOC, IOA); Submit #801606: Edimax BR-6208AC V2_1.02 Buffer Overflow; https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2 |
| Alloksoft–Allok AVI to DVD SVCD VCD Converter | Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution. | 2026-04-29 | 7.8 | CVE-2018-25302 | ExploitDB-44549 Official Product Homepage VulnCheck Advisory: Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH |
| mybb–MyBB Recent threads | MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page. | 2026-04-29 | 7.2 | CVE-2018-25309 | ExploitDB-44420 Product Reference VulnCheck Advisory: MyBB Recent threads 17.0 Persistent Cross-Site Scripting |
| Weaver Network Co., Ltd.–E-cology | Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC). | 2026-04-30 | 7.5 | CVE-2022-50992 | https://www.weaver.com.cn/cs/securityDownload.html# https://www.weaver.com.cn/cs/ecology_full_log.html https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245 https://blog.csdn.net/qq_36618918/article/details/135104295 https://blog.csdn.net/xiayu729100940/article/details/135205082 https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet |
| n/a–django-mdeditor | All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names. | 2026-04-30 | 7.1 | CVE-2025-13030 | https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926 https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25 https://github.com/pylixm/django-mdeditor/issues/151 https://github.com/pylixm/django-mdeditor/pull/185 https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe |
| CryptPad–CryptPad | CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2. | 2026-04-30 | 7.5 | CVE-2025-51846 | url url url url |
| Zyxel–DX3301-T0 firmware | A post-authentication command injection vulnerability in the “DomainName” parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 7.2 | CVE-2026-1460 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| OPPO–ColorOS Assistant | ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal. | 2026-04-30 | 7.1 | CVE-2026-22070 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024 |
| VEGA Grieshaber–VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL) | An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes. | 2026-04-28 | 7.5 | CVE-2026-3323 | https://certvde.com/en/advisories/VDE-2026-016 https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json |
| redhat[.]com–DTLS | A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service. | 2026-04-30 | 7.5 | CVE-2026-33845 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-33845 RHBZ#2450624 |
| Dell–iDRAC10 | Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low‑privileged attacker to gain elevated access. | 2026-04-29 | 7.1 | CVE-2026-35155 | https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability |
| n/a–Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14. | 2026-05-01 | 7.8 | CVE-2026-37525 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a–Automotive Grade Linux (AGL) afb-daemon v19.90.0 | AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29. | 2026-05-01 | 7.8 | CVE-2026-37526 | https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a–Automotive Grade Linux (AGL) aglservice v17.1.12 | AGL agl-service-can-low-level through 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer. | 2026-05-01 | 7.1 | CVE-2026-37532 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a–Automotive Grade Linux (AGL) isotp-c | openxc/isotp-c through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information. | 2026-05-01 | 7.1 | CVE-2026-37535 | https://github.com/openxc/isotp-c https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a– Vanetza V2X v26.02 | An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser’s catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver. | 2026-05-01 | 7.5 | CVE-2026-37554 | https://github.com/riebl/vanetza https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f |
| chartbrew–chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40595 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649 https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo–Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘sort’ parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4060 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| chartbrew–chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0. | 2026-04-30 | 7.5 | CVE-2026-40601 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| cyberhobo–Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘map_post_type’ parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(…)` clause without `esc_sql()` or `$wpdb->prepare()`. The ‘any’ branch of the same code correctly applies `array_map('esc_sql', …)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings. | 2026-05-02 | 7.5 | CVE-2026-4061 | https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152 https://plugins.trac.wordpress.org/changeset/3503627/ |
| cyberhobo–Geo Mashup | The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the ‘object_ids’ and ‘exclude_object_ids’ parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(…)` / `NOT IN(…)` SQL context – `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. | 2026-05-02 | 7.5 | CVE-2026-4062 | https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759 https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166 https://plugins.trac.wordpress.org/changeset/3503627/ |
| n/a–libssh2 | A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue. | 2026-05-01 | 7.3 | CVE-2026-7598 | VDB-360555 \| libssh2 userauth.c userauth_password integer overflow VDB-360555 \| CTI Indicators (IOB, IOC, IOA) Submit #805564 \| libssh2 <= 1.11.1 Integer Overflow https://github.com/libssh2/libssh2/pull/1858 https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1 https://github.com/libssh2/libssh2/ |
| innocommerce–InnoShop | A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue. | 2026-05-02 | 7.3 | CVE-2026-7630 | VDB-360576 \| innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication VDB-360576 \| CTI Indicators (IOB, IOC, IOA) Submit #806484 \| innocommerce innoshop <= 0.7.3 Missing Authorization https://github.com/innocommerce/innoshop/issues/314 https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458 https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9 https://github.com/innocommerce/innoshop/ |
| code-projects–Online Hospital Management System | A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 7.3 | CVE-2026-7632 | VDB-360578 \| code-projects Online Hospital Management System viewappointment.php sql injection VDB-360578 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806633 \| code-projects Online Hospital Management System In PHP 1.0 SQL Injection https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md https://code-projects.org/ |
| ChatGPTNextWeb–NextChat | A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 7.3 | CVE-2026-7644 | VDB-360756 \| ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization VDB-360756 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806851 \| ChatGPTNextWeb NextChat 2.16.1 Unauthenticated Remote Code Execution https://github.com/ChatGPTNextWeb/NextChat/issues/6757 https://github.com/ChatGPTNextWeb/NextChat/ |
| reputeinfosystems–ARMember Membership Plugin, Content Restriction, Member Levels, User Profile & User signup | The ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the ‘orderby’ parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database. | 2026-05-02 | 7.5 | CVE-2026-7649 | https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434 https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36 https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36 |
| MikroTik–RouterOS | A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7668 | VDB-360804 \| MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out-of-bounds VDB-360804 \| CTI Indicators (IOB, IOC, IOA) Submit #798623 \| MikroTik RouterOS 6.49.8 Out-of-Bounds Read https://github.com/ezio315/cve/issues/4 |
| Jinher–OA | A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 7.3 | CVE-2026-7670 | VDB-360818 \| Jinher OA UserSel.aspx sql injection VDB-360818 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #799506 \| Jinhe OA V1.0 SQL Injection https://github.com/zzlln/cvecve/issues/1 |
| YunaiV–yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7679 | VDB-360832 \| YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication VDB-360832 \| CTI Indicators (IOB, IOC, IOA) Submit #800866 \| YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/1 |
| Acrel Electrical–ECEMS Enterprise Microgrid Energy Efficiency Management System | A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7694 | VDB-360863 \| Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection VDB-360863 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #803271 \| Acrel Electric Co., Ltd. Enterprise Microgrid Energy Efficiency Management System (ECEMS) 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb |
| Acrel Electrical–EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7695 | VDB-360864 \| Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection VDB-360864 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #803275 \| Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 SQL Injection https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg |
| Tiandy–Easy7 Integrated Management Platform | A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7698 | VDB-360867 \| Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection VDB-360867 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804048 \| Tiandy Technologies Co., Ltd. Tiandy-Easy7 7.17.0 OS Command Injection https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c |
| AV Stumpfl–Pixera Two Media Server | A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised. | 2026-05-03 | 7.3 | CVE-2026-7703 | VDB-360872 \| AV Stumpfl Pixera Two Media Server Websocket API code injection VDB-360872 \| CTI Indicators (IOB, IOC, TTP) Submit #805274 \| AV Stumpfl Pixera Two Media Server < 25.2 R3 Remote Code Execution https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| YunaiV–yudao-cloud | A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7710 | VDB-360886 \| YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication VDB-360886 \| CTI Indicators (IOB, IOC, IOA) Submit #806493 \| YunaiV yudao-cloud yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness https://github.com/9str0IL/CVE/issues/5 |
| n/a–MindsDB | A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 7.3 | CVE-2026-7711 | VDB-360887 \| MindsDB Engine proc_wrapper.py exec unrestricted upload VDB-360887 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806822 \| mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md |
Medium Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| xenial–RSVG | librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image compositor. | 2026-04-29 | 6.2 | CVE-2018-25305 | ExploitDB-44491 VulnCheck Advisory: librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG |
| poppler-utils–PDFunite | PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility. | 2026-04-29 | 6.2 | CVE-2018-25306 | ExploitDB-44490 Official Product Homepage Product Reference VulnCheck Advisory: PDFunite 0.41.0 Buffer Overflow via Malformed PDF |
| VideoFlow Ltd.–VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd. | 2026-04-29 | 6.5 | CVE-2018-25311 | ExploitDB-44386 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2) |
| LifeSize–ClearSea | LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution. | 2026-04-29 | 6.5 | CVE-2018-25312 | ExploitDB-44390 VulnCheck Advisory: LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution |
| Sysgauge–SysGauge | SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application. | 2026-04-29 | 6.2 | CVE-2018-25313 | ExploitDB-44372 VulnCheck Advisory: SysGauge 4.5.18 Local Denial of Service via Proxy Configuration |
| sebet–Go Fetch Jobs (for WP Job Manager) | Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link. | 2026-05-01 | 6.1 | CVE-2024-13362 | https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js https://plugins.trac.wordpress.org/changeset/3235286/ https://plugins.trac.wordpress.org/changeset/3249130/ https://plugins.trac.wordpress.org/changeset/3229060/ |
| WSO2–WSO2 Identity Server | The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user’s browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible. | 2026-04-29 | 6.1 | CVE-2025-10503 | https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/ |
| trustindex–Widgets for Social Photo Feed | The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the ‘/trustindex_feed_hook_instagram/troubleshooting’ and ‘/trustindex_feed_hook_instagram/submit-data’ REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings. | 2026-05-02 | 6.5 | CVE-2025-14726 | https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget |
| IBM–Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources. | 2026-04-30 | 6.5 | CVE-2025-36122 | https://www.ibm.com/support/pages/node/7267642 |
| IBM–watsonx.data intelligence | IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user. | 2026-04-30 | 6.2 | CVE-2025-36335 | https://www.ibm.com/support/pages/node/7270923 |
| xlplugins–NextMove Lite Thank You Page for WooCommerce | The NextMove Lite – Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s ‘xlwcty_current_date’ shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. | 2026-05-02 | 6.4 | CVE-2026-0703 | https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79 https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87 https://plugins.trac.wordpress.org/changeset/3482613/ |
| Zyxel–DX3300-T0 firmware | A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device. | 2026-04-28 | 6.8 | CVE-2026-0711 | https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026 |
| IBM–Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic. | 2026-04-30 | 6.5 | CVE-2026-1577 | https://www.ibm.com/support/pages/node/7269434 |
| Dell–Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 6.7 | CVE-2026-25908 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| wazuh–wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh’s server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4. | 2026-04-29 | 6.5 | CVE-2026-26206 | https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Dell–Dell/Alienware Purchased Apps | Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access (‘Link Following’) vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write | 2026-04-29 | 6.3 | CVE-2026-27105 | https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability |
| Milesight–MS-Cxx63-PD | A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras. | 2026-04-27 | 6.8 | CVE-2026-32649 | https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json https://www.milesight.com/support/download/firmware |
| IBM–Langflow Desktop | IBM Langflow Desktop 1.0.0 through 1.8.4 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks. | 2026-04-30 | 6.5 | CVE-2026-3340 | https://www.ibm.com/support/pages/node/7271096 |
| IBM–Langflow Desktop | IBM Langflow Desktop versions up to and including 1.8.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing “dot dot” sequences (/../) to view arbitrary files on the system. | 2026-04-30 | 6.5 | CVE-2026-3345 | https://www.ibm.com/support/pages/node/7271094 |
| IBM–Langflow Desktop | IBM Langflow Desktop 1.6.0 through 1.8.4 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, altering the intended functionality and potentially leading to credential disclosure within a trusted session. | 2026-04-30 | 6.4 | CVE-2026-3346 | https://www.ibm.com/support/pages/node/7271095 |
| chartbrew–chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT – even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-35514 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| n/a– V2Board v1.7.4 | Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing. | 2026-05-01 | 6.9 | CVE-2026-37503 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| redhat[.]com–gnutls | A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure. | 2026-04-30 | 6.5 | CVE-2026-3833 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3833 RHBZ#2445763 https://gitlab.com/gnutls/gnutls/-/issues/1803 |
| chartbrew–chartbrew | Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project’s report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project’s dashboard data and recover the project’s stored report password from the response. This issue has been patched in version 5.0.0. | 2026-04-30 | 6.5 | CVE-2026-40603 | https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0 |
| nextlevelbuilder–ui-ux-pro-max-skill | A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 6.3 | CVE-2026-7595 | VDB-360548 | nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection VDB-360548 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805509 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| mem0ai–mem0 | A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue. | 2026-05-01 | 6.3 | CVE-2026-7597 | VDB-360550 | mem0ai mem0 faiss.py pickle.dump deserialization VDB-360550 | CTI Indicators (IOB, IOC, IOA) Submit #805562 | Mem0 <= v1.0.11 Unsafe Deserialization https://github.com/mem0ai/mem0/issues/3778 https://github.com/mem0ai/mem0/pull/4833 https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a https://github.com/mem0ai/mem0/ |
| Dayoooun–hwpx-mcp | A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-01 | 6.3 | CVE-2026-7599 | VDB-360556 | Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal VDB-360556 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805608 | Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal https://github.com/Dayoooun/hwpx-mcp/issues/3 https://github.com/BruceJqs/public_exp/issues/28 https://github.com/Dayoooun/hwpx-mcp/ |
| ArtMin96–yii2-mcp-server | A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7600 | VDB-360557 | ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection VDB-360557 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805613 | ArtMin96 yii2-mcp-server 1.0.2 Command Injection https://github.com/ArtMin96/yii2-mcp-server/issues/3 https://github.com/BruceJqs/public_exp/issues/29 https://github.com/ArtMin96/yii2-mcp-server/ |
| n/a–JeecgBoot | A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7602 | VDB-360559 | JeecgBoot FillRuleUtil edit improper authorization VDB-360559 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805706 | jeecgboot JeecgBoot <= v3.9.1 Remote Code Execution https://github.com/jeecgboot/JeecgBoot/issues/9552 https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314 https://github.com/jeecgboot/JeecgBoot/ |
| n/a–JeecgBoot | A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7603 | VDB-360560 | JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery VDB-360560 | CTI Indicators (IOB, IOC, IOA) Submit #805707 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9553 https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014 https://github.com/jeecgboot/JeecgBoot/ |
| n/a–JeecgBoot | A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7604 | VDB-360561 | JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery VDB-360561 | CTI Indicators (IOB, IOC, IOA) Submit #805708 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9554 https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151 https://github.com/jeecgboot/JeecgBoot/ |
| n/a–JeecgBoot | A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release. | 2026-05-02 | 6.3 | CVE-2026-7605 | VDB-360562 | JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery VDB-360562 | CTI Indicators (IOB, IOC, IOA) Submit #805709 | jeecgboot JeecgBoot <= v3.9.1 SSRF https://github.com/jeecgboot/JeecgBoot/issues/9555 https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271 https://github.com/jeecgboot/JeecgBoot/ |
| TRENDnet–TEW-821DAP | A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Update. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 6.3 | CVE-2026-7609 | VDB-360566 | TRENDnet TEW-821DAP Firmware Udpate diagnostic tools_diagnostic os command injection VDB-360566 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806216 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md |
| 8nite–metatrader-4-mcp | A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7627 | VDB-360573 | 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal VDB-360573 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806286 | 8nite metatrader-4-mcp 1.0.0 Path Traversal https://github.com/8nite/metatrader-4-mcp/issues/1 https://github.com/8nite/metatrader-4-mcp/ |
| crazyrabbitLTC–mcp-code-review-server | A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7628 | VDB-360574 | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection VDB-360574 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806469 | crazyrabbitLTC mcp-code-review-server <=0.1.0 Command Injection https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4 https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5 https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf https://github.com/crazyrabbitLTC/mcp-code-review-server/ |
| kleneway–awesome-cursor-mpc-server | A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Code Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-02 | 6.3 | CVE-2026-7629 | VDB-360575 | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection VDB-360575 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806470 | kleneway awesome-cursor-mpc-server <=2.0.1 Command Injection https://github.com/kleneway/awesome-cursor-mpc-server/issues/6 https://github.com/kleneway/awesome-cursor-mpc-server/pull/14 https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf https://github.com/kleneway/awesome-cursor-mpc-server/ |
| Totolink–N300RH | A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used. | 2026-05-02 | 6.5 | CVE-2026-7633 | VDB-360579 | Totolink N300RH cstecgi.cgi setUploadSetting file inclusion VDB-360579 | CTI Indicators (IOB, IOC, IOA) Submit #806597 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP https://www.totolink.net/ |
| pskill9–website-downloader | A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7642 | VDB-360754 | pskill9 website-downloader MCP index.ts download_website os command injection VDB-360754 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806812 | pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection https://github.com/pskill9/website-downloader/issues/7 https://github.com/BruceJqs/public_exp/issues/31 https://github.com/pskill9/website-downloader/ |
| ruvnet–sublinear-time-solver | A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.5 | CVE-2026-7645 | VDB-360757 | ruvnet sublinear-time-solver MCP server.js export_state path traversal VDB-360757 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806895 | ruvnet sublinear-time-solver / consciousness-explorer sublinear-time-solver 1.5.0, consciousness-explorer 1.1.1, commit 1210646955f33abe5c91f894cc7b04d024f62408 Path Traversal https://github.com/ruvnet/sublinear-time-solver/issues/19 https://github.com/ruvnet/sublinear-time-solver/ |
| r-huijts–mcp-server-rijksmuseum | A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 6.3 | CVE-2026-7653 | VDB-360778 | r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection VDB-360778 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806909 | r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection https://github.com/r-huijts/rijksmuseum-mcp/issues/9 |
| youlaitech–youlai-boot | A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7672 | VDB-360825 | youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection VDB-360825 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800658 | youlaitech youlai-boot v2.21.1 SQL Injection https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink |
| YunaiV–yudao-cloud | A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7678 | VDB-360831 | YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection VDB-360831 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800865 | YunaiV yudao-cloud yudao-cloud up to 2026.01 SQL Injection https://github.com/9str0IL/CVE/issues/2 |
| jsbroks–COCO Annotator | A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.5 | CVE-2026-7681 | VDB-360834 | jsbroks COCO Annotator Dataset API datasets.py authorization VDB-360834 | CTI Indicators (IOB, IOC, IOA) Submit #801408 | jsbroks COCO Annotator 0.11.1 Authorization Bypass https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication |
| Edimax–BR-6208AC | A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7682 | VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f |
| Edimax–BR-6428nC | A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7683 | VDB-360842 | Edimax BR-6428nC Web setWAN command injection VDB-360842 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801597 | Edimax BR-6428nC v1.16 v1.16 Command Injection Submit #801598 | Edimax BR-6428nC v1.16 v1.16 Command Injection (Duplicate) https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00 https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80 |
| langflow-ai–langflow | A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7687 | VDB-360857 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection VDB-360857 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #798731 | langflow-ai langflow 1.8.4 Command Injection https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb |
| Wavlink–WL-WN570HA1 | A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. The vendor responded promptly and confirmed “that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7690 | VDB-360860 | Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection VDB-360860 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807805 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link |
| Wavlink–WL-WN570HA1 | A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. The vendor responded promptly and confirmed “that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7691 | VDB-360861 | Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection VDB-360861 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807806 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link |
| Wavlink–WL-WN570HA1 | A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. The vendor responded promptly and confirmed “that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website.” This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-03 | 6.3 | CVE-2026-7692 | VDB-360862 | Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection VDB-360862 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #807807 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link |
| Acrel Electrical–EEMS Enterprise Power Operation and Maintenance Cloud Platform | A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7696 | VDB-360865 \| Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload VDB-360865 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #807944 \| Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 Unrestricted Upload of File with Dangerous Type https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink |
| Dromara–MaxKey | A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7699 | VDB-360868 \| Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection VDB-360868 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804260 \| Dromara MaxKey 3.5.13 SQL Injection https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection |
| langflow-ai–langflow | A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7700 | VDB-360869 \| langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection VDB-360869 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #804305 \| langflow-ai Langflow Desktop 1.8.3 Execution with Unnecessary Privileges https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B |
| JD Cloud–JDCOS | A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7705 | VDB-360881 \| JD Cloud JDCOS Service jdcap set_iptv_info command injection VDB-360881 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805644 \| jdcloud 京东云无线宝ER1 太乙 有线路由 千兆路由器 JDCOS-JDC08-4.5.1.r4518 Remote code execution https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46 |
| janeczku–Calibre-Web | A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7709 | VDB-360885 \| janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization VDB-360885 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #805823 \| Janeczku Calibre-web V0.6.7-V0.6.26 IDOR in auth-token generation leading to account takeover / user https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link |
| n/a–MindsDB | A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 6.3 | CVE-2026-7712 | VDB-360888 \| MindsDB Pickle pickle.loads deserialization VDB-360888 \| CTI Indicators (IOB, IOC, IOA) Submit #806827 \| https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md |
| Merge–Merge PACS | Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system. | 2026-04-29 | 5.3 | CVE-2018-25298 | ExploitDB-44681 Official Product Homepage VulnCheck Advisory: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer |
| IBM–Db2 | IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist. | 2026-04-30 | 5.3 | CVE-2025-14688 | https://www.ibm.com/support/pages/node/7269424 |
| IBM–watsonx.data | IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions. | 2026-04-30 | 5.3 | CVE-2025-36180 | https://www.ibm.com/support/pages/node/7270593 |
| Dell–Alienware Command Center (AWCC) | Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges. | 2026-04-27 | 5.3 | CVE-2026-32655 | https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities |
| Elastic–Elastic Package Registry | Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed. | 2026-04-28 | 5.9 | CVE-2026-33467 | https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081 |
| dokaninc–Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy | The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the ‘/dokan/v1/stores/{id}/reviews’ REST API endpoint. This is due to the ‘prepare_reviews_for_response’ method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor’s store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability. | 2026-05-02 | 5.3 | CVE-2026-3504 | https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835 https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854 https://plugins.trac.wordpress.org/changeset/3481799/ |
| n/a– V2Board v1.7.4 | Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic. | 2026-05-01 | 5.3 | CVE-2026-37504 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| complianz–Complianz GDPR/CCPA Cookie Consent | The Complianz – GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts. | 2026-04-29 | 5.3 | CVE-2026-4019 | https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54 https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61 https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6 |
| diplodoc-platform–@diplodoc/search-extension | @diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file. | 2026-05-01 | 5.4 | CVE-2026-40201 | https://github.com/diplodoc-platform/search-extension/releases https://github.com/diplodoc-platform/search-extension/pull/41 https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3 https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md |
| wproyal–Royal Addons for Elementor Addons and Templates Kit for Elementor | The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs. | 2026-05-02 | 5.3 | CVE-2026-4024 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592 https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592 |
| MIT–Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message. | 2026-04-28 | 5.9 | CVE-2026-40355 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| MIT–Kerberos 5 | In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message. | 2026-04-28 | 5.9 | CVE-2026-40356 | https://web.mit.edu/kerberos/advisories/ https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f |
| SmarterTools Inc.–SmarterMail | SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content. | 2026-04-27 | 5.9 | CVE-2026-40514 | https://www.smartertools.com/smartermail/release-notes/current https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng |
| Exim–Exim | In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing. | 2026-04-30 | 5.9 | CVE-2026-40684 | https://www.openwall.com/lists/oss-security/2026/04/30/21 https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81 https://exim.org/static/doc/security/CVE-2026-40684.txt |
| TRENDnet–TEW-821DAP | A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 5.5 | CVE-2026-7608 | VDB-360565 \| TRENDnet TEW-821DAP tools_diagnostic os command injection VDB-360565 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806215 \| Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an OS https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md |
| code-projects–Online Hospital Management System | A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used. | 2026-05-02 | 5.4 | CVE-2026-7631 | VDB-360577 \| code-projects Online Hospital Management System Registration improper authorization VDB-360577 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #806565 \| Code-projects Online Hospital Management System V1.0 unauthorized access https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md https://code-projects.org/ |
| appcheap–App Builder Create Native Android & iOS Apps On The Flight | The App Builder – Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint. | 2026-05-02 | 5.3 | CVE-2026-7638 | https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161 https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33 |
| sgl-project–SGLang | A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller’s explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 5.6 | CVE-2026-7669 | VDB-360817 \| sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection VDB-360817 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #799263 \| sgl-project sglang <=0.5.9 Protection Mechanism Failure https://github.com/gouldnicholas/CVE-2026-7669-PoC |
| eyeo–Adblock Plus | A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: “The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher’s claim of permanently unlocking all Premium features is therefore incorrect. (…) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal.” | 2026-05-03 | 5.3 | CVE-2026-7686 | VDB-360856 \| eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control VDB-360856 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #793551 \| Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md https://adblockplus.org/en/download |
| Dolibarr–ERP CRM | A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5 | CVE-2026-7688 | VDB-360858 \| Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection VDB-360858 \| CTI Indicators (IOB, IOC, TTP, IOA) Submit #799337 \| Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection |
| toeverything–AFFiNE | A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 5.3 | CVE-2026-7702 | VDB-360871 \| toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization VDB-360871 \| CTI Indicators (IOB, IOC, IOA) Submit #804455 \| AFFiNE AFFiNE (https://github.com/toeverything/AFFiNE) 0.26.3 Authorization Bypass https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4 |
| VideoFlow Ltd.–VideoFlow Digital Video Protection | VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device. | 2026-04-29 | 4.3 | CVE-2018-25310 | ExploitDB-44387 Vulnerability Advisory VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution |
| gnu–wget2 | wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication. | 2026-04-29 | 4.8 | CVE-2026-1858 | https://www.tenable.com/security/research/tra-2026-37 |
| wazuh–wazuh | Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4. | 2026-04-29 | 4.4 | CVE-2026-26204 | https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857 https://github.com/wazuh/wazuh/releases/tag/v4.14.4 |
| Oracle Corporation–Oracle Linux | An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to — or instruments — that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or — depending on heap layout — a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context. | 2026-05-01 | 4.4 | CVE-2026-35233 | Oracle Advisory |
| n/a– V2Board v1.7.4 | SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis. | 2026-05-01 | 4.9 | CVE-2026-37505 | https://github.com/v2board/v2board https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9 |
| nextlevelbuilder–ui-ux-pro-max-skill | A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet. | 2026-05-01 | 4.3 | CVE-2026-7596 | VDB-360549 | nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting VDB-360549 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805510 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Slide Generator Multiple Stored XSS https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274 https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/ |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack is possible to be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component. | 2026-05-02 | 4.3 | CVE-2026-7601 | VDB-360558 | Open5GS AMF gmm-handler.c denial of service VDB-360558 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #805675 | Open5GS v.2.7.6 Denial of Service https://github.com/open5gs/open5gs/issues/4321 https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426 https://github.com/open5gs/open5gs/releases/tag/v2.7.7 https://github.com/open5gs/open5gs/ |
| itsourcecode–Courier Management System | A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. | 2026-05-02 | 4.7 | CVE-2026-7612 | VDB-360569 | itsourcecode Courier Management System edit_user.php sql injection VDB-360569 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #806275 | itsourcecode Courier Management System V1.0 SQL Injection https://github.com/ltranquility/submit/issues/12 https://itsourcecode.com/ |
| ChatGPTNextWeb–NextChat | A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-02 | 4.3 | CVE-2026-7643 | VDB-360755 | ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy VDB-360755 | CTI Indicators (IOB, IOC, IOA) Submit #806833 | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy https://github.com/ChatGPTNextWeb/NextChat/issues/6756 https://github.com/ChatGPTNextWeb/NextChat/ |
| n/a–crmeb_java | A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7673 | VDB-360826 | crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload VDB-360826 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800684 | crmeb crmeb_java 1.3.4 Unrestricted Upload https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink |
| kerwincui–FastBee | A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7676 | VDB-360829 | kerwincui FastBee Tool Download Endpoint ToolController.java ToolController.download path traversal VDB-360829 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #800723 | kerwincui FastBee ≤ 1.2.1 Path Traversal https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink |
| jsbroks–COCO Annotator | A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7680 | VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA) Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter |
| AMTT–Hotel Broadband Operation System | A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.7 | CVE-2026-7697 | VDB-360866; AMTT Hotel Broadband Operation System cardhand_submit.php sql injection VDB-360866; CTI Indicators (IOB, IOC, TTP, IOA) Submit #803272; Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection https://github.com/testnet0/testnet/issues/74 |
| Telegram–Desktop | A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 4.3 | CVE-2026-7701 | VDB-360870; Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference VDB-360870; CTI Indicators (IOB, IOC, IOA) Submit #804341; Telegram Telegram Desktop <= 6.7.5 NULL Pointer Dereference https://www.youtube.com/watch?v=xo9Bplsy1K8 |
| AV Stumpfl–Pixera Two Media Server | A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component. | 2026-05-03 | 4.3 | CVE-2026-7704 | VDB-360873; AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal VDB-360873; CTI Indicators (IOB, IOC, TTP) Submit #805275; AV Stumpfl Pixera Two Media Server < 25.2 R3 Arbitrary File Read https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608 https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog |
| n/a–Open5GS | A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7706 | VDB-360882; Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service VDB-360882; CTI Indicators (IOB, IOC, TTP, IOA) Submit #805698; Open5GS AMF v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4409 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the argument pei results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7707 | VDB-360883; Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service VDB-360883; CTI Indicators (IOB, IOC, TTP, IOA) Submit #805699; Open5gs UDR v2.7.7 Denial of Service Submit #805700; Open5gs UDR v2.7.7 Denial of Service (Duplicate) https://github.com/open5gs/open5gs/issues/4410 https://github.com/open5gs/open5gs/issues/4411 https://github.com/open5gs/open5gs/ |
| n/a–Open5GS | A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of the argument supi_id causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet. | 2026-05-03 | 4.3 | CVE-2026-7708 | VDB-360884; Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service VDB-360884; CTI Indicators (IOB, IOC, TTP, IOA) Submit #805701; Open5gs UDR v2.7.7 Denial of Service https://github.com/open5gs/open5gs/issues/4412 https://github.com/open5gs/open5gs/ |
Low Vulnerabilities
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| Oracle Corporation–Oracle Linux | An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab() | 2026-05-01 | 3.3 | CVE-2026-21996 | Oracle Advisory |
| redhat[.]com–gnutls | A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust. | 2026-04-30 | 3.7 | CVE-2026-3832 | RHSA-2026:13274 https://access.redhat.com/security/cve/CVE-2026-3832 RHBZ#2445762 https://gitlab.com/gnutls/gnutls/-/issues/1801 |
| TRENDnet–TEW-821DAP | A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7606 | VDB-360563; TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity VDB-360563; CTI Indicators (IOB, IOC, IOA) Submit #806213; Trendnet TEW-821DAP v1.12B01 CWE-287 Improper Authentication https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md |
| TRENDnet–TEW-821DAP | A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7610 | VDB-360567; TRENDnet TEW-821DAP Firmware Update ssi cleartext transmission VDB-360567; CTI Indicators (IOB, IOC, TTP, IOA) Submit #806217; Trendnet TEW-821DAP v1.12B01 CWE-319: Cleartext Transmission of Sensitive Information https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md |
| TRENDnet–TEW-821DAP | A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: “That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling”. This vulnerability only affects products that are no longer supported by the maintainer. | 2026-05-02 | 3.7 | CVE-2026-7611 | VDB-360568; TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity VDB-360568; CTI Indicators (IOB, IOC, IOA) Submit #806218; Trendnet TEW-821DAP v1.12B01 CWE-327 Use of a Broken or Risky Cryptographic Algorithm https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md |
| CodeWise–Tornet Scooter Mobile App | A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-02 | 3.7 | CVE-2026-7671 | VDB-360819; CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication VDB-360819; CTI Indicators (IOB, IOC, TTP, IOA) Submit #799987; CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3 https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO |
| kerwincui–FastBee | A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.5 | CVE-2026-7677 | VDB-360830; kerwincui FastBee System Notice SysNoticeController.java add cross site scripting VDB-360830; CTI Indicators (IOB, IOC, TTP, IOA) Submit #800724; kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink |
| Dolibarr–ERP CRM | A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way. | 2026-05-03 | 3.7 | CVE-2026-7689 | VDB-360859; Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification VDB-360859; CTI Indicators (IOB, IOC, IOA) Submit #801794; Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158 |
Severity Not Yet Assigned
| Primary Vendor — Product | Description | Published | CVSS Score | Source Info | Patch Info |
|---|---|---|---|---|---|
| n/a–Sourcecodester Online Job Portal phppdo 1.0 | SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 via the category parameter in /jobportal/index.php. | 2026-04-27 | not yet calculated | CVE-2021-36438 | https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/ https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/ |
| Lobster GmbH–Lobster_pro | Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-13971 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/ |
| 4D–4D Server | Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services. | 2026-04-30 | not yet calculated | CVE-2024-39847 | https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/ https://4d.com |
| n/a–NASA EOSDIS MODAPS | NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter. | 2026-04-27 | not yet calculated | CVE-2024-46636 | https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/ https://bugcrowd.com/Xnu11 https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS |
| Hanwha Vision–QND-8080R | Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54011 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision–QND-8080R | Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54012 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| Hanwha Vision–QND-8080R | Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer’s report for details and workarounds. | 2026-04-28 | not yet calculated | CVE-2024-54013 | https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf |
| DeskTime–DeskTime Time Tracking App | Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client. | 2026-04-28 | not yet calculated | CVE-2025-10539 | https://r.sec-consult.com/desktime https://desktime.com/download |
| RTI–Connext Professional | Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*. | 2026-04-30 | not yet calculated | CVE-2025-14543 | https://www.rti.com/vulnerabilities/#cve-2025-14543 |
| The Qt Company–Qt | Insufficient validation of node IDs in Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application’s privilege level and data access. | 2026-04-30 | not yet calculated | CVE-2025-14576 | Qt Code Review – Fix for QTBUG-142556 |
| Ribblr–Crochet and Knitting | An authenticated user can bypass authorization in the Ribblr – Crochet & Knitting iOS application. | 2026-04-27 | not yet calculated | CVE-2025-15626 | https://ribblr.com/ |
| Apache Software Foundation–Apache Thrift | Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal “free(): invalid pointer” error message. | 2026-04-28 | not yet calculated | CVE-2025-48431 | https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql |
| n/a–B1 Free Archiver v1.5.86 | A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the ‘Zone.Identifier’ alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions. | 2026-04-29 | not yet calculated | CVE-2025-50328 | https://b1.org/ https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version |
| passmark[.]com–BurnInTest v11.0 | An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call. | 2026-05-01 | not yet calculated | CVE-2025-52347 | https://www.passmark.com/products/performancetest/history.php https://www.osforensics.com/whats-new.html https://www.passmark.com/products/burnintest/history.php https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347 |
| n/a–eProsima Micro-XRCE-DDS Agent v.3.0.1 | An issue in eProsima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field. | 2026-05-01 | not yet calculated | CVE-2025-63547 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a–eProsima Micro-XRCE-DDS Agent v.3.0.1 | An issue in eProsima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field. | 2026-05-01 | not yet calculated | CVE-2025-63548 | https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389 https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md |
| n/a–Pro-Bit | An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access a sensitive directory and its subdirectories. | 2026-04-27 | not yet calculated | CVE-2025-69428 | https://github.com/jasetpen/CVE-2025-69428 |
| n/a–GSVoIP web panel v2.0.90 | Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks. | 2026-05-01 | not yet calculated | CVE-2025-69606 | https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E https://www.solutionsvoip.com.br/ https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS |
| getfancontrol[.]com–Fan Control App v251 | The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges. | 2026-04-27 | not yet calculated | CVE-2025-69689 | https://getfancontrol.com https://github.com/Rem0o/FanControl.Releases https://github.com/Rem0o/FanControl.Releases/releases/tag/V251 https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529 |
| SonicWall–SonicOS | A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions. | 2026-04-29 | not yet calculated | CVE-2026-0204 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall–SonicOS | A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services. | 2026-04-29 | not yet calculated | CVE-2026-0205 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| SonicWall–SonicOS | A post-authentication Stack-based Buffer Overflow vulnerability in SonicOS allows a remote attacker to crash a firewall. | 2026-04-29 | not yet calculated | CVE-2026-0206 | https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004 |
| Wolters Kluwer Polska–LEX Baza Dokumentów | LEX Baza Dokumentów is vulnerable to DOM-based XSS in the “em” cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim’s browser. An attacker with the ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4. | 2026-04-30 | not yet calculated | CVE-2026-1493 | https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow https://cert.pl/posts/2026/04/CVE-2025-1493 |
| Samsung Mobile–Samsung Mobile Devices | Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of a specific application. | 2026-04-29 | not yet calculated | CVE-2026-21023 | https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03 |
| OPPO–OPPO Wallet APP | OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure. | 2026-04-27 | not yet calculated | CVE-2026-22077 | https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016 |
| Imagination Technologies–Graphics DDK | A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable further exploits on the device. | 2026-05-01 | not yet calculated | CVE-2026-22165 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies–Graphics DDK | A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable subsequent exploits on the system. | 2026-05-01 | not yet calculated | CVE-2026-22166 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Imagination Technologies–Graphics DDK | Software installed and run as a non-privileged user may issue improper GPU system calls to force the GPU to write to arbitrary physical memory pages. Under certain circumstances this could be used to corrupt memory pages that were not allocated by the GPU driver but are in use by the kernel and drivers running on the platform, altering their behaviour. The attack can cause the GPU to perform write operations on restricted internal GPU buffers, which can lead to a second-order effect of corrupted arbitrary physical memory. | 2026-05-01 | not yet calculated | CVE-2026-22167 | https://www.imaginationtech.com/gpu-driver-vulnerabilities/ |
| Acronis–Acronis DeviceLock DLP | Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212. | 2026-04-29 | not yet calculated | CVE-2026-25852 | SEC-7217 |
| arc53–DocsGPT | DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing either the official DocsGPT website or any local or public deployment can craft a malicious payload that bypasses the “MCP test” behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0. | 2026-04-29 | not yet calculated | CVE-2026-26015 | https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74 https://github.com/arc53/DocsGPT/releases/tag/0.16.0 |
| aver[.]com–web mgt interface v0.1.0000.65 | A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request. | 2026-05-01 | not yet calculated | CVE-2026-26461 | https://www.aver.com/Downloads/search?q=PTC320UV2 https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md |
| Apache Software Foundation–Apache Camel | The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1. | 2026-04-27 | not yet calculated | CVE-2026-27172 | https://camel.apache.org/security/CVE-2026-27172.html |
| Netskope–Client | Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine. | 2026-04-29 | not yet calculated | CVE-2026-2810 | https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002 https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory |
| elixir-plug–plug_cowboy | Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1. | 2026-04-27 | not yet calculated | CVE-2026-32688 | https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2 https://cna.erlef.org/cves/CVE-2026-32688.html https://osv.dev/vulnerability/EEF-CVE-2026-32688 https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b |
| CRM Sistemas de Fidelización–MegaCMS | SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the “id_territorio” parameter of the “/web_comunications/cms/get_provincias” endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the “id_territorio” parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. | 2026-04-29 | not yet calculated | CVE-2026-3325 | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)–LogonTracer | An OS command injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user. | 2026-04-27 | not yet calculated | CVE-2026-33277 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| Absolute Software–Secure Access | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33446 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446 |
| Absolute Software–Secure Access | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory conceivably leading to memory corruption or denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33447 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447 |
| Absolute Software–Secure Access | CVE-2026-33448 is a format string vulnerability in the logging subsystem of Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files potentially revealing secrets. | 2026-04-30 | not yet calculated | CVE-2026-33448 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448 |
| Absolute Software–Secure Access | CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory conceivably leading to a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33449 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449 |
| Absolute Software–Secure Access | CVE-2026-33450 is an out of bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client causing a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33450 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450 |
| Absolute Software–Secure Access | CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system. | 2026-04-30 | not yet calculated | CVE-2026-33451 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451 |
| Absolute Software–Secure Access | CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to ‘blue screen’ the system. | 2026-04-30 | not yet calculated | CVE-2026-33452 | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452 |
| Apache Software Foundation–Apache Camel | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel’s camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(…) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer’s behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer’s output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue. | 2026-04-27 | not yet calculated | CVE-2026-33453 | https://camel.apache.org/security/CVE-2026-33453.html |
| Apache Software Foundation–Apache Camel | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the ‘out’ direction via setOutFilterStartsWith, while it does not configure the ‘in’ direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from(“imap://…”) or from(“pop3://…”)) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. | 2026-04-27 | not yet calculated | CVE-2026-33454 | https://camel.apache.org/security/CVE-2026-33454.html |
| Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)–LogonTracer | There is a Cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered. | 2026-04-27 | not yet calculated | CVE-2026-33566 | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/ |
| traefik–traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik’s ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-35051 | https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54 https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| FreeBSD–FreeBSD | When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. | 2026-04-30 | not yet calculated | CVE-2026-35547 | https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc |
| merkurysmart[.]com– MIPC252W v1.0.5 | A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition. | 2026-04-27 | not yet calculated | CVE-2026-35901 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md |
| merkurysmart[.]com– MIPC252W v1.0.5 | The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service. | 2026-04-27 | not yet calculated | CVE-2026-35902 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md |
| merkurysmart[.]com– MIPC252W v1.0.5 | MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response. | 2026-04-27 | not yet calculated | CVE-2026-35903 | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md |
| n/a–Krayin CRM v.2.1.5 | An issue in Krayin CRM v.2.1.5 and fixed in v.2.1.6 allows a remote attacker to execute arbitrary code via the compose email function. | 2026-04-30 | not yet calculated | CVE-2026-36340 | https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/cybercrewinc/CVE-2026-36340 |
| n/a–halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36756 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md |
| n/a–halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36757 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md |
| n/a–halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36758 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md |
| n/a–halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36759 | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md |
| n/a–JeeSite v5.15.1 | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled. | 2026-04-30 | not yet calculated | CVE-2026-36760 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/530 |
| n/a–JeeSite v5.15.1 | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter. | 2026-04-30 | not yet calculated | CVE-2026-36761 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/528 |
| n/a–JeeSite v5.15.1 | An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations. | 2026-04-30 | not yet calculated | CVE-2026-36762 | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/529 |
| n/a–SpringBlade v4.8.0 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter. | 2026-04-30 | not yet calculated | CVE-2026-36763 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/38 https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| n/a–SpringBlade v4.8.0 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36764 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/36 |
| n/a–SpringBlade v4.8.0 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | 2026-04-30 | not yet calculated | CVE-2026-36765 | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/37 |
| n/a–shopizer v3.2.5 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions. | 2026-04-30 | not yet calculated | CVE-2026-36766 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1093 |
| n/a–shopizer v3.2.5 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request. | 2026-04-30 | not yet calculated | CVE-2026-36767 | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1091 |
| Totolink[.]net — TOTOLINK A3002RU v3 | TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36837 | https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow |
| Totolink[.]net — TOTOLINK N200RE v5 | TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36841 | https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection |
| Dbitnet[.]com — Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim’s browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36956 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36956 |
| Dbitnet[.]com — Dbit N300 router v.1.0 | Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities. | 2026-04-30 | not yet calculated | CVE-2026-36957 | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36957 |
| Dbitnet[.]com — Dbit N300 router v.1.0 | A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require manual reboot to restore normal operation. | 2026-04-30 | not yet calculated | CVE-2026-36958 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36958 |
| Dbitnet[.]com — Dbit N300 router v.1.0 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface. | 2026-04-30 | not yet calculated | CVE-2026-36959 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36959 |
| Dbitnet[.]com — Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim’s browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36960 | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36960 |
| n/a–FlowSpec operator array | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | 2026-05-01 | not yet calculated | CVE-2026-37457 | https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c |
| n/a–Automotive Grade Linux (AGL) | AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE. | 2026-05-01 | not yet calculated | CVE-2026-37530 | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643 |
| n/a–Automotive Open SAE J1939 protocol (CAN-Bus) | Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer, allows attackers to write to arbitrary memory via crafted sequence number from the CAN frame. | 2026-05-01 | not yet calculated | CVE-2026-37534 | https://github.com/DanielMartensson/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a–socketcand 0.4.2 | Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via crafted bus_name. | 2026-05-01 | not yet calculated | CVE-2026-37538 | https://github.com/dschanoeh/socketcand https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381 |
| n/a–libsndfile 1.2.2 | An issue was discovered in libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. | 2026-04-29 | not yet calculated | CVE-2026-37555 | https://github.com/libsndfile/libsndfile/issues/833 https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151 https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1 |
| n/a–School Management System | A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victim’s browsers via the unsanitized type parameter in register.php. | 2026-04-28 | not yet calculated | CVE-2026-37750 | https://github.com/mahmoudai1/school-management-system https://github.com/mahmoudai1/school-management-system/blob/main/register.php https://github.com/menevarad007/CVE-2026-37750 |
| n/a–Netmaker v1.5.0 | Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information. | 2026-04-28 | not yet calculated | CVE-2026-38651 | https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b https://www.zyenra.com/blog/netmaker-jwt-verification-bypass https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass |
| Moxa–EDR-8010 Series | An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition – when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3867 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| Moxa–EDR-8010 Series | An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa’s Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3868 | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons |
| n/a–diskoverdata v.2.3.5 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via the public/settings_process.php. | 2026-04-27 | not yet calculated | CVE-2026-38934 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934 |
| n/a–diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter. | 2026-04-27 | not yet calculated | CVE-2026-38935 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935 |
| n/a–diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter. | 2026-04-27 | not yet calculated | CVE-2026-38936 | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936 |
| n/a–mvc-ecommerce v.1.0 | Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component. | 2026-04-30 | not yet calculated | CVE-2026-38939 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a–TOKO-ONLINE-ROTI v.1.0 | Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component. | 2026-04-30 | not yet calculated | CVE-2026-38940 | https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8 |
| n/a–FUEL CMS v1.5.2 | Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code. | 2026-04-28 | not yet calculated | CVE-2026-38948 | https://github.com/daylightstudio/FUEL-CMS https://www.youtube.com/watch?v=lLCF0xbjecQ https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md |
| n/a–HTMLy v3.1.1 | Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code. | 2026-04-28 | not yet calculated | CVE-2026-38949 | https://github.com/danpros/htmly https://youtu.be/3e-tzUMCox8 https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md |
| n/a–Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server. | 2026-04-29 | not yet calculated | CVE-2026-38991 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a–Cockpit v2.13.5 | Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. | 2026-04-29 | not yet calculated | CVE-2026-38992 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| n/a–Cockpit v2.13.5 | Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions. | 2026-04-29 | not yet calculated | CVE-2026-38993 | https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/ |
| FreeBSD–FreeBSD | When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)’s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. | 2026-04-30 | not yet calculated | CVE-2026-39457 | https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc |
| mtrudel–bandit | Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. ‘Elixir.Bandit.WebSocket.PerMessageDeflate’:inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node’s memory and trigger an OOM kill. This vulnerability requires both Bandit’s server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39804 | https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j https://cna.erlef.org/cves/CVE-2026-39804.html https://osv.dev/vulnerability/EEF-CVE-2026-39804 https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e |
| mtrudel–bandit | Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. ‘Elixir.Bandit.Headers’:get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39805 | https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7 https://cna.erlef.org/cves/CVE-2026-39805.html https://osv.dev/vulnerability/EEF-CVE-2026-39805 https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1 |
| mtrudel–bandit | Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. ‘Elixir.Bandit.Pipeline’:determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport’s secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL’s already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0. | 2026-05-01 | not yet calculated | CVE-2026-39807 | https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j https://cna.erlef.org/cves/CVE-2026-39807.html https://osv.dev/vulnerability/EEF-CVE-2026-39807 https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667 |
| traefik–traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik’s ForwardAuth and snippet-based authentication middleware. Traefik’s forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context – such as a trusted scheme or host – through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-39858 | https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2 |
| Apache Software Foundation–Apache Camel Platform HTTP Main | When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model – the sub-router is mounted at `<path>/*` and the authentication handler is registered inside the sub-router at the resolved path – this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as `/api/<route>` or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40022 | https://camel.apache.org/security/CVE-2026-40022.html |
| Apache Software Foundation–Apache Camel PQC | The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application – for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack – can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40048 | https://camel.apache.org/security/CVE-2026-40048.html |
| helpyio–helpy | Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40229 | https://fluidattacks.com/es/advisories/offspring https://github.com/helpyio/helpy |
| helpyio–helpy | Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0. | 2026-04-29 | not yet calculated | CVE-2026-40230 | https://fluidattacks.com/es/advisories/prisioneros https://github.com/helpyio/helpy |
| Apache Software Foundation–Apache Camel JMS | The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40453 | https://camel.apache.org/security/CVE-2026-40453.html |
| Apache Software Foundation–Apache Camel Mina | The camel-mina component’s MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. | 2026-04-27 | not yet calculated | CVE-2026-40473 | https://camel.apache.org/security/CVE-2026-40473.html |
| BinSoft–mpGabinet | mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application’s memory by inspecting the running process. While the ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40550 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft–mpGabinet | mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40551 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| BinSoft–mpGabinet | mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below. | 2026-04-28 | not yet calculated | CVE-2026-40552 | https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/ |
| Apache Software Foundation–Apache Storm Prometheus Reporter | Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter. Versions affected: 2.6.3 through 2.8.6. Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (disabled by default) intending to affect only the Prometheus reporter, an undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation is enabled for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM’s default SSL context rather than applying the insecure context only to the Prometheus connection. The setting flows from the storm.yaml configuration through PrometheusPreparableReporter.prepare() and INSECURE_CONNECTION_FACTORY to SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent TLS connections in the process that rely on the JVM default context (including ZooKeeper, Thrift, Netty, and UI connections) silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway’s certificate. | 2026-04-27 | not yet calculated | CVE-2026-40557 | https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq |
| MIYAGAWA–Starman | Starman versions before 0.4018 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes “Content-Length” over “Transfer-Encoding: chunked” when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-04-28 | not yet calculated | CVE-2026-40560 | https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 |
| KAZUHO–Starlet | Starlet versions through 0.31 for Perl allows HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes “Content-Length” over “Transfer-Encoding: chunked” when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. | 2026-05-03 | not yet calculated | CVE-2026-40561 | https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch |
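
The Bandit (CVE-2026-39805) and Starman/Starlet (CVE-2026-40560, CVE-2026-40561) entries above are two faces of one framing rule: RFC 9112 §6.3 (RFC 7230 §3.3.3) says conflicting Content-Length values are an unrecoverable error, and Transfer-Encoding takes precedence over Content-Length when both appear. The example below is added here and is not code from Bandit, Starman or Starlet; it shows a strict body-length resolver beside a "first Content-Length wins" model of the vulnerable behaviour, and a keep-alive splitter that turns one smuggled request into two under the weak rule. The byte streams, the hidden GET /admin request and the function names are constructed for the example.

```python
"""RFC 9112 request framing, strict vs. first-match (added example, not Bandit/Starman/Starlet code)."""
from __future__ import annotations

import re

_TOKEN = re.compile(r"^[!#$%&'*+.^_`|~0-9A-Za-z-]+$")
_DIGITS = re.compile(r"^[0-9]+$")


class FramingError(ValueError):
    """Unrecoverable framing error: answer 400 and close the connection."""


def parse_headers(block: bytes) -> list[tuple[str, str]]:
    """Header block -> ordered (lowercased-name, value) pairs; duplicates are kept, not merged."""
    pairs = []
    for line in block.split(b"\r\n"):
        if not line:
            continue
        name, sep, value = line.decode("latin-1").partition(":")
        if not sep or not _TOKEN.match(name):
            raise FramingError(f"malformed header line {line!r}")
        pairs.append((name.lower(), value.strip()))
    return pairs


def strict_body_length(headers: list[tuple[str, str]]) -> int | str:
    """Return 'chunked' or one validated Content-Length; anything ambiguous is rejected (RFC 9112 §6.3)."""
    te = [v for n, v in headers if n == "transfer-encoding"]
    cl = [v for n, v in headers if n == "content-length"]
    if te and cl:
        raise FramingError("Transfer-Encoding and Content-Length both present")
    if te:
        codings = [c.strip().lower() for v in te for c in v.split(",")]
        if codings[-1] != "chunked":
            raise FramingError("final transfer coding is not chunked")
        return "chunked"
    if not cl:
        return 0
    values = {v.strip() for item in cl for v in item.split(",")}  # identical duplicates are tolerated
    if len(values) != 1 or not _DIGITS.match(next(iter(values))):
        raise FramingError(f"invalid or conflicting Content-Length: {cl}")
    return int(values.pop())


def first_match_body_length(headers: list[tuple[str, str]]) -> int | str:
    """Vulnerable model: the first Content-Length wins and Content-Length beats Transfer-Encoding."""
    for n, v in headers:
        if n == "content-length":
            return int(v)
    for n, v in headers:
        if n == "transfer-encoding" and "chunked" in v.lower():
            return "chunked"
    return 0


def _past_chunked_body(buf: bytes, pos: int) -> int:
    """Offset just past a chunked body that starts at pos (trailer fields not supported here)."""
    while True:
        eol = buf.index(b"\r\n", pos)
        size = int(buf[pos:eol].split(b";")[0], 16)
        pos = eol + 2
        if size == 0:
            if buf[pos:pos + 2] != b"\r\n":
                raise FramingError("missing chunked body terminator")
            return pos + 2
        if buf[pos + size:pos + size + 2] != b"\r\n":
            raise FramingError("bad chunk framing")
        pos += size + 2


def split_requests(stream: bytes, length_fn) -> list[bytes]:
    """Cut a keep-alive byte stream into request messages, sizing each body with length_fn."""
    out, pos = [], 0
    while pos < len(stream):
        head_end = stream.index(b"\r\n\r\n", pos)
        _request_line, _, header_block = stream[pos:head_end].partition(b"\r\n")
        length = length_fn(parse_headers(header_block))
        body_start = head_end + 4
        body_end = _past_chunked_body(stream, body_start) if length == "chunked" else body_start + length
        out.append(stream[pos:body_end])
        pos = body_end
    return out


# Constructed sample: what a proxy that honours the *last* Content-Length forwards as a single request.
VISIBLE_BODY = b"q=1\n"
HIDDEN = b"GET /admin HTTP/1.1\r\nHost: app.internal\r\nX-Smuggled: 1\r\n\r\n"
DUPLICATE_CL_STREAM = (
    b"POST /search HTTP/1.1\r\nHost: app.internal\r\n"
    + b"Content-Length: %d\r\n" % len(VISIBLE_BODY)
    + b"Content-Length: %d\r\n" % (len(VISIBLE_BODY) + len(HIDDEN))
    + b"\r\n" + VISIBLE_BODY + HIDDEN
)
# Constructed sample for the Starman/Starlet case: Content-Length and Transfer-Encoding together.
TE_CL_HEADERS = b"Host: app.internal\r\nContent-Length: 4\r\nTransfer-Encoding: chunked\r\n"


def demo() -> dict:
    """Request lines each model extracts from the duplicate-CL stream, plus the TE/CL precedence outcome."""
    first_match = split_requests(DUPLICATE_CL_STREAM, first_match_body_length)
    try:
        split_requests(DUPLICATE_CL_STREAM, strict_body_length)
        strict = "accepted"
    except FramingError as exc:
        strict = f"rejected: {exc}"
    return {
        "first_match_requests": [r.split(b"\r\n", 1)[0] for r in first_match],
        "strict": strict,
        "te_cl_first_match": first_match_body_length(parse_headers(TE_CL_HEADERS)),
    }


if __name__ == "__main__":
    print(demo())
```

Under the first-match rule the hidden GET /admin is dispatched as a second request on the same connection, exactly the path-based-ACL bypass the Bandit entry describes; the strict resolver refuses the message before any body is read. For the TE/CL case the strict resolver rejects outright, which is the simpler of the two behaviours RFC 9112 permits (the other is to honour Transfer-Encoding and close the connection afterwards).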
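
The Traefik entry (CVE-2026-39858) turns on a canonicalisation mismatch: the proxy strips X-Forwarded-Proto but not X_Forwarded_Proto, while a CGI-style backend folds both onto the same key. The example below is added here and is not Traefik's code; it models a sanitiser that only knows canonical names beside one that compares on the normalised form, and shows what an auth backend that keys headers by normalised name ends up believing. The header set, the backend name-folding rule and the function names are constructed for the example.

```python
"""Forwarded-header sanitisation that covers underscore aliases (added example, not Traefik code)."""
from __future__ import annotations

# Names the edge proxy owns: any client-supplied copy must go before the proxy adds its own values.
FORWARDED_NAMES = {"x-forwarded-proto", "x-forwarded-host", "x-forwarded-for",
                   "x-forwarded-port", "x-forwarded-prefix", "x-real-ip"}


def canonical_name(name: str) -> str:
    """Normalise the way a CGI/WSGI-style backend does: case-insensitive, '_' folded to '-'."""
    return name.strip().lower().replace("_", "-")


def sanitise_canonical_only(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Vulnerable model: strips only the dash spellings (case-insensitively)."""
    return [(n, v) for n, v in headers if n.lower() not in FORWARDED_NAMES]


def sanitise_normalised(headers: list[tuple[str, str]]) -> list[tuple[str, str]]:
    """Fixed model: compare on the canonical form, so X_Forwarded_Proto and x-forwarded_host go too."""
    return [(n, v) for n, v in headers if canonical_name(n) not in FORWARDED_NAMES]


def spoofed_aliases(headers: list[tuple[str, str]]) -> list[str]:
    """Client-sent names that alias a forwarding header under a non-canonical spelling (worth alerting on)."""
    return [n for n, _ in headers if canonical_name(n) in FORWARDED_NAMES and n.lower() != canonical_name(n)]


def edge_proxy(client_headers: list[tuple[str, str]], client_over_tls: bool, sanitiser) -> list[tuple[str, str]]:
    """Strip what the client sent, then append the proxy's own trust context."""
    forwarded = sanitiser(client_headers)
    forwarded.append(("X-Forwarded-Proto", "https" if client_over_tls else "http"))
    forwarded.append(("X-Forwarded-Host", "public.example"))
    return forwarded


def backend_view(headers: list[tuple[str, str]]) -> dict[str, list[str]]:
    """An auth backend that keys headers by canonical name: aliases collapse onto one key."""
    view: dict[str, list[str]] = {}
    for n, v in headers:
        view.setdefault(canonical_name(n), []).append(v)
    return view


# Constructed request arriving over plaintext HTTP with forged underscore aliases.
CLIENT_HEADERS = [
    ("Host", "public.example"),
    ("X-Forwarded-Proto", "https"),   # canonical spelling: both sanitisers drop it
    ("X_Forwarded_Proto", "https"),   # alias: only the normalising sanitiser drops it
    ("X_Forwarded_Host", "admin.internal"),
]


def demo() -> dict[str, list[str]]:
    """Values the backend sees for proto and host under each sanitiser, client not on TLS."""
    vuln = backend_view(edge_proxy(CLIENT_HEADERS, False, sanitise_canonical_only))
    fixed = backend_view(edge_proxy(CLIENT_HEADERS, False, sanitise_normalised))
    return {"vuln_proto": vuln["x-forwarded-proto"], "vuln_host": vuln["x-forwarded-host"],
            "fixed_proto": fixed["x-forwarded-proto"], "fixed_host": fixed["x-forwarded-host"]}


if __name__ == "__main__":
    print(demo(), spoofed_aliases(CLIENT_HEADERS))
```

With the canonical-only sanitiser the backend sees two values for the scheme and for the host, the attacker's first; whichever one its framework picks, the trust decision is now client-influenced. The normalising sanitiser leaves only the proxy's values. The same folding rule is what makes `spoofed_aliases` a cheap WAF or access-log signal: a legitimate client has no reason to send X_Forwarded_Proto.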
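
The Apache Camel Platform HTTP Main entry (CVE-2026-40022) is a coverage bug: the authentication handler is bound to the bare context path, so /api is challenged but /api/orders is not. The example below is added here and is not Camel or Vert.x code; it models a router that runs an auth handler before business routes, with an exact matcher beside a segment-aware prefix matcher, and a `uncovered_routes` check that lists every route an unauthenticated client can still reach. The route table, the auth paths and the function names are constructed for the example.

```python
"""Auth-handler coverage of a context path: exact vs prefix matching (added example, not Camel/Vert.x code)."""
from __future__ import annotations

from typing import Callable

Matcher = Callable[[str, str], bool]


def normalise(path: str) -> str:
    """Collapse empty segments and a trailing slash so '/api/' equals '/api' (dot segments not handled here)."""
    return "/" + "/".join(seg for seg in path.split("/") if seg)


def exact_match(pattern: str, path: str) -> bool:
    """Vulnerable model: the auth handler fires only on the bare context path."""
    return normalise(path) == normalise(pattern)


def prefix_match(pattern: str, path: str) -> bool:
    """Fixed model: the context path and everything below it, on a segment boundary so '/api' != '/api2'."""
    base, target = normalise(pattern), normalise(path)
    return target == base or target.startswith(base + "/")


def handle(path: str, authenticated: bool, auth_paths: list[str], matcher: Matcher, routes: set[str]) -> int:
    """Dispatch like a router that runs the auth handler before business routes: 401, 200 or 404."""
    if not authenticated and any(matcher(p, path) for p in auth_paths):
        return 401
    return 200 if normalise(path) in routes else 404


def uncovered_routes(auth_paths: list[str], matcher: Matcher, routes: set[str]) -> list[str]:
    """The check to run against a router: every route an unauthenticated client still reaches."""
    return sorted(r for r in routes if handle(r, False, auth_paths, matcher, routes) == 200)


# Constructed routes behind camel.server.path=/api and camel.management.path=/admin.
ROUTES = {"/api", "/api/orders", "/admin/observe/info", "/admin/observe/health"}
AUTH_PATHS = ["/api", "/admin"]


def demo() -> tuple[list[str], list[str]]:
    """Unauthenticated-reachable routes with the exact matcher, then with the prefix matcher."""
    return uncovered_routes(AUTH_PATHS, exact_match, ROUTES), uncovered_routes(AUTH_PATHS, prefix_match, ROUTES)


if __name__ == "__main__":
    print(demo())
```

The exact matcher leaves every subpath open, including the management /admin/observe/info endpoint the entry calls out, while /api itself still answers 401, which is why a quick check against the context path alone looks healthy. Running `uncovered_routes` over the real route table is the test that would have caught this.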
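
The Apache Camel JMS entry (CVE-2026-40453) is a mismatch between a case-sensitive filter and a case-insensitive store: a header spelled CAmelExecCommandExecutable passes a `startsWith("Camel")` check and is then found by a lookup for CamelExecCommandExecutable. The example below is added here and is not Camel's code; it builds a small case-insensitive header map, applies a case-sensitive prefix filter beside a lower-casing one, and shows what a downstream lookup by canonical name resolves after each. The inbound message, the header names and the function names are constructed for the example.

```python
"""Header filtering when the store is case-insensitive but the filter is not (added example, not Camel code)."""
from __future__ import annotations

from typing import Iterable


class CaseInsensitiveHeaders:
    """Header map that ignores case on get/set but keeps the spelling it was given, as a message exchange might."""

    def __init__(self, items: Iterable[tuple[str, object]] = ()):
        self._items: dict[str, tuple[str, object]] = {}
        for name, value in items:
            self[name] = value

    def __setitem__(self, name: str, value: object) -> None:
        self._items[name.lower()] = (name, value)

    def get(self, name: str, default=None):
        entry = self._items.get(name.lower())
        return entry[1] if entry is not None else default

    def items(self) -> list[tuple[str, object]]:
        return list(self._items.values())

    def names(self) -> list[str]:
        return [name for name, _ in self.items()]


def filter_case_sensitive(headers: CaseInsensitiveHeaders) -> CaseInsensitiveHeaders:
    """Vulnerable model: drop names starting with exactly 'Camel' or 'camel'; 'CAmel...' passes."""
    return CaseInsensitiveHeaders((n, v) for n, v in headers.items() if not n.startswith(("Camel", "camel")))


def filter_lowercased(headers: CaseInsensitiveHeaders) -> CaseInsensitiveHeaders:
    """Fixed model: lower-case the name before the prefix test, matching how the store resolves it."""
    return CaseInsensitiveHeaders((n, v) for n, v in headers.items() if not n.lower().startswith("camel"))


# Constructed message from an untrusted producer on the broker a route consumes from.
INBOUND = CaseInsensitiveHeaders([
    ("JMSCorrelationID", "order-42"),
    ("CamelFileName", "report.txt"),             # canonical spelling: both filters drop it
    ("CAmelExecCommandExecutable", "/bin/sh"),   # case variant: only the lower-casing filter drops it
    ("cAMELExecCommandArgs", "-c id"),
])

EXEC_HEADER = "CamelExecCommandExecutable"  # the canonical name a downstream component looks up


def demo() -> tuple[object, object]:
    """What a lookup by canonical name resolves after each filter; the variant survives the first."""
    return filter_case_sensitive(INBOUND).get(EXEC_HEADER), filter_lowercased(INBOUND).get(EXEC_HEADER)


if __name__ == "__main__":
    print(demo())
```

The rule this illustrates is general: a filter and the store it protects must canonicalise identically, otherwise every spelling the store accepts but the filter does not is a bypass. Checking names after lower-casing, as the HTTP strategy already did, closes the gap.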
