
SingCERT Security Bulletin Summarizes NIST Vulnerability Database

Source: CSA Alerts & Advisories (Singapore), www.csa.gov.sg

Summary

The Cyber Security Agency of Singapore (CSA) SingCERT published a security bulletin summarizing critical vulnerabilities from NIST's National Vulnerability Database. The bulletin categorizes CVEs by CVSSv3 base scores, listing vulnerabilities scoring 9.0-10.0 (Critical), 7.0-8.9 (High), 4.0-6.9 (Medium), and 0.1-3.9 (Low). Critical vulnerabilities include Axios prototype pollution (CVE-2026-40175, score 10.0), Sonicverse SSRF (CVE-2026-40089, score 9.9), SAP SQL injection (CVE-2026-27681, score 9.9), Axios proxy bypass (CVE-2025-62718, score 9.9), and PraisonAI sandbox escape (CVE-2026-39888, score 9.9).

What changed

SingCERT published a security bulletin summarizing vulnerabilities from NIST's National Vulnerability Database. The bulletin organizes CVEs by severity using CVSSv3 base scores and provides technical descriptions of critical vulnerabilities affecting widely-used software including Axios (prototype pollution/RCE), Sonicverse (SSRF), SAP Business Planning/Warehouse (SQL injection), and PraisonAI (sandbox escape).

Organizations using affected software versions should prioritize reviewing patches: Axios fixed in 1.15.0 and 0.3.1/0.31.0; Sonicverse patched in commit cb1ddbac; PraisonAI fixed in 1.5.115. Organizations should monitor NVD for updated CVSS scores on unrated vulnerabilities and ensure security teams assess exposure across their technology environments.

What to do next

  1. Review critical vulnerabilities listed in the bulletin
  2. Check NVD for complete CVSS vulnerability entries and patches
  3. Update affected software to fixed versions as specified

Archived snapshot

Apr 15, 2026

GovPing captured this document from the original source. If the source has since changed or been removed, this is the text as it existed at that time.

SecurityBulletin15April2026

Generatedon15April2026

SingCERT'sSecurityBulletinsummarisesthelistofvulnerabilitiescollatedfromtheNationalInstituteofStandardsandTechnology(NIST)'sNational VulnerabilityDatabase(NVD)inthepastweek. Thevulnerabilitiesaretabledbasedonseverity,inaccordancetotheirCVSSv3basescores: vulnerabilitieswithabasescoreof9.0toCritical 10.0 vulnerabilitieswithabasescoreof7.0toHigh 8.9 vulnerabilitieswithabasescoreof4.0toMedium 6.9 vulnerabilitieswithabasescoreof0.1toLow 3.9 None vulnerabilitieswithabasescoreof0.0 ForthosevulnerabilitieswithoutassignedCVSSscores,pleasevisitNVDfortheupdatedCVSSvulnerabilityentries.

CRITICALVULNERABILITIES

CVE Base Description ReferenceNumber Score

AxiosisapromisebasedHTTPclientforthebrowserandNode.js.Priorto1.15.0and0.3.1,theAxioslibraryis CVE-2026-vulnerabletoaspecific"Gadget"attackchainthatallowsPrototypePollutioninanythird-partydependencyto 10.0 MoreDetails40175beescalatedintoRemoteCodeExecution(RCE)orFullCloudCompromise(viaAWSIMDSv2bypass).This vulnerabilityisfixedin1.15.0and0.3.1. SonicverseisaSelf-hostedDockerComposestackforliveradiostreaming.TheSonicverseRadioAudio StreamingStackdashboardcontainsaServer-SideRequestForgery(SSRF)vulnerabilityinitsAPIclient (apps/dashboard/lib/api.ts).Installationscreatedusingtheprovidedinstall.shscript(includingtheone‑liner CVE-2026-bash<(curl-fsSLhttps://sonicverse.short.gy/install-audiostack))areaffected.Inthesedeployments,the 9.9 MoreDetails40089dashboardacceptsuser-controlledURLsandpassesthemdirectlytoaserver-sideHTTPclientwithout sufficientvalidation.AnauthenticatedoperatorcanabusethistomakearbitraryHTTPrequestsfromthe dashboardbackendtointernalorexternalsystems.Thisvulnerabilityisfixedwithcommit cb1ddbacafcb441549fe87d3eeabdb6a085325e4. DuetoinsufficientauthorizationchecksinSAPBusinessPlanningandConsolidationandSAPBusinessCVE-2026-Warehouse,anauthenticatedusercanexecutecraftedSQLstatementstoread,modify,anddeletedatabase 9.9 MoreDetails27681data.Thisleadstoahighimpactontheconfidentiality,integrity,andavailabilityofthesystem. 
AxiosisapromisebasedHTTPclientforthebrowserandNode.js.Priorto1.15.0and0.31.0,Axiosdoesnot correctlyhandlehostnamenormalizationwhencheckingNOPROXYrules.Requeststoloopbackaddresseslike localhost.(withatrailingdot)or[::1](IPv6literal)skipNOPROXYmatchingandgothroughtheconfiguredCVE-2025-proxy.Thisgoesagainstwhatdevelopersexpectandletsattackersforcerequeststhroughaproxy,evenif 9.9 MoreDetails62718NOPROXYissetuptoprotectloopbackorinternalservices.Thisissueleadstothepossibilityofproxybypass andSSRFvulnerabilitiesallowingattackerstoreachsensitiveloopbackorinternalservicesdespitethe configuredprotections.Thisvulnerabilityisfixedin1.15.0and0.31.0. PraisonAIisamulti-agentteamssystem.Priorto1.5.115,executecode()inpraisonaiagents.tools.pythontools defaultstosandboxmode="sandbox",whichrunsusercodeinasubprocesswrappedwitharestricted builtinsdictandanAST-basedblocklist.TheASTblocklistembeddedinsidethesubprocesswrapper (blockedattrsofpythontools.py)containsonly11attributenames--astrictsubsetofthe30+namesCVE-2026-blockedinthedirect-executionpath.Thefourattributesthatformaframe-traversalchainoutofthesandbox 9.9 MoreDetails39888areallabsentfromthesubprocesslist(traceback,tbframe,fback,andf_builtins).Chainingthese attributesthroughacaughtexceptionexposestherealPythonbuiltinsdictofthesubprocesswrapperframe, fromwhichexeccanberetrievedandcalledunderanon-blockedvariablename--bypassingeveryremaining securitylayer.Thisvulnerabilityisfixedin1.5.115. CVE-2026-Anauthenticatedarbitraryfileuploadvulnerabilityinthe/admin/tinymce/uploadendpointofWebkulKrayin 9.9 MoreDetails38526CRMv2.2.xallowsattackerstoexecutearbitrarycodeviauploadingacraftedPHPfile. InJujuversionspriorto2.9.57and3.6.21,anauthorizationissueexistsintheControllerfacade.An

CVE-2026- authenticatedusercancalltheCloudSpecAPImethodtoextractthecloudcredentialsusedtobootstrapthe 9.9 MoreDetails controller.Thisallowsalow-privilegedusertoaccesssensitivecredentials.ThisissueisresolvedinJuju versions2.9.57and3.6.21. Jellyfinisanopensourceselfhostedmediaserver.Versionspriorto10.11.7containavulnerabilitychaininthe subtitleuploadendpoint(POST/Videos/{itemId}/Subtitles),wheretheFormatfieldisnotvalidated,allowing pathtraversalviathefileextensionandenablingarbitraryfilewrite.Thisarbitraryfilewritecanbechained CVE-2026- intoarbitraryfilereadvia.strmfiles,databaseextraction,adminprivilegeescalation,andultimatelyremote 9.9 MoreDetails35031 codeexecutionasrootviald.so.preload.Exploitationrequiresanadministratoraccountorauserthathasbeen explicitlygrantedthe"UploadSubtitles"permission.Thisissuehasbeenfixedinversion10.11.7.Ifusersare unabletoupgradeimmediately,theycangrantnon-administratorusersSubtitleuploadpermissionstoreduce attacksurface. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Affectedisthefunction CVE-2026- setWiFiAclRulesofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationoftheargument 5978 modeleadstooscommandinjection.Theattackcanbeinitiatedremotely.Theexploithasbeendisclosed publiclyandmaybeused. AvulnerabilitywasdetectedinTotolinkA7100RU7.4cu.2313b20191024.Theaffectedelementisthefunction CVE-2026- setVpnAccountCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationofthe 6029 argumentUserresultsinoscommandinjection.Theattackmaybelaunchedremotely.Theexploitisnow publicandmaybeused. 
AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Impactedisthe CVE-2026- functionsetPptpServerCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationofthe 6028 argumentenableleadstooscommandinjection.Theattackmaybeinitiatedremotely.Theexploithasbeen disclosedpubliclyandmaybeused. AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.Thisaffectsthefunction CVE-2026- setStorageCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulationofthe 5976 argumentsambaEnabledresultsinoscommandinjection.Itispossibletoinitiatetheattackremotely.The exploithasbeenreleasedtothepublicandmaybeusedforattacks. AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Thisissueaffectsthefunction CVE-2026- setUrlFilterRulesofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Executingamanipulationofthe 6027 argumentenablecanleadtooscommandinjection.Theattackcanbelaunchedremotely.Theexploithas beenmadeavailabletothepublicandcouldbeusedforattacks. AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.Thisvulnerabilityaffectsthe functionsetPortalConfWeChatofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.PerformingaCVE-2026- manipulationoftheargumentenableresultsinoscommandinjection.Theattackcanbeinitiatedremotely.6026 Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. AvulnerabilitywasidentifiedinTotolinkA7100RU7.4cu.2313_b20191024.Thisaffectsthefunction CVE-2026- setSyslogCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Suchmanipulationoftheargument 6025 enableleadstooscommandinjection.Itispossibletolaunchtheattackremotely.Theexploitispublicly

AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Thisimpactsthefunction CVE-2026-setWiFiBasicCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Executingamanipulationofthe 5977argumentwifiOffcanleadtooscommandinjection.Itispossibletolaunchtheattackremotely.Theexploithas beenmadeavailabletothepublicandcouldbeusedforattacks. AUseofDefaultPasswordvulnerabilityintheJuniperNetworksSupportInsights(JSI)VirtualLightweight Collector(vLWC)allowsanunauthenticated,network-basedattackertotakefullcontrolofthedevice.vLWCCVE-2026-softwareimagesshipwithaninitialpasswordforahighprivilegedaccount.Achangeofthispasswordisnot33784enforcedduringtheprovisioningofthesoftware,whichcanmakefullaccesstothesystembyunauthorized actorspossible.ThisissueaffectsallversionsofvLWCbefore3.0.94. AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.Theaffectedelementisthe CVE-2026-functionsetWizardCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulation 6154oftheargumentwizardresultsinoscommandinjection.Theattackmaybeinitiatedremotely.Theexploithas beenreleasedtothepublicandmaybeusedforattacks. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Theaffectedelement CVE-2026-isthefunctionsetAdvancedInfoShowofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.The 5996manipulationoftheargumentttyserverleadstooscommandinjection.Itispossibletoinitiatetheattack remotely.Theexploithasbeendisclosedpubliclyandmaybeused. 
AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Impactedisthefunction CVE-2026-setMiniuiHomeInfoShowofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Executingamanipulation 5995oftheargumentlaninfocanleadtooscommandinjection.Theattackmaybeperformedfromremote.The exploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. CVE-2026-Arithmeticoverinductionvariablesinloopswerenotcorrectlycheckedforunderfloworoverflow.Asaresult, 27143thecompilerwouldallowforinvalidindexingtooccuratruntime,potentiallyleadingtomemorycorruption.

AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.Thisissueaffectsthe CVE-2026-functionsetTelnetCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulation oftheargumenttelnetenabledresultsinoscommandinjection.Theattackispossibletobecarriedout remotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. AvulnerabilitywasidentifiedinTotolinkA7100RU7.4cu.2313_b20191024.Thisvulnerabilityaffectsthe CVE-2026-functionsetWiFiGuestCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Suchmanipulationofthe 5993argumentwifiOffleadstooscommandinjection.Theattackcanbeexecutedremotely.Theexploitispublicly

SmartSlider3Proversion3.5.1.35forWordPressandJoomlacontainsamulti-stageremoteaccesstoolkit injectedthroughacompromisedupdatesystemthatallowsunauthenticatedattackerstoexecutearbitrary CVE-2026-codeandcommands.Attackerscantriggerpre-authenticationremoteshellexecutionviaHTTPheaders, 34424establishauthenticatedbackdoorsacceptingarbitraryPHPcodeorOScommands,createhiddenadministrator accounts,exfiltratecredentialsandaccesskeys,andmaintainpersistencethroughmultipleinjectionpoints includingmust-usepluginsandcorefilemodifications. AvulnerabilitywasdetectedinTotolinkA7100RU7.4cu.2313b20191024.Theimpactedelementisthe CVE-2026-functionsetLoginPasswordCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationof 5997theargumentadmpassresultsinoscommandinjection.Itispossibletolaunchtheattackremotely.The exploitisnowpublicandmaybeused. CVE-2026-FalkorDBBrowser1.9.3containsanunauthenticatedpathtraversalvulnerabilityinthefileuploadAPIthat 6057allowsremoteattackerstowritearbitraryfilesandachieveremotecodeexecution. CVE-2025-owntone-server2ca10d9isvulnerabletoBufferOverflowduetolackofrecursivechecking. 9.8 MoreDetails44560 AflawhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.Theimpactedelementisthefunction CVE-2026-setAccessDeviceCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Thismanipulationofthe 6138argumentmaccausesoscommandinjection.Theattackcanbeinitiatedremotely.Theexploithasbeen publishedandmaybeused. 
AvulnerabilityhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.Thisvulnerabilityaffectsthe CVE-2026-functionsetDiagnosisCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationofthe 6116argumentipleadstooscommandinjection.Remoteexploitationoftheattackispossible.Theexploithasbeen disclosedtothepublicandmaybeused. AflawhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.ThisaffectsthefunctionsetAppCfgofthe CVE-2026-file/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Executingamanipulationoftheargumentenablecan 6115leadtooscommandinjection.Theattackmaybelaunchedremotely.Theexploithasbeenpublishedandmay beused. AvulnerabilitywasdetectedinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythisissueisthefunction CVE-2026-setNetworkCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulationofthe 6114argumentprotoresultsinoscommandinjection.Theattackmaybeinitiatedremotely.Theexploitisnow publicandmaybeused. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythis CVE-2026-vulnerabilityisthefunctionsetTtyServiceCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Such 6113manipulationoftheargumentttyEnableleadstooscommandinjection.Theattackcanbelaunchedremotely. Theexploithasbeendisclosedpubliclyandmaybeused. AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Affectedisthefunction CVE-2026-setRadvdCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Thismanipulationoftheargument 6112maxRtrAdvIntervalcausesoscommandinjection.Theattackcanbeinitiatedremotely.Theexploithasbeen madeavailabletothepublicandcouldbeusedforattacks. 
AvulnerabilitywasdeterminedinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythisissueisthe CVE-2026-functionsetLedCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Thismanipulationofthe 6132argumentenablecausesoscommandinjection.Remoteexploitationoftheattackispossible.Theexploithas beenpubliclydisclosedandmaybeutilized. goshsisaSimpleHTTPServerwritteninGo.Priorto2.0.0-beta.4,goshsenforcesthedocumentedper-folder .goshsACL/basic-authmechanismfordirectorylistingsandfilereads,butitdoesnotenforcethesame authorizationchecksforstate-changingroutes.AnunauthenticatedattackercanuploadfileswithPUT,uploadCVE-2026-fileswithmultipartPOST/upload,createdirectorieswith?mkdir,anddeletefileswith?deleteinsidea.goshs-40189protecteddirectory.Bydeletingthe.goshsfileitself,theattackercanremovethefolder'sauthpolicyandthen accesspreviouslyprotectedcontentwithoutcredentials.Thisresultsinacriticalauthorizationbypassaffecting confidentiality,integrity,andavailability.Thisvulnerabilityisfixedin2.0.0-beta.4. AvulnerabilityhasbeenfoundinTotolinkA7100RU7.4cu.2313b20191024.Thisaffectsthefunction CVE-2026-UploadOpenVpnCertofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Suchmanipulationofthe argumentFileNameleadstooscommandinjection.Theattackcanbelaunchedremotely.Theexploithasbeen disclosedtothepublicandmaybeused. AvulnerabilitywasidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Theimpactedelementisthe

CVE-2026- functionsetDmzCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Suchmanipulationofthe argumentwanIdxleadstooscommandinjection.Theattackmaybeperformedfromremote.Theexploitis publiclyavailableandmightbeused. AvulnerabilitywasfoundinTotolinkA7100RU7.4cu.2313b20191024.Thisimpactsthefunction CVE-2026- UploadFirmwareFileofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulationof 6140 theargumentFileNameresultsinoscommandinjection.Theattackmaybeinitiatedremotely.Theexploithas beenmadepublicandcouldbeused. AnissuewasdiscoveredinBMCControl-M/MFT9.0.20through9.0.22.AsetofdefaultdebugusercredentialsisCVE-2026- hardcodedincleartextwithintheapplicationpackage.Ifleftunchanged,thesecredentialscanbeeasily23781 obtainedandmayallowunauthorizedaccesstotheMFTAPIdebuginterface. CVE-2026- SourceCodesterEngineersOnlinePortalv1.0isvulnerabletoSQLInjectioninupdatepassword.phpviathe 36236 newpasswordparameter. ASQLinjectionvulnerabilitywasfoundinthescheduleSubList.phpfileofitsourcecodeOnlineStudentCVE-2026- EnrollmentSystemv1.0.Thereasonforthisissueisthatthe'subjcode'parameterisdirectlyembeddedinto36235 theSQLqueryviastringinterpolationwithoutanysanitizationorvalidation. CVE-2026- itsourcecodeOnlineStudentEnrollmentSystemv1.0isvulnerabletoSQLInjectioninnewCourse.phpviathe 36234 'coursename'parameter. ASQLinjectionvulnerabilitywasfoundintheassignInstructorSubjects.phpfileofitsourcecodeOnlineStudentCVE-2026- EnrollmentSystemv1.0.Thereasonforthisissueisthatattackerscaninjectmaliciouscodeviatheparameter36233 "subjcode"anduseitdirectlyinSQLquerieswithouttheneedforappropriatecleaningorvalidation. 
ASQLinjectionvulnerabilitywasfoundintheinstructorClasses.phpfileofitsourcecodeOnlineStudentCVE-2026- EnrollmentSystemv1.0.Thereasonforthisissueisthatthe'classId'parameterfrom$GET['classId']is36232 directlyconcatenatedintotheSQLquerywithoutanysanitizationorvalidation. CVE-2026- PHP-MYSQL-User-Login-Systemv1.0wasdiscoveredtocontainaSQLinjectionvulnerabilityviatheusername 29861 parameteratlogin.php. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Thisaffectsthe CVE-2026- functionsetIpQosRulesofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationofthe 6156 argumentCommentleadstooscommandinjection.Remoteexploitationoftheattackispossible.Theexploit hasbeendisclosedpubliclyandmaybeused. AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313.Theimpactedelementisthefunction CVE-2026- setWanCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Executingamanipulationofthe 6155 argumentpppoeServiceNamecanleadtooscommandinjection.Theattackmaybelaunchedremotely.The exploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. AvulnerabilitywasfoundinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythisvulnerabilityisthe CVE-2026- functionsetTracerouteCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationofthe 6131 argumentcommandresultsinoscommandinjection.Theattackmaybelaunchedremotely.Theexploithas beenmadepublicandcouldbeused. 
RaceinMediainGoogleChromeonAndroidpriorto147.0.7727.55allowedaremoteattackerwhohadCVE-2026- compromisedtherendererprocesstocorruptmediastreammetadataviaacraftedHTMLpage.(Chromium5902 securityseverity:Low) PraisonAIisamulti-agentteamssystem.Inversionsbelow4.5.139ofPraisonAIand1.5.140ofpraisonaiagents, theworkflowengineisvulnerabletoarbitrarycommandandcodeexecutionthroughuntrustedYAMLfiles. Whenpraisonaiworkflowrun loadsaYAMLfilewithtype:job,theJobWorkflowExecutorin jobworkflow.pyprocessesstepsthatsupportrun:(shellcommandsviasubprocess.run()),script:(inlinePython viaexec()),andpython:(arbitraryPythonscriptexecution)--allwithoutanyvalidation,sandboxing,oruserCVE-2026- confirmation.Theaffectedcodepathsincludeactionrun()inworkflow.pyandexecshell(),40288 execinlinepython(),andexecpythonscript()injobworkflow.py.Anattackerwhocansupplyorinfluencea workflowYAMLfile(particularlyinCIpipelines,sharedrepositories,ormulti-tenantdeploymentenvironments) canachievefullarbitrarycommandexecutiononthehostsystem,compromisingthemachineandany accessibledataorcredentials.Thisissuehasbeenfixedinversions4.5.139ofPraisonAIand1.5.140of praisonaiagents. CVE-2025- Improperinputhandlingin/Grocery/searchproductsitname.php,inanirudhkannanGroceryStore 63939 ManagementSystem1.0,allowsSQLinjectionviathesitemnamePOSTparameter. 
PraisonAIisamulti-agentteamssystem.Priorto4.5.115,theAgentService.loadAgentFromFilemethoduses thejs-yamllibrarytoparseYAMLfileswithoutdisablingdangeroustags(suchas!!js/functionandCVE-2026- !!js/undefined).ThisallowsanattackertocraftamaliciousYAMLfilethat,whenparsed,executesarbitrary39890 JavaScriptcode.Anattackercanexploitthisvulnerabilitybyuploadingamaliciousagentdefinitionfileviathe APIendpoint,leadingtoremotecodeexecution(RCE)ontheserver.Thisvulnerabilityisfixedin4.5.115. CVE-2025- Inmanikandan580School-management-system1.0,atime-basedblindSQLinjectionvulnerabilityexistsin 65135 /studentms/admin/between-date-reprtsdetails.phpthroughthefromdatePOSTparameter. TheProSolutionWPClientpluginforWordPressisvulnerabletoarbitraryfileuploadsduetomissingfiletype

CVE-2026- validationinthe'proSolfileUploadProcess'functioninallversionsupto,andincluding,1.9.9.Thismakesit possibleforunauthenticatedattackerstouploadarbitraryfilesontheaffectedsite'sserverwhichmaymake remotecodeexecutionpossible. CVE-2025- TendaAC615.03.05.16multiisvulnerabletoBufferOverflowintheformSetCfmfunctionviathefuncname, 52221 funcpara1,andfuncpara2parameters. Aimproperneutralizationofspecialelementsusedinanoscommand('oscommandinjection')vulnerabilityinCVE-2026- FortinetFortiSandbox4.4.0through4.4.8mayallowattackertoexecuteunauthorizedcodeorcommandsvia39808 XWikiPlatformisagenericwikiplatformofferingruntimeservicesforapplicationsbuiltontopofit.Priorto 17.4.8and17.10.1,animproperlyprotectedscriptingAPIallowsanyuserwithscriptrighttobypassthe CVE-2026- sandboxingoftheVelocityscriptingAPIandexecute,e.g.,arbitraryPythonscripts,allowingfullaccesstothe 33229 XWikiinstanceandtherebycompromisingtheconfidentiality,integrityandavailabilityofthewholeinstance. Notethatscriptrightalreadyconstitutesahighlevelofaccessthatwedon'trecommendgivingtountrusted users.Thisvulnerabilityisfixedin17.4.8and17.10.1. CVE-2026- Avulnerabilitywasidentifiedinstata-mcppriortov1.13.0whereinsufficientvalidationofuser-suppliedStata 31040 do-filecontentcanleadtocommandexecution. CVE-2026- Apathtraversal:'../filedir'vulnerabilityinFortinetFortiSandbox5.0.0through5.0.5,FortiSandbox4.4.0 39813 through4.4.8mayallowattackertoescalationofprivilegevia CVE-2026- DoublefreeinWindowsIKEExtensionallowsanunauthorizedattackertoexecutecodeoveranetwork. 9.833824 TheDSGVOGoogleWebFontsGDPRpluginforWordPressisvulnerabletoarbitraryfileuploadduetomissing filetypevalidationintheDSGVOGWPdownloadGoogleFonts()functioninallversionsupto,andincluding,1.1. 
Thefunctionisexposedviaawp_ajax_nopriv_hook,requiringnoauthentication.Itfetchesauser-suppliedCVE-2026- URLasaCSSfile,extractsURLsfromitscontent,anddownloadsthosefilestoapubliclyaccessibledirectory3535 withoutvalidatingthefiletype.Thismakesitpossibleforunauthenticatedattackerstouploadarbitraryfiles includingPHPwebshells,leadingtoremotecodeexecution.Theexploitrequiresthesitetouseoneofa handfulofspecificthemes(twentyfifteen,twentyseventeen,twentysixteen,storefront,salient,orshapely). TheUsersmanager-PNpluginforWordPressisvulnerabletoPrivilegeEscalationviaArbitraryUserMeta Updateinallversionsuptoandincluding1.1.15.Thisisduetoaflawedauthorizationlogiccheckinthe userspnajaxnoprivserver()functionwithinthe'userspnformsave'case.Theconditionalonlyblocks unauthenticateduserswhentheuseridisempty,butwhenanon-emptyuseridissupplied,executionCVE-2026- bypassesthischeckentirelyandproceedstoupdatearbitraryusermetaviaupdateusermeta()withoutany4003 authenticationorauthorizationverification.Additionally,thenoncerequiredforthisAJAXendpoint('userspn- nonce')isexposedtoallvisitorsviawplocalizescriptonthepublicwpenqueuescriptshook,renderingthe noncecheckineffectiveasasecuritycontrol.Thismakesitpossibleforunauthenticatedattackerstoupdate arbitraryusermetadataforanyuseraccount,includingtheuserspnsecrettokenfield. 
TheEverestFormspluginforWordPressisvulnerabletoPHPObjectInjectioninallversionsupto,and including,3.4.3viadeserializationofuntrustedinputfromformentrymetadata.Thisisduetothehtml-admin- page-entries-view.phpfilecallingPHP'snativeunserialize()onstoredentrymetavalueswithoutpassingthe CVE-2026- allowedclassesparameter.ThismakesitpossibleforunauthenticatedattackerstoinjectaserializedPHP 3296 objectpayloadthroughanypublicEverestFormsformfield.Thepayloadsurvivessanitizetextfield() sanitization(serializationcontrolcharactersarenotstripped)andisstoredinthewpevfentrymetadatabase table.Whenanadministratorviewsentriesorviewsanindividualentry,theunsafeunserialize()callprocesses thestoreddatawithoutclassrestrictions. TheQuickPlaygroundpluginforWordPressisvulnerabletoRemoteCodeExecutioninallversionsupto,and CVE-2026- including,1.3.1.ThisisduetoinsufficientauthorizationchecksonRESTAPIendpointsthatexposeasynccode 1830 andallowarbitraryfileuploads.Thismakesitpossibleforunauthenticatedattackerstoretrievethesynccode, uploadPHPfileswithpathtraversal,andachieveremotecodeexecutionontheserver. AvulnerabilitywasidentifiedinTotolinkA7100RU7.4cu.2313b20191024.Thisaffectsthefunction CVE-2026- setVpnPassCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationoftheargument 5850 pptpPassThruleadstooscommandinjection.Remoteexploitationoftheattackispossible.Theexploitis publiclyavailableandmightbeused. AsecurityflawhasbeendiscoveredinTotolinkA7100RU7.4cu.2313b20191024.Thisimpactsthefunction CVE-2026- setUPnPCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Themanipulationoftheargument 5851 enableresultsinoscommandinjection.Theattackcanbeexecutedremotely.Theexploithasbeenreleasedto thepublicandmaybeusedforattacks. 
AweaknesshasbeenidentifiedinTotolinkA7100RU7.4cu.2313_b20191024.Affectedisthefunction CVE-2026- setIptvCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Thismanipulationoftheargument 5852 igmpVercausesoscommandinjection.Theattackispossibletobecarriedoutremotely.Theexploithasbeen madeavailabletothepublicandcouldbeusedforattacks. CVE-2025- Anattackercouldusedataobtainedbysniffingthenetworktraffictoforgepacketsinordertomakearbitrary 13926 requeststoContemporaryControlsBASC20T.

TotaraLMSv19.1.5andbeforeisvulnerabletoIncorrectAccessControl.TheloginpagecodecanbeCVE-2026-manipulatedtorevealtheloginform.Anattackercanchainthatwithmissingrate-limitontheloginformto31282launchabruteforceattack. CVE-2026-AnissuewasdiscoveredinToToLinkA3300Rfirmwarev17.0.0cu.557B20221024allowingattackerstoexecute 31170arbitrarycommandsviathestun-passparameterto/cgi-bin/cstecgi.cgi. CVE-2026-InTotaraLMSv19.1.5andbefore,theforgotpasswordAPIdoesnotimplementratelimitingforthetargetemail 31283address.whichcanbeusedforanEmailBombingattack. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythisissue CVE-2026-isthefunctionsetPasswordCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Suchmanipulation 6195oftheargumentadmpassleadstooscommandinjection.Theattackcanbeexecutedremotely.Theexploit hasbeendisclosedpubliclyandmaybeused. Pachno1.0.6containsanXMLexternalentityinjectionvulnerabilitythatallowsunauthenticatedattackersto CVE-2026-readarbitraryfilesbyexploitingunsafeXMLparsingintheTextParserhelper.Attackerscaninjectmalicious 40042XMLentitiesthroughwikitablesyntaxandinlinetagsinissuedescriptions,comments,andwikiarticlesto triggerentityresolutionviasimplexmlloadstring()withoutLIBXMLNONETrestrictions. Pachno1.0.6containsadeserializationvulnerabilitythatallowsunauthenticatedattackerstoexecutearbitrary CVE-2026-codebyinjectingmaliciousserializedobjectsintocachefiles.AttackerscanwritePHPobjectpayloadstoworld- 40044writablecachefileswithpredictablenamesinthecachedirectory,whichareunserializedduringframework bootstrapbeforeauthenticationchecksoccur. 
AheapbufferoverflowvulnerabilityexistsduringthedecodingofPALETTECOLORDICOMimages.Pixel CVE-2026-lengthvalidationuses32-bitmultiplicationforwidthandheightcalculations.Ifthesevaluesoverflow,the 5443validationcheckincorrectlysucceeds,allowingthedecodertoreadandwritetomemorybeyondallocated buffers. AheapbufferoverflowvulnerabilityexistsintheDICOMimagedecoder.Dimensionfieldsareencodedusing CVE-2026-ValueRepresentation(VR)UnsignedLong(UL),insteadoftheexpectedVRUnsignedShort(US),whichallows 5442extremelylargedimensionstobeprocessed.Thiscausesanintegeroverflowduringframesizecalculationand resultsinout-of-boundsmemoryaccessduringimagedecoding. AmaliciousactorwithaccesstotheUniFiPlaynetworkcouldexploitaPathTraversalvulnerabilityfoundinthe devicefirmwaretowritefilesonthesystemthatcouldbeusedforaremotecodeexecution(RCE).AffectedCVE-2026-Products:UniFiPlayPowerAmp(Version1.0.35andearlier)UniFiPlayAudioPort(Version1.0.24andearlier)22562Mitigation:UpdateUniFiPlayPowerAmptoVersion1.0.38orlaterUpdateUniFiPlayAudioPorttoVersion1.1.9 orlater AseriesofImproperInputValidationvulnerabilitiescouldallowaCommandInjectionbyamaliciousactorwith CVE-2026-accesstotheUniFiPlaynetwork.AffectedProducts:UniFiPlayPowerAmp(Version1.0.35andearlier)UniFi 22563PlayAudioPort(Version1.0.24andearlier)Mitigation:UpdateUniFiPlayPowerAmptoVersion1.0.38orlater UpdateUniFiPlayAudioPorttoVersion1.1.9orlater AnImproperAccessControlvulnerabilitycouldallowamaliciousactorwithaccesstotheUniFiPlaynetworkto CVE-2026-enableSSHtomakeunauthorizedchangestothesystem.AffectedProducts:UniFiPlayPowerAmp(Version 225641.0.35andearlier)UniFiPlayAudioPort(Version1.0.24andearlier)Mitigation:UpdateUniFiPlayPowerAmpto 
Version1.0.38orlaterUpdateUniFiPlayAudioPorttoVersion1.1.9orlater AcriticalvulnerabilityintheTalendJobServerandTalendRuntimeallowsunauthenticatedremotecode executionviatheJMXmonitoringport.TheattackvectoristheJMXmonitoringportoftheTalendJobServer. CVE-2026-ThevulnerabilitycanbemitigatedfortheTalendJobServerbyrequiringTLSclientauthenticationforthe 6264monitoringport;however,thepatchmustbeappliedforfullmitigation.ForTalendESBRuntime,the vulnerabilitycanbemitigatedbydisablingtheJobServerJMXmonitoringport,whichisdisabledbydefaultfrom theR2024-07-RTpatch. AvulnerabilitywasdetectedinTotolinkA7100RU7.4cu.2313b20191024.Affectedbythisissueisthefunction CVE-2026-setWiFiEasyCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Performingamanipulationofthe 5854argumentmergeresultsinoscommandinjection.Itispossibletoinitiatetheattackremotely.Theexploitis nowpublicandmaybeused. AsecurityvulnerabilityhasbeendetectedinTotolinkA7100RU7.4cu.2313_b20191024.Affectedbythis CVE-2026-vulnerabilityisthefunctionsetIpv6LanCfgofthefile/cgi-bin/cstecgi.cgiofthecomponentCGIHandler.Such 5853manipulationoftheargumentaddrPrefixLenleadstooscommandinjection.Theattackmaybeperformedfrom remote.Theexploithasbeendisclosedpubliclyandmaybeused. CFImageHostingScript1.6.5allowsunauthenticatedattackerstodownloadanddecodetheapplicationCVE-2019-databasebyaccessingtheimgdb.dbfileintheupload/datadirectory.AttackerscanextractdeleteIDsstoredin25709plaintextfromthedeserializeddatabaseandusethemtodeleteallpicturesviathedparameter. 
AdobeConnectversions2025.3,12.10andearlierareaffectedbyaDeserializationofUntrustedDataCVE-2026-vulnerabilitythatcouldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthis 9.6 MoreDetails27303issuedoesnotrequireuserinteraction.Scopeischanged. NuGetGalleryisapackagerepositorythatpowersnuget.org.AsecurityvulnerabilityexistsintheNuGetGallery

backendjob'shandlingof.nuspecfileswithinNuGetpackages.Anattackercansupplyacraftednuspecfile withmaliciousmetadata,leadingtocrosspackagemetadatainjectionthatmayresultinremotecodeCVE-2026- 9.6 MoreDetailsexecution(RCE)and/orarbitraryblobwritesduetoinsufficientinputvalidation.TheissueisexploitableviaURI39399 fragmentinjectionusingunsanitizedpackageidentifiers,allowinganattackertocontroltheresolvedblobpath. Thisenableswritestoarbitraryblobswithinthestoragecontainer,notlimitedto.nupkgfiles,resultingin potentialtamperingofexistingcontent.Thisissuehasbeenpatchedincommit 0e80f87628349207cdcaf55358491f8a6f1ca276. UseafterfreeinPrivateAIinGoogleChromepriorto147.0.7727.55allowedaremoteattackerwhoconvincedaCVE-2026-usertoengageinspecificUIgesturestopotentiallyperformasandboxescapeviaacraftedHTMLpage. 9.6 MoreDetails5874 Chartbrewisanopen-sourcewebapplicationthatcanconnectdirectlytodatabasesandAPIsandusethedata tocreatecharts.Priorto4.8.5,ChartbrewallowsauthenticateduserstocreateAPIdataconnectionswithCVE-2026-arbitraryURLs.TheserverfetchestheseURLsusingrequest-promisewithoutanyIPaddressvalidation, 9.6 MoreDetails30232enablingServer-SideRequestForgeryattacksagainstinternalnetworksandcloudmetadataendpoints.This vulnerabilityisfixedin4.8.5. CVE-2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinpriyanshumittalBluestreetbluestreetallowsCrossSite 9.6 MoreDetails39617RequestForgery.ThisissueaffectsBluestreet:fromn/athrough<=1.7.3. 
PraisonAIisamulti-agentteamssystem.Priorto4.5.121,theexecute_commandfunctionandworkflowshell CVE-2026-executionareexposedtouser-controlledinputviaagentworkflows,YAMLdefinitions,andLLM-generatedtool 9.6 MoreDetails40088calls,allowingattackerstoinjectarbitraryshellcommandsthroughshellmetacharacters.Thisvulnerabilityis fixedin4.5.121. CVE-2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinpriyanshumittalBusiprofbusiprofallowsUploadaWebShell 9.6 MoreDetails39619toaWebServer.ThisissueaffectsBusiprof:fromn/athrough<=2.5.2. CVE-2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinpriyanshumittalAppointmentappointmentallowsUploada 9.6 MoreDetails39620WebShelltoaWebServer.ThisissueaffectsAppointment:fromn/athrough<=3.5.5. CVE-2026-Cross-SiteRequestForgery(CSRF)vulnerabilityinmndpsingh287ThemeEditortheme-editorallowsCode 9.639640Injection.ThisissueaffectsThemeEditor:fromn/athrough<=3.2.

ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,thedefaultpasswordreset CVE-2026-mechanismgeneratestokensusingsha1($email)withnorandomcomponent,noexpiration,andnorate 9.4 MoreDetails33707limiting.Anattackerwhoknowsauser'semailcancomputetheresettokenandchangethevictim'spassword withoutauthentication.Thisvulnerabilityisfixedin1.11.38and2.0.0-RC.3. ColdFusionversions2023.18,2025.6andearlierareaffectedbyanImproperInputValidationvulnerabilitythatCVE-2026-couldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuedoesnot 9.3 MoreDetails27304requireuserinteraction. CVE-2026-SandboxEscapeVulnerabilityinTerrariumallowsarbitrarycodeexecutionwithrootprivilegesonahost 9.3 MoreDetails5752processviaJavaScriptprototypechaintraversal. AdobeConnectversions2025.3,12.10andearlierareaffectedbyaDeserializationofUntrustedDataCVE-2026-vulnerabilitythatcouldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthis 9.3 MoreDetails34615issuedoesnotrequireuserinteraction.Scopeischanged. AdobeConnectversions2025.3,12.10andearlierareaffectedbyaDOM-basedCross-SiteScripting(XSS) CVE-2026-vulnerability.AnattackercouldexploitthisissuebymanipulatingtheDOMenvironmenttoexecutemalicious 9.3 MoreDetails27246JavaScriptwithinthecontextofthevictim'sbrowser.Exploitationofthisissuerequiresuserinteractioninthat avictimmustvisitacraftedwebpage.Scopeischanged. AdobeConnectversions2025.3,12.10andearlierareaffectedbyareflectedCross-SiteScripting(XSS)CVE-2026-vulnerability.IfanattackerisabletoconvinceavictimtovisitaURLreferencingavulnerablepage,malicious 9.3 MoreDetails27245JavaScriptcontentmaybeexecutedwithinthecontextofthevictim'sbrowser.Scopeischanged. 
AdobeConnectversions2025.3,12.10andearlierareaffectedbyareflectedCross-SiteScripting(XSS)CVE-2026-vulnerability.IfanattackerisabletoconvinceavictimtovisitaURLreferencingavulnerablepage,malicious 9.3 MoreDetails27243JavaScriptcontentmaybeexecutedwithinthecontextofthevictim'sbrowser.Scopeischanged. Areflectedcross-sitescripting(XSS)vulnerabilityexistsinRukovoditelCRMversion3.6.4andearlierinthe ZadarmatelephonyAPIendpoint(/api/tel/zadarma.php).Theapplicationdirectlyreflectsuser-suppliedinput fromthe'zdecho'GETparameterintotheHTTPresponsewithoutpropersanitization,outputencoding,or CVE-2026-content-typerestrictions.Thevulnerablecodeis:if(isset($GET['zdecho']))exit($GET['zd_echo']);An 9.3 MoreDetails31845unauthenticatedattackercanexploitthisissuebycraftingamaliciousURLcontainingJavaScriptpayloads. Whenavictimvisitsthelink,thepayloadexecutesinthecontextoftheapplicationwithinthevictim'sbrowser, potentiallyleadingtosessionhijacking,credentialtheft,phishing,oraccounttakeover.Theissueisfixedin version3.7,whichintroducesproperinputvalidationandoutputencodingtopreventscriptinjection. IBMVerifyIdentityAccessContainer11.0through11.0.2andIBMSecurityVerifyAccessContainer10.0 CVE-2026-through10.0.9.1andIBMVerifyIdentityAccess11.0through11.0.2andIBMSecurityVerifyAccess10.0 9.3 MoreDetailsthrough10.0.9.1couldallowalocallyauthenticatedusertoescalatetheirprivilegestorootduetoexecution

withunnecessaryprivilegesthanrequired. PraisonAIisamulti-agentteamssystem.Priorto4.5.128,PraisonAItreatsremotelyfetchedtemplatefilesasCVE-2026-trustedexecutablecodewithoutintegrityverification,originvalidation,oruserconfirmation,enablingsupply 9.3 MoreDetails40154chainattacksthroughmalicioustemplates.Thisvulnerabilityisfixedin4.5.128. InCanonicalLXDbefore6.8,thebackupimportpathvalidatesprojectrestrictionsagainstbackup/index.yamlin thesuppliedtararchivebutcreatestheinstancefrombackup/container/backup.yaml,aseparatefileinthe CVE-2026-samearchivethatisnevercheckedagainstprojectrestrictions.Anauthenticatedremoteattackerwith 9.1 MoreDetails34178instance-creationpermissioninarestrictedprojectcancraftabackuparchivewherebackup.yamlcarries restrictedsettingssuchassecurity.privileged=trueorraw.lxcdirectives,bypassingallprojectrestriction enforcementandallowingfullhostcompromise. ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,ChamiloLMScontainsanOS CommandInjectionvulnerabilityinthefilemovefunction.Themove()functioninfileManage.lib.phppasses user-controlledpathvaluesdirectlyintoexec()shellcommandswithoutusingescapeshellarg().Whenauser movesadocumentviadocument.php,themovetoPOSTparameter--whichonlypassesthrough Security::removeXSS()(anHTML-onlyfilter)--isconcatenateddirectlyintoshellcommandssuchasexec("mvCVE-2026-$source$target").Bydefault,Chamiloallowsallauthenticateduserstocreatecourses 9.1 MoreDetails32892(allowuserstocreatecourses=true).Anyuserwhoisateacherinacourse(includingself-createdcourses) canmovedocuments,makingthisvulnerabilityexploitablebyanyauthenticateduser.Theattackermustfirst placeadirectorywithshellmetacharactersinitsnameonthefilesystem(achievableviaCourseBackup 
Import),thenmoveadocumentintothatdirectorytotriggerarbitrarycommandexecutionasthewebserver user(www-data).Thisvulnerabilityisfixedin1.11.38and2.0.0-RC.3. OAuth2ProxyisareverseproxythatprovidesauthenticationusingOAuth2providers.Versionspriorto7.15.2 containaconfiguration-dependentauthenticationbypassindeploymentswhereOAuth2Proxyisusedwithan authrequest-styleintegration(suchasnginxauthrequest)andeither--ping-user-agentissetor--gcp- CVE-2026-healthchecksisenabled.Inaffectedconfigurations,OAuth2Proxytreatsanyrequestwiththeconfiguredhealth 9.1 MoreDetails34457checkUser-Agentvalueasasuccessfulhealthcheckregardlessoftherequestedpath,allowingan unauthenticatedremoteattackertobypassauthenticationandaccessprotectedupstreamresources. Deploymentsthatdonotuseauthrequest-stylesubrequestsorthatdonotenable--ping-user-agent/--gcp- healthchecksarenotaffected.Thisissueisfixedin7.15.2. CLIENTCERTauthenticationdoesnotfailasexpectedforsomescenarioswhensoftfailisdisabledvulnerability inApacheTomcat,ApacheTomcatNative.ThisissueaffectsApacheTomcat:from11.0.0-M1through11.0.18, CVE-2026-from10.1.0-M7through10.1.52,from9.0.83through9.0.115;ApacheTomcatNative:from1.1.23through 9.1 MoreDetails291451.1.34,from1.2.0through1.2.39,from1.3.0through1.3.6,from2.0.0through2.0.13.Usersare recommendedtoupgradetoversionTomcatNative1.3.7or2.0.14andTomcat11.0.20,10.1.53and9.0.116, whichfixtheissue. 
Solstice::Sessionversionsthrough1440forPerlgeneratessessionidsinsecurely.ThegenerateSessionID methodreturnsanMD5digestseededbytheepochtime,arandomhashreference,acalltothebuilt-inrand() functionandtheprocessid.ThesamemethodisusedinthegenerateIDmethodinSolstice::Subsession,CVE-2026-whichispartofthesamedistribution.Theepochtimemaybeguessed,ifitisnotleakedintheHTTPDate 9.1 MoreDetails5085header.Stringifiedhashrefenceswillcontainpredictablecontent.Thebuilt-inrand()functionisseededby16- bitsandisunsuitableforsecuritypurposes.Theprocessidcomesfromasmallsetofnumbers.Predictable sessionidscouldallowanattackertogainaccesstosystems. V2Board1.6.1through1.7.4andXboardthrough0.1.9exposeauthenticationtokensinHTTPresponsebodies oftheloginWithMailLinkendpointwhentheloginwithmaillinkenablefeatureisactive.UnauthenticatedCVE-2026-attackerscanPOSTtotheloginWithMailLinkendpointwithaknownemailaddresstoreceivethefull 9.1 MoreDetails39912authenticationURLintheresponse,thenexchangethetokenatthetoken2Loginendpointtoobtainavalid bearertokenwithcompleteaccountaccessincludingadminprivileges. OpenCTIisanopensourceplatformformanagingcyberthreatintelligenceknowledgeandobservables.Prior CVE-2026-to6.9.5,thesafeEjs.tsfiledoesnotproperlysanitizeEJStemplates.UserswiththeManagecustomization 9.1 MoreDetails39980capabilitycanrunarbitraryJavaScriptinthecontextoftheOpenCTIplatformprocessduringnotifiertemplate execution.Thisvulnerabilityisfixedin6.9.5. 
omaisapackagemanagerforAOSCOS.Priorto1.25.2,oma-topicsisresponsibleforfetchingmetadatafor testingrepositories(topics)named"TopicManifests"({mirror}/debs/manifest/topics.json)fromremote repositoryservers,registeringthemasAPTsourceentries.However,thenamefieldinsaidmetadatawerenotCVE-2026-checkedfortransliteration.Inthiscase,amaliciouspartymaysupplyamalformedTopicManifest,whichmay 9.1 MoreDetails39958causemaliciousAPTsourceentriestobeaddedto/etc/apt/sources.list.d/atm.listasoma-topicsfinishes fetchingandregisteringmetadata.Thisvulnerabilityisfixedin1.25.2.

CVE-2026- ADynamic-linkLibraryInjectionvulnerabilityinOSGeoProjectMapServerbeforev8.0allowsattackersto 9.1 MoreDetails30479 executearbitrarycodeviaacraftedexecutable. Anout-of-boundsreadvulnerabilityexistsintheDecodeLookupTablefunctionwithin DicomImageDecoder.cpp.Thelookup-tabledecodinglogicusedforPALETTECOLORimagesdoesnotCVE-2026- validatepixelindicesagainstthelookuptablesize.Craftedimagescontainingindiceslargerthanthepalette 9.1 MoreDetails sizecausethedecodertoreadbeyondallocatedlookuptablememoryandexposeheapcontentsintheoutput image.

InCanonicalLXDversions4.12through6.7,thedoCertificateUpdatefunctioninlxd/certificates.godoesnotCVE-2026- 9.1 MoreDetailsvalidatetheTypefieldwhenhandlingPUT/PATCHrequeststo/1.0/certificates/{fingerprint}forrestrictedTLS34179certificateusers,allowingaremoteauthenticatedattackertoescalateprivilegestoclusteradmin. CVE-2025-Jizhicmsv2.5.4isvulnerabletoServer-SideRequestForgery(SSRF)inUserEvaluation,Message,andComment 9.1 MoreDetails50228modules. CVE-2023-QD20230821isvulnerabletoServer-siderequestforgery(SSRF)viaacraftedrequest 9.1 MoreDetails46945 AServer-SideRequestForgery(SSRF)vulnerabilityexistsinthePrintFormatfunctionalityofERPNextv16.0.1 andFrappeFrameworkv16.1.1,whereuser-suppliedHTMLisinsufficientlysanitizedbeforebeingrenderedinto PDF.WhengeneratingPDFsfromuser-controlledHTMLcontent,theapplicationallowstheinclusionofHTMLCVE-2026-elementssuchas

CVE-2026- Improperneutralizationofescape,meta,orcontrolsequencesinMicrosoftPowerAppsallowsanauthorized 9.0 MoreDetails26149 attackertobypassasecurityfeatureoveranetwork.

OTHERVULNERABILITIES

CVE Number | Base Score | Description | Reference

CVE- CrossSiteRequestForgeryvulnerabilityinPhpbbphbb3v.3.3.15allowsalocalattackertoexecutearbitrarycodevia More2025- 8.8 theloginfunctionandtheauthenticationmechanism Details70810 AvulnerabilitywasfoundinTendaAC915.03.02.13.TheaffectedelementisthefunctiondecodePwdofthefileCVE- /goform/WizardHandleofthecomponentPOSTRequestHandler.PerformingamanipulationoftheargumentWANS More2026- 8.8 resultsinstack-basedbufferoverflow.Theattackcanbeinitiatedremotely.Theexploithasbeenmadepublicand Details6016 couldbeused. CVE- AflawhasbeenfoundinTendaF4511.0.0.7.AffectedbythisvulnerabilityisthefunctionWrlclientSetofthefile More2026- /goform/WrlclientSetofthecomponenthttpd.ThismanipulationoftheargumentGOcausesstack-basedbuffer 8.8 Details6121 overflow.Theattackmaybeinitiatedremotely.Theexploithasbeenpublishedandmaybeused. CVE- AvulnerabilitywasdetectedinTendaF4511.0.0.7.AffectedisthefunctionfromDhcpListClientofthefile More2026- /goform/DhcpListClientofthecomponenthttpd.Themanipulationoftheargumentpageresultsinstack-basedbuffer 8.8 Details6120 overflow.Theattackcanbelaunchedremotely.Theexploitisnowpublicandmaybeused. 
TheBuddyPressGroupblogpluginforWordPressisvulnerabletoPrivilegeEscalationinallversionsupto,and including,1.9.3.Thisisduetothegroupblogsettingshandleracceptingthegroupblog-blogid,default-member, andgroupblog-silent-addparametersfromuserinputwithoutproperauthorizationchecks.Thegroupblog-blogid CVE- parameterallowsanygroupadmin(includingSubscriberswhocreatetheirowngroup)toassociatetheirgroupwith More2026- anyblogontheMultisitenetwork,includingthemainsite(blogID1).Thedefault-memberparameteracceptsany 8.8 Details5144 WordPressrole,includingadministrator,withoutvalidationagainstawhitelist.Whencombinedwithgroupblog- silent-add,anyuserwhojoinstheattacker'sgroupisautomaticallyaddedtothetargetedblogwiththeinjectedrole. Thismakesitpossibleforauthenticatedattackers,withSubscriber-levelaccessandabove,toescalateanyuser (includingthemselvesviaasecondaccount)toAdministratoronthemainsiteoftheMultisitenetwork. CVE- InsufficientlyprotectedcredentialsinAzureLogicAppsallowsanauthorizedattackertoelevateprivilegesovera More2026- 8.8 network. Details32171 ChamiloLMSisalearningmanagementsystem.Priorto.0.0-RC.3,the CVE- PlatformConfigurationController::decodeSettingArray()methodusesPHP'seval()toparseplatformsettingsfromthe More2026- database.Anattackerwithadminaccess(obtainableviaAdvisory1)caninjectarbitraryPHPcodeintothesettings, 8.8 Details33618 whichisthenexecutedwhenanyuser(includingunauthenticated)requests/platform-config/list.Thisvulnerabilityis fixedin2.0.0-RC.3. 
CVE- OpenClawbefore2026.3.25containsaprivilegeescalationvulnerabilityingateway-authenticatedpluginHTTProutes More2026- thatincorrectlymintoperator.adminruntimescoperegardlessofcaller-grantedscopes.Attackerscanexploitthis 8.8 Details35669 scopeboundarybypasstogainelevatedprivilegesandperformunauthorizedadministrativeactions. CVE- OpenClawbefore2026.3.22containsanallowlistbypassvulnerabilityinsystem.runapprovalsthatfailstounwrap More2026- /usr/bin/timewrappers.Attackerscanbypassexecutablebindingrestrictionsbyusinganunregisteredtimewrapper 8.8 Details35666 toreuseapprovalstateforinnercommands. CVE- OpenClawbefore2026.3.25containsaprivilegeescalationvulnerabilityallowingnon-adminoperatorstoself-request More2026- broaderscopesduringbackendreconnect.Attackerscanbypasspairingrequirementstoreconnectas 8.8 Details35663 operator.admin,gainingunauthorizedadministrativeprivileges. CVE- OpenClawbefore2026.3.22containsanunvalidatedWebViewJavascriptInterfacevulnerabilityallowingattackersto More2026- injectarbitraryinstructions.Untrustedpagescaninvokethecanvasbridgetoexecutemaliciouscodewithinthe 8.8 Details35643 Androidapplicationcontext. AnissuewasdiscoveredinBMCControl-M/MFT9.0.20through9.0.22.ASQLinjectionvulnerabilityintheMFTAPI'sCVE- debuginterfaceallowsanauthenticatedattackertoinjectmaliciousqueriesduetoimproperinputvalidationand More2026- 8.8 unsafedynamicSQLhandling.Successfulexploitationcanenablearbitraryfileread/writeoperationsandpotentially Details23780 leadtoremotecodeexecution. CVE- LiteLLMthrough2026-04-08allowsremoteattackerstoexecutearbitrarycodeviabytecoderewritingatthe More2026- 8.8 /guardrails/testcustomcodeURI. 
Details40217 AvulnerabilityhasbeenfoundinTendaAC915.03.02.13.ImpactedisthefunctionformQuickIndexofthefileCVE- /goform/QuickIndexofthecomponentPOSTRequestHandler.SuchmanipulationoftheargumentPPPOEPassword More 8.8 leadstostack-basedbufferoverflow.Itispossibletolaunchtheattackremotely.Theexploithasbeendisclosedto Details thepublicandmaybeused. CVE- UseafterfreeinWebRTCinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrary More

codeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) 8.8 Details

PraisonAIisamulti-agentteamssystem.Priorto4.5.115,thecreateagentcentrictools()functionreturnstools(likeCVE-acpcreatefile)thatprocessfilecontentusingtemplaterendering.Whenuserinputfromagent.start()ispassed More 8.8directlyintothesetoolswithoutescaping,templateexpressionsintheinputareexecutedratherthantreatedas Details39891literaltext.Thisvulnerabilityisfixedin4.5.115. AflawhasbeenfoundinD-LinkDIR-5131.10.ThisissueaffectsthefunctionformAdvanceSetupofthefileCVE-/goform/formAdvanceSetupofthecomponentPOSTRequestHandler.Thismanipulationoftheargumentwebpage More2026- 8.8causesbufferoverflow.Itispossibletoinitiatetheattackremotely.Theexploithasbeenpublishedandmaybeused. Details6014 AvulnerabilitywasdetectedinD-LinkDIR-5131.10.ThisvulnerabilityaffectsthefunctionformSetRouteofthefileCVE-/goform/formSetRouteofthecomponentPOSTRequestHandler.ThemanipulationoftheargumentcurTimeresultsin More2026- 8.8bufferoverflow.Theattackmaybeperformedfromremote.Theexploitisnowpublicandmaybeused.This Details6013 AsecurityvulnerabilityhasbeendetectedinD-LinkDIR-5131.10.ThisaffectsthefunctionformSetPasswordoftheCVE-file/goform/formSetPasswordofthecomponentPOSTRequestHandler.ThemanipulationoftheargumentcurTime More2026- 8.8leadstobufferoverflow.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedpubliclyand Details6012maybeused.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythemaintainer. CVE-AvulnerabilitywasdeterminedinTendaF4511.0.0.7.ThisaffectsthefunctionfromP2pListFilterofthefile More2026-/goform/P2pListFilter.Thismanipulationoftheargumentpagecausesstack-basedbufferoverflow.Remote 8.8 Details5992exploitationoftheattackispossible.Theexploithasbeenpubliclydisclosedandmaybeutilized. 
CVE-AvulnerabilitywasfoundinTendaF4511.0.0.7.AffectedbythisissueisthefunctionformWrlExtraSetofthefile More2026-/goform/WrlExtraSet.ThemanipulationoftheargumentGOresultsinstack-basedbufferoverflow.Theattackmaybe 8.8 Details5991launchedremotely.Theexploithasbeenmadepublicandcouldbeused. CVE-AvulnerabilityhasbeenfoundinTendaF4511.0.0.7.AffectedbythisvulnerabilityisthefunctionfromSafeEmailFilter More2026-ofthefile/goform/SafeEmailFilter.Themanipulationoftheargumentpageleadstostack-basedbufferoverflow.The 8.8 Details5990attackmaybeinitiatedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. CVE-AflawhasbeenfoundinTendaF4511.0.0.7.AffectedisthefunctionfromRouteStaticofthefile/goform/RouteStatic. More2026-Executingamanipulationoftheargumentpagecanleadtostack-basedbufferoverflow.Theattackcanbelaunched 8.8 Details5989remotely.Theexploithasbeenpublishedandmaybeused. CVE-IntegersizetruncationinWindowsAdvancedRasterizationPlatform(WARP)allowsanunauthorizedattackerto More2026- 8.8 Details26178 CVE-AvulnerabilitywasdetectedinTendaF4511.0.0.7.ThisimpactsthefunctionformWrlsafesetofthefile More2026-/goform/AdvSetWrlsafeset.Performingamanipulationoftheargumentmitssidresultsinstack-basedbufferoverflow. 8.8 Details5988Theattackcanbeinitiatedremotely.Theexploitisnowpublicandmaybeused. 
CVE-HeapbufferoverflowinWebMLinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecute More2026- 8.8arbitrarycodeviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details5858 CVE-AvulnerabilityhasbeenfoundinTendaF4511.0.0.7.AffectedbythisissueisthefunctionfrmL7ProtFormofthefile More2026-/goform/L7Protofthecomponenthttpd.Suchmanipulationoftheargumentpageleadstostack-basedbuffer 8.8 Details6122overflow.Theattackmaybelaunchedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. CVE-AvulnerabilitywasfoundinTendaF4511.0.0.7.ThisaffectsthefunctionfromAddressNatofthefile More2026-/goform/addressNatofthecomponenthttpd.Performingamanipulationoftheargumententrysresultsinstack-based 8.8 Details6123bufferoverflow.Remoteexploitationoftheattackispossible.Theexploithasbeenmadepublicandcouldbeused. AvulnerabilitywasdeterminedinTendaF4511.0.0.7.ThisvulnerabilityaffectsthefunctionfromSafeMacFilteroftheCVE-file/goform/SafeMacFilterofthecomponenthttpd.Executingamanipulationoftheargumentpage/menufacturercan More2026- 8.8leadtostack-basedbufferoverflow.Theattackcanbeexecutedremotely.Theexploithasbeenpubliclydisclosed Details6124andmaybeutilized. CVE-AvulnerabilitywasidentifiedinTendaF4511.0.0.7cnsvn7958.ThisaffectsthefunctionfromSafeUrlFilterofthefile More2026-/goform/SafeUrlFilter.Suchmanipulationoftheargumentpageleadstostack-basedbufferoverflow.Theattackcan 8.8 Details6133beexecutedremotely.Theexploitispubliclyavailableandmightbeused. 
CVE-2026-26167 (base score 8.8)

CVE-[…]-39815 (base score 8.8): An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests

CVE-[…]-38529 (base score 8.8): A Broken Object-Level Authorization (BOLA) in the /Settings/UserController.php endpoint of Webkul Krayin CRM v2.2.x allows authenticated attackers to arbitrarily reset user passwords and perform a full account takeover via supplying a crafted HTTP request.

CVE-[…]-27668 (base score 8.8): A vulnerability has been identified in RUGGEDCOM CROSSBOW Secure Access Manager Primary (SAM-P) (All versions < V5.8). User Administrators are allowed to administer groups they belong to. This could allow an authenticated User Administrator to escalate their own privileges and grant themselves access to any device group at any access level.

CVE-2026-25654 (base score 8.8): A vulnerability has been identified in SINEC NMS (All versions < V4.0 SP3). Affected products do not properly validate user authorization when processing password reset requests. This could allow an authenticated remote attacker to bypass authorization checks, leading to the ability to reset the password of any arbitrary user account.

CVE-2026-6200 (base score 8.8): A vulnerability was determined in Tenda F456 1.0.0.5. The affected element is the function formwebtypelibrary of the file /goform/webtypelibrary. This manipulation of the argument menufacturer/Go causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

CVE-2026-6199 (base score 8.8): A vulnerability was found in Tenda F456 1.0.0.5. Impacted is the function fromqossetting of the file /goform/qossetting. The manipulation of the argument page results in stack-based buffer overflow. It is possible to launch the attack remotely. The exploit has been made public and could be used.

CVE-2026-6198 (base score 8.8): A vulnerability has been found in Tenda F456 1.0.0.5. This issue affects the function fromNatStaticSetting of the file /goform/NatStaticSetting. The manipulation of the argument page leads to stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.
CVE- AflawhasbeenfoundinTendaF4561.0.0.5.ThisvulnerabilityaffectsthefunctionformWrlsafesetofthefile More2026- /goform/AdvSetWrlsafeset.Executingamanipulationoftheargumentmitssidcanleadtostack-basedbuffer 8.8 Details6197 overflow.Theattackmaybeperformedfromremote.Theexploithasbeenpublishedandmaybeused. CVE- Pachno1.0.6containsanunrestrictedfileuploadvulnerabilitythatallowsauthenticateduserstouploadarbitraryfile More2026- typesbybypassingineffectiveextensionfilteringtothe/uploadfileendpoint.Attackerscanuploadexecutablefiles 8.8 Details40040 .php5scriptstoweb-accessibledirectoriesandexecutethemtoachieveremotecodeexecutionontheserver. CVE- AvulnerabilitywasdetectedinTendaF4561.0.0.5.ThisaffectsthefunctionfromexeCommandofthefile More2026- /goform/exeCommand.Performingamanipulationoftheargumentcmdinputresultsinstack-basedbufferoverflow. 8.8 Details6196 Theattackispossibletobecarriedoutremotely.Theexploitisnowpublicandmaybeused. AweaknesshasbeenidentifiedinTotolinkA3002MUB20211125.1046.AffectedbythisvulnerabilityisthefunctionCVE- sub410188ofthefile/boafrm/formWlanSetupofthecomponentHTTPRequestHandler.Thismanipulationofthe More2026- 8.8 argumentwan-urlcausesstack-basedbufferoverflow.Remoteexploitationoftheattackispossible.Theexploithas Details6194 beenmadeavailabletothepublicandcouldbeusedforattacks. CVE- AsecurityvulnerabilityhasbeendetectedinUTTHiPER1200GWupto2.5.3-170306.Thisvulnerabilityaffectsthe More2026- functionstrcpyofthefile/goform/formNatStaticMap.ThemanipulationoftheargumentNatBindleadstobuffer 8.8 Details6186 overflow.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedpubliclyandmaybeused. 
CVE- DagAuthors,whonormallyshouldnotbeabletoexecutecodeinthewebservercontextcouldcraftXCompayload More2026- causingthewebservertoexecutearbitrarycode.SinceDagAuthorsarealreadyhighlytrusted,severityofthisissue 8.8 Details33858 isLow.UsersarerecommendedtoupgradetoApacheAirflow3.2.0,whichresolvesthisissue. DeserializationofUntrustedDatavulnerabilityinApacheStorm.VersionsAffected:before2.8.6.Description:When processingtopologycredentialssubmittedviatheNimbusThriftAPI,Stormdeserializesthebase64-encodedTGTblob usingObjectInputStream.readObject()withoutanyclassfilteringorvalidation.Anauthenticateduserwithtopology CVE- submissionrightscouldsupplyacraftedserializedobjectinthe"TGT"credentialfield,leadingtoremotecode More2026- executioninboththeNimbusandWorkerJVMs.Mitigation:2.xusersshouldupgradeto2.8.6.Userswhocannot 8.8 Details35337 upgradeimmediatelyshouldmonkey-patchanObjectInputFilterallow-listto ClientAuthUtils.deserializeKerberosTicket()restrictingdeserializedclassesto javax.security.auth.kerberos.KerberosTicketanditsknowndependencies.Aguideonhowtodothisisavailableinthe releasenotesof2.8.6.Credit:ThisissuewasdiscoveredbyK. CVE- AflawhasbeenfoundinTOTOLINKA7000Rupto9.1.0u.6115.Theaffectedelementisthefunction More2026- setWiFiEasyGuestCfgofthefile/cgi-bin/cstecgi.cgi.Thismanipulationoftheargumentssid5gcausesstack-based 8.8 Details6168 bufferoverflow.Remoteexploitationoftheattackispossible.Theexploithasbeenpublishedandmaybeused. CVE- AvulnerabilitywasdetectedinTotolinkA800R4.1.2cu.5137B20200730.Thisimpactsthefunction More2026- setAppEasyWizardConfiginthelibrary/lib/cstemodules/app.so.ThemanipulationoftheargumentapcliSsidresultsin 8.8 Details6157 bufferoverflow.Theattackcanbeexecutedremotely.Theexploitisnowpublicandmaybeused. 
TheAdvancedMembersforACFpluginforWordPressisvulnerabletoarbitraryfiledeletionduetoinsufficientfile CVE- pathvalidationinthecreatecropfunctioninallversionsupto,andincluding,1.2.5.Thismakesitpossiblefor More2026- authenticatedattackers,withSubscriber-levelaccessandabove,todeletearbitraryfilesontheserver,whichcan 8.8 Details3243 easilyleadtoremotecodeexecutionwhentherightfileisdeleted(suchaswp-config.php).Thevulnerabilitywas partiallypatchedinversion1.2.5. CVE- AvulnerabilitywasdetectedinTendaF4511.0.0.7cnsvn7958.TheaffectedelementisthefunctionfromAdvSetWan More2026- ofthefile/goform/AdvSetWan.Themanipulationoftheargumentwanmode/PPPOEPasswordresultsinstack-based 8.8 Details bufferoverflow.Itispossibletolaunchtheattackremotely.Theexploitisnowpublicandmaybeused. CVE- AsecurityvulnerabilityhasbeendetectedinTendaF4511.0.0.7cn_svn7958.ImpactedisthefunctionfrmL7ImForm More ofthefile/goform/L7Im.Themanipulationoftheargumentpageleadstostack-basedbufferoverflow.Itispossibleto 8.8 Details initiatetheattackremotely.Theexploithasbeendisclosedpubliclyandmaybeused.

AweaknesshasbeenidentifiedinTendaF4511.0.0.7cnsvn7958.ThisissueaffectsthefunctionfromSetIpBindofCVE-thefile/goform/SetIpBind.Executingamanipulationoftheargumentpagecanleadtostack-basedbufferoverflow. More 8.8Theattackmaybeperformedfromremote.Theexploithasbeenmadeavailabletothepublicandcouldbeusedfor Details attacks. AsecurityflawhasbeendiscoveredinTendaF4511.0.0.7cnsvn7958.ThisvulnerabilityaffectsthefunctionCVE-fromqossettingofthefile/goform/qossetting.Performingamanipulationoftheargumentqosresultsinstack-based More2026- 8.8bufferoverflow.Theattackispossibletobecarriedoutremotely.Theexploithasbeenreleasedtothepublicand Details6134maybeusedforattacks. CVE- More2026-UseafterfreeinRemoteDesktopClientallowsanunauthorizedattackertoexecutecodeoveranetwork. 8.8 Details32157 CVE-IntegeroverflowinWebMLinGoogleChromepriorto147.0.7727.55allowedaremoteattackertopotentiallyexploit More2026- 8.8heapcorruptionviaacraftedHTMLpage.(Chromiumsecurityseverity:Critical) Details5859 CVE-ProtectionmechanismfailureinWindowsShellallowsanunauthorizedattackertobypassasecurityfeatureovera More2026- 8.8network. 
Details32225 CVE-UseafterfreeinV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 Details5861 CVE-IntegeroverflowinWebRTCinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoperformanoutof More2026- 8.8boundsmemorywriteviaacraftedHTMLpage.(Chromiumsecurityseverity:Low) Details5912 AflawhasbeenfoundinD-LinkDIR-605L2.13B01.AffectedbythisissueisthefunctionformSetMACFilterofthefileCVE-/goform/formSetMACFilterofthecomponentPOSTRequestHandler.ThismanipulationoftheargumentcurTime More2026- 8.8causesbufferoverflow.Theattackmaybeinitiatedremotely.Theexploithasbeenpublishedandmaybeused.This Details5980 CVE-InappropriateimplementationinV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecute More2026- 8.8arbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details5862 CVE-UseafterfreeinV8inGoogleChromepriorto147.0.7727.55allowedanattackerwhoconvincedausertoinstalla More2026-maliciousextensiontopotentiallyexploitheapcorruptionviaacraftedChromeExtension.(Chromiumsecurity 8.8 Details5904 ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversionspriorto2.0.0-RC.3,anOSCommand Injectionvulnerabilityexistsinthemain/inc/ajax/gradebook.ajax.phpendpointwithintheexportallcertificates action,wherethecoursecoderetrievedfromthesessionvariable$SESSION['cid']viaapigetcourseid()isCVE-concatenateddirectlyintoashellexec()commandstringwithoutsanitizationorescapingusingescapeshellarg().If More2026- 8.8anattackercanmanipulateorpoisontheirsessiondatatoinjectshellmetacharactersintothecidvariable,theycan Details35196achievearbitrarycommandexecutionontheunderlyingserver.Successfulexploitationgrantsfullaccesstoread 
systemfilesandcredentials,alterstheapplicationanddatabase,ordisruptsserveravailability.Thisissuehasbeen fixedinversion2.0.0-RC.3. ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversionspriorto2.0.0-RC.3,aninsecuredirect objectmodificationvulnerabilityinthePUT/api/users/{id}endpointallowsanyauthenticateduserwith CVE-ROLESTUDENTtoescalatetheirprivilegestoROLEADMINbymodifyingtherolesfieldontheirownuserrecord.The More2026-APIPlatformsecurityexpressionisgranted('EDIT',object)onlyverifiesrecordownership,andtherolesfieldis 8.8 Details40291includedinthewritableserializationgroup,enablinganyusertosetarbitraryrolessuchasROLEADMIN.Successful exploitationgrantsfulladministrativecontroloftheplatform,includingaccesstoallcourses,userdata,grades,and administrativesettings.Thisissuehasbeenfixedinversion2.0.0-RC.3. CVE-IntegeroverflowinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattackertopotentiallyexploit More2026- 8.8heapcorruptionviaacraftedvideofile.(Chromiumsecurityseverity:Low) Details5908 CVE-IntegeroverflowinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattackertopotentiallyexploit More2026- 8.8heapcorruptionviaacraftedvideofile.(Chromiumsecurityseverity:Low) Details5909 CVE-IntegeroverflowinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattackertopotentiallyexploit More2026- 8.8heapcorruptionviaacraftedvideofile.(Chromiumsecurityseverity:Low) Details5910 TheProductFeedPROforWooCommercebyAdTribes-ProductFeedsforWooCommercepluginforWordPressis vulnerabletoCross-SiteRequestForgeryinversions13.4.6through13.5.2.1.Thisisduetomissingorincorrectnonce validationontheajaxmigratetocustomposttype,ajaxadtclearcustomattributesproductmetakeys,CVE- 
Moreajaxupdatefileurltolowercase,ajaxuselegacyfiltersandrules,andajaxfixduplicate_feedfunctions.This 8.8

3499 makesitpossibleforunauthenticatedattackerstotriggerfeedmigration,clearcustom-attributetransientcaches, Details rewritefeedfileURLstolowercase,togglelegacyfilterandrulesettings,anddeleteduplicatedfeedpostsviaa forgedrequestgrantedtheycantrickasiteadministratorintoperforminganactionsuchasclickingonalink.

CVE- TypeConfusioninCSSinGoogleChromepriorto147.0.7727.55allowedanattackerwhoconvincedausertoinstalla More2026- maliciousextensiontopotentiallyexploitheapcorruptionviaacraftedChromeExtension.(Chromiumsecurity 8.8 Details5914 OpenClawbefore2026.3.22containsaprivilegeescalationvulnerabilityintheControlUIthatallowsunauthenticatedCVE- sessionstoretainself-declaredprivilegedscopeswithoutdeviceidentityverification.Attackerscanexploitthe More2026- 8.8 device-lessallowpathinthetrusted-proxymechanismtomaintainelevatedpermissionsbydeclaringarbitrary Details35638 scopes,bypassingdeviceidentityrequirements. AvulnerabilitywasdetectedinD-LinkDIR-6451.01/1.02/1.03.ImpactedisthefunctionhedwigcgimainofthefileCVE- /cgi-bin/hedwig.cgi.Themanipulationresultsinstack-basedbufferoverflow.Theattackcanbelaunchedremotely. More2026- 8.8 Theexploitisnowpublicandmaybeused.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedby Details5815 themaintainer. TheVertexAddonsforElementorpluginforWordPressisvulnerabletoMissingAuthorizationinallversionsuptoand including1.6.4.Thisisduetoimproperauthorizationenforcementintheactivaterequiredplugins()function. CVE- Specifically,thecurrentusercan('installplugins')capabilitycheckdoesnotterminateexecutionwhenitfails--it More2026- onlysetsanerrormessagevariablewhileallowingtheplugininstallationandactivationcodetoexecute.Theerror 8.8 Details4326 responseisonlysentaftertheinstallationandactivationhavealreadycompleted.Thismakesitpossiblefor authenticatedattackers,withSubscriber-levelaccessandabove,toinstallandactivatearbitrarypluginsfromthe WordPress. 
CVE- AvulnerabilitywasidentifiedinTendaAC1515.03.05.18.ThisaffectsthefunctionwebsGetVarofthefile More2026- /goform/SysToolChangePwd.SuchmanipulationoftheargumentoldPwd/newPwd/cfmPwdleadstostack-basedbuffer 8.8 Details5830 overflow.Theattackcanbeexecutedremotely.Theexploitispubliclyavailableandmightbeused. CVE- SWIGfilenamescontaining'cgo'andwell-craftedpayloadscouldleadtocodesmugglingandarbitrarycode More2026- 8.8 executionatbuildtimeduetotrustlayerbypass. Details27140 AGiXTisadynamicAIAgentAutomationPlatform.Priorto1.9.2,thesafejoin()functionintheessentialabilitiesCVE- extensionfailstovalidatethatresolvedfilepathsremainwithinthedesignatedagentworkspace.Anauthenticated More2026- 8.8 attackercanusedirectorytraversalsequencestoread,write,ordeletearbitraryfilesontheserverhostingtheAGiXT Details39981 instance.Thisvulnerabilityisfixedin1.9.2. CVE- IBMLangflowDesktop1.6.0through1.8.2Langflowcouldallowanauthenticatedusertoexecutearbitrarycodeon More2026- thesystem,causedbyaninsecuredefaultsettingwhichpermitsthedeserializationofuntrusteddataintheFAISS 8.8 Details3357 component. HashgraphGuardianthroughversion3.5.0containsanunsandboxedJavaScriptexecutionvulnerabilityintheCustom LogicpolicyblockworkerthatallowsauthenticatedStandardRegistryuserstoexecutearbitrarycodebypassingCVE- user-suppliedJavaScriptexpressionsdirectlytotheNode.jsFunction()constructorwithoutisolation.Attackerscan More2026- 8.8 importnativeNode.jsmodulestoreadarbitraryfilesfromthecontainerfilesystem,accessprocessenvironment Details39911 variablescontainingsensitivecredentialssuchasRSAprivatekeys,JWTsigningkeys,andAPItokens,andforgevalid authenticationtokensforanyuserincludingadministrators. 
CVE- ADynamic-linkLibraryInjectionvulnerabilityinGatewayGeoMapServerforWindowsversion5allowsattackersto More2026- 8.8 escalateprivilegesviaacraftedexecutable. Details30478 CVE- AnissuewasdiscoveredinKiamobefore8.4allowingauthenticatedadministrativeattackerstoexecutearbitraryPHP More2025- 8.8 codeontheserver. Details70364 AMissingAuthorizationvulnerabilityintheCLIofJuniperNetworksJunosOSonMXSeriesallowsalocal, authenticateduserwithlowprivilegestoexecutespecificcommandswhichwillleadtoacompletecompromiseof CVE- manageddevices.Anyuserloggedin,withoutrequiringspecificprivileges,canissue'requestcsds'CLIoperational More2026- commands.ThesecommandsareonlymeanttobeexecutedbyhighprivilegedorusersdesignatedforJuniper 8.8 Details33785 DeviceManager(JDM)/ConnectedSecurityDistributedServices(CSDS)operationsastheywillimpactallaspectsof thedevicesmanagedviatherespectiveMX.ThisissueaffectsJunosOSonMXSeries:24.4releasesbefore24.4R2- S3,25.2releasesbefore25.2R2.ThisissuedoesnotaffectJunosOSreleasesbefore24.4. AvulnerabilitywasdetectedinD-LinkDIR-605L2.13B01.AffectedbythisvulnerabilityisthefunctionformVirtualServCVE- ofthefile/goform/formVirtualServofthecomponentPOSTRequestHandler.Themanipulationoftheargument More2026- 8.8 curTimeresultsinbufferoverflow.Theattackcanbelaunchedremotely.Theexploitisnowpublicandmaybeused. Details5979 CVE- IntegeroverflowinSkiainGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More 8.8 Details AvulnerabilityhasbeenfoundinD-LinkDIR-605L2.13B01.ThisaffectsthefunctionformAdvFirewallofthefileCVE-

/goform/formAdvFirewallofthecomponentPOSTRequestHandler.SuchmanipulationoftheargumentcurTimeleads More 8.8 tobufferoverflow.Theattackmaybelaunchedremotely.Theexploithasbeendisclosedtothepublicandmaybe Details used.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythemaintainer. CVE-InappropriateimplementationinV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecute More 8.8arbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details5863 CVE- More2026-UntrustedpointerdereferenceinSQLServerallowsanauthorizedattackertoexecutecodeoveranetwork. 8.8 Details33120 AvulnerabilitywasidentifiedinD-LinkDIR-605L2.13B01.ImpactedisthefunctionformSetLogofthefileCVE-/goform/formSetLogofthecomponentPOSTRequestHandler.ThemanipulationoftheargumentcurTimeleadsto More2026- 8.8bufferoverflow.Theattackispossibletobecarriedoutremotely.Theexploitispubliclyavailableandmightbeused. Details5984 CVE-TypeConfusioninV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 Details5865 CVE-UseafterfreeinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 Details5866 AvulnerabilitywasdeterminedinD-LinkDIR-605L2.13B01.ThisissueaffectsthefunctionformSetDDNSofthefileCVE-/goform/formSetDDNSofthecomponentPOSTRequestHandler.ExecutingamanipulationoftheargumentcurTime More2026- 8.8canleadtobufferoverflow.Theattackcanbeexecutedremotely.Theexploithasbeenpubliclydisclosedandmaybe Details5983utilized.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythemaintainer. 
CVE-HeapbufferoverflowinANGLEinGoogleChromeonMacpriorto147.0.7727.55allowedaremoteattackertoexecute More2026- 8.8arbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details5868 AvulnerabilitywasfoundinD-LinkDIR-605L2.13B01.ThisvulnerabilityaffectsthefunctionformAdvNetworkoftheCVE-file/goform/formAdvNetworkofthecomponentPOSTRequestHandler.Performingamanipulationoftheargument More2026- 8.8curTimeresultsinbufferoverflow.Remoteexploitationoftheattackispossible.Theexploithasbeenmadepublic Details5982andcouldbeused.Thisvulnerabilityonlyaffectsproductsthatarenolongersupportedbythemaintainer. CVE-TypeConfusioninV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 Details5871 CVE-UseafterfreeinBlinkinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrarycode More2026- 8.8 Details5872 CVE-OutofboundsreadandwriteinV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecute More2026- 8.8arbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:High) Details5873 CVE-Cross-SiteRequestForgery(CSRF)vulnerabilityinspicethemesSpicePressspicepressallowsUploadaWebShelltoa More2026- 8.8WebServer.ThisissueaffectsSpicePress:fromn/athrough<=2.3.2.5. 
Details39621 CVE-UseafterfreeinNavigationinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoexecutearbitrary More2026- 8.8codeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details5877 CVE-InsufficientvalidationofuntrustedinputinANGLEinGoogleChromeonMacpriorto147.0.7727.55allowedaremote More2026- 8.8attackertoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details5879 openITCOCKPITisanopensourcemonitoringtoolbuiltfordifferentmonitoringengines.openITCOCKPITCommunity Editionpriortoversion5.5.2containsacommandinjectionvulnerabilitythatallowsanauthenticateduserwithCVE-permissiontoaddormodifyhoststoexecutearbitraryOScommandsonthemonitoringbackend.Thevulnerability More2026- 8.8arisesbecauseuser-controlledhostattributes(specificallythehostaddress)areexpandedintomonitoringcommand Details24893templateswithoutvalidation,escaping,orquoting.Thesetemplatesarelaterexecutedbythemonitoringengine (Nagios/Icinga)viaashell,resultinginremotecodeexecution.Version5.5.2patchestheissue. CVE-InsufficientvalidationofuntrustedinputinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattacker More2026-whohadcompromisedtherendererprocesstoexecutearbitrarycodeinsideasandboxviaacraftedHTMLpage. 8.8 Details5884 OpenClawbefore2026.3.22containsaprivilegeescalationvulnerabilityinthedevice.pair.approvemethodthatCVE- allowsanoperator.pairingapprovertoapprovependingdevicerequestswithbroaderoperatorscopesthanthe More 8.8approveractuallyholds.Attackerscanexploitinsufficientscopevalidationtoescalateprivilegestooperator.admin Details35639 andachieveremotecodeexecutionontheNodeinfrastructure.

CVE- project-managementforneuroimagingresearch.Fromtobefore27.0.3and28.0.1,thehelpeditormoduleofLORIS More didnotproperlysanitizesomeusersuppliedvariableswhichcouldresultinareflectedcross-sitescriptingattackifa 8.7 Details35169 useristrickedintofollowinganinvalidlink.Thesameinputvectorcouldalsoallowanattackertodownloadarbitrary markdownfilesonanunpatchedserver.Thisvulnerabilityisfixedin27.0.3and28.0.1. CVE- ImproperinputvalidationinWindowsHelloallowsanunauthorizedattackertobypassasecurityfeatureovera More2026- 8.7 network. Details27928 AKeyExchangewithoutEntityAuthenticationvulnerabilityintheSSHimplementationofJuniperNetworksApstra CVE- allowsaunauthenticated,MITMattackertoimpersonatemanageddevices.DuetoinsufficientSSHhostkeyvalidation More2025- anattackercanperformamachine-in-the-middleattackontheSSHconnectionsfromApstratomanageddevices, 8.7 Details13914 enablinganattackertoimpersonateamanageddeviceandcaptureusercredentials.Thisissueaffectsallversions ofApstrabefore6.1.1. AdobeConnectversions2025.3,12.10andearlierareaffectedbyaCross-SiteScripting(XSS)vulnerabilitythatcould CVE- resultinprivilegeescalation.Alow-privilegedattackercouldexploitthisvulnerabilitytoinjectmaliciousscriptsintoa More2026- webpage,potentiallygainingelevatedaccessorcontroloverthevictim'saccountorsession.Exploitationofthis 8.7 Details34617 issuerequiresuserinteractioninthatavictimmustvisitamaliciouslycraftedURLorinteractwithacompromised webpage.Scopeischanged. 
ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversionspriorto2.0.0-RC.3,thePENS(Package ExchangeNotificationServices)pluginendpointatpublic/plugin/Pens/pens.phpisaccessiblewithoutauthentication andacceptsauser-controlledpackage-urlparameterthattheserverfetchesusingcurlwithoutfilteringprivateorCVE- internalIPaddresses,enablingunauthenticatedServer-SideRequestForgery(SSRF).Anattackercanexploitthisto More2026- 8.6 probeinternalnetworkservices,accesscloudmetadataendpoints(suchas169.254.169.254)tostealIAMcredentials Details34160 andsensitiveinstancemetadata,ortriggerstate-changingoperationsoninternalservicesviathereceiptandalerts callbackparameters.NoauthenticationisrequiredtoexploiteitherSSRFvector,significantlyincreasingtheattack surface.Thisissuehasbeenfixedinversion2.0.0-RC.3. AcrobatReaderversions26.001.21411,24.001.30360,24.001.30362andearlierareaffectedbyanImproperlyCVE- ControlledModificationofObjectPrototypeAttributes('PrototypePollution')vulnerabilitythatcouldresultinarbitrary More2026- 8.6 codeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteractioninthatavictim Details34622 mustopenamaliciousfile. AcrobatReaderversions24.001.30356,26.001.21367andearlierareaffectedbyanImproperlyControlledCVE- ModificationofObjectPrototypeAttributes('PrototypePollution')vulnerabilitythatcouldresultinarbitrarycode More2026- 8.6 executioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteractioninthatavictimmust Details34621 openamaliciousfile. 
ColdFusionversions2023.18,2025.6andearlierareaffectedbyanImproperLimitationofaPathnametoaRestrictedCVE- Directory('PathTraversal')vulnerabilitythatcouldleadtoarbitraryfilesystemread.Anattackercouldexploitthis More2026- 8.6 vulnerabilitytoaccesssensitivefilesanddirectoriesoutsidetheintendedaccessscope.Exploitationofthisissuedoes Details27305 notrequireuserinteraction. CVE- Alow-privilegedremoteattackercansendModbuspacketstomanipulateregistervaluesthatareinputstothe More2026- 8.6 odorantinjectionlogicsuchthattoomuchortoolittleodorantisinjectedintoagasline. Details4436 PraisonAIisamulti-agentteamssystem.Priorto4.5.128,PraisonAI'sAST-basedPythonsandboxcanbebypassed usingtype.getattributetrampoline,allowingarbitrarycodeexecutionwhenrunninguntrustedagentcode.The _executecodedirectfunctioninpraisonaiagents/tools/pythontools.pyusesASTfilteringtoblockdangerousPythonCVE- attributeslikesubclasses,globals,andbases.However,thefilteronlychecksast.Attributenodes,allowing More2026- 8.6 abypass.ThesandboxreliesonAST-basedfilteringofattributeaccessbutfailstoaccountfordynamicattribute Details40158 resolutionviabuilt-inmethodssuchastype.getattribute,resultinginincompleteenforcementofsecurityrestrictions. Thestring'subclasses'isanast.Constant,notanast.Attribute,soitisnevercheckedagainsttheblockedlist.This vulnerabilityisfixedin4.5.128. 
basic-ftpisanFTPclientforNode.js.Priorto5.2.1,basic-ftpallowsFTPcommandinjectionviaCRLFsequences(\r\n) infilepathparameterspassedtohigh-levelpathAPIssuchascd(),remove(),rename(),uploadFrom(),downloadTo(),CVE- list(),andremoveDir().Thelibrary'sprotectWhitespace()helperonlyhandlesleadingspacesandreturnsotherpaths More2026- 8.6 unchanged,whileFtpContext.send()writestheresultingcommandstringdirectlytothecontrolsocketwith\r\n Details39983 appended.Thisletsattacker-controlledpathstringssplitoneintendedFTPcommandintomultiplecommands.This vulnerabilityisfixedin5.2.1. AdobeFramemakerversions2022.8andearlierareaffectedbyanUntrustedSearchPathvulnerabilitythatmight CVE- allowattackerstoexecutearbitrarycodeinthecontextofthecurrentuser.Iftheapplicationusesasearchpathto More2026- locatecriticalresourcessuchasprograms,thenanattackercouldmodifythatsearchpathtopointtoamalicious 8.6 Details27290 program,whichthetargetedapplicationwouldthenexecute.Exploitationofthisissuedoesnotrequireuser interaction. CVE- TheProductFilterforWooCommercebyWBWWordPresspluginbefore3.1.3doesnotsanitizeandescapea More 8.6 parameterbeforeusingitinaSQLstatement,allowingunauthenticateduserstoperformSQLinjectionattacks Details

Rapid7Velociraptorversionspriorto0.76.2containanimproperinputvalidationvulnerabilityintheclientmonitoring CVE-messagehandlerontheVelociraptorserver(primarilyLinux)thatallowsanauthenticatedremoteattackertowriteto More 8.5arbitraryinternalserverqueuesviaacraftedmonitoringmessagewithamaliciousqueuename.Theserverhandler Detailsthatreceivesclientmonitoringmessagesdoesnotsufficientlyvalidatethequeuenamesuppliedbytheclient, allowingarogueclienttowritearbitrarymessagestoprivilegedinternalqueues.Thismayleadtoremotecode executionontheVelociraptorserver.Rapid7HostedVelociraptorinstancesarenotaffectedbythisvulnerability. CVE-AServer-SideRequestForgery(SSRF)inthe/settings/webhooks/createcomponentofWebkulKrayinCRMv2.2.x More2026- 8.5allowsattackerstoscaninternalresourcesviasupplyingacraftedPOSTrequest. Details38527 n8n-MCPisaModelContextProtocol(MCP)serverthatprovidesAIassistantswithcomprehensiveaccesston8nnode documentation,properties,andoperations.Priorto2.47.4,anauthenticatedServer-SideRequestForgeryinn8n-mcp allowsacallerholdingavalidAUTHTOKENtocausetheservertoissueHTTPrequeststoarbitraryURLssupplied CVE-throughmulti-tenantHTTPheaders.ResponsebodiesarereflectedbackthroughJSON-RPC,soanattackercanread More2026-thecontentsofanyURLtheservercanreach--includingcloudinstancemetadataendpoints(AWSIMDS,GCP,Azure, 8.5 Details39974Alibaba,Oracle),internalnetworkservices,andanyotherhosttheserverprocesshasnetworkaccessto.Theprimary at-riskdeploymentsaremulti-tenantHTTPinstallationswheremorethanoneoperatorcanpresentavalid AUTHTOKEN,orwhereatokenissharedwithless-trustedclients.Single-tenantstdiodeploymentsandHTTP deploymentswithoutmulti-tenantheadersarenotaffected.Thisvulnerabilityisfixedin2.47.4. 
Directusisareal-timeAPIandAppdashboardformanagingSQLdatabasecontent.Priorto11.17.0,thePATCHCVE-/files/{id}endpointacceptsauser-controlledfilenamediskparameter.Bysettingthisvaluetomatchthestorage More2026- 8.5pathofanotheruser'sfile,anattackercanoverwritethatfile'scontentwhilemanipulatingmetadatafieldssuchas Details39942uploadedbytoobscurethetampering.Thisvulnerabilityisfixedin11.17.0. Anattackercancontrolaserver-sideHTTPrequestbysupplyingacraftedURL,causingtheservertoinitiaterequestsCVE-toarbitrarydestinations.Thisbehaviormaybeexploitedtoprobeinternalnetworkservices,accessotherwise More2026- 8.5unreachableendpoints(e.g.,cloudmetadataservices),orbypassnetworkaccesscontrols,potentiallyleadingto Details5936sensitiveinformationdisclosureandfurthercompromiseoftheinternalenvironment. CVE-GitLabhasremediatedanissueinGitLabCE/EEaffectingallversionsfrom16.9.6before18.8.9,18.9before18.9.5, More2026-and18.10before18.10.3thatcouldhaveallowedanauthenticatedusertoinvokeunintendedserver-sidemethods 8.5 Details5173throughwebsocketconnectionsduetoimproperaccesscontrol. CVE-Aflawwasfoundinodh-dashboardinRedHatOpenshiftAI.Thisvulnerabilityintheodh-dashboardcomponentof More2026-RedHatOpenShiftAI(RHOAI)allowsforthedisclosureofKubernetesServiceAccounttokensthroughaNodeJS 8.5 Details5483endpoint.ThiscouldenableanattackertogainunauthorizedaccesstoKubernetesresources. CVE-IBMVerifyIdentityAccessContainer11.0through11.0.2andIBMSecurityVerifyAccessContainer10.0through More2026-10.0.9.1andIBMVerifyIdentityAccess11.0through11.0.2andIBMSecurityVerifyAccess10.0through10.0.9.1 8.5 Details1342couldallowalocallyauthenticatedusertoexecutemaliciousscriptsfromoutsideofitscontrolsphere. 
CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinNSquared More2026-SimplyScheduleAppointmentssimply-schedule-appointmentsallowsBlindSQLInjection.ThisissueaffectsSimply 8.5 Details39495ScheduleAppointments:fromn/athrough<=1.6.9.27. CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinSyedBalkhi More2026-UserFeedbackuserfeedback-liteallowsBlindSQLInjection.ThisissueaffectsUserFeedback:fromn/athrough<= 8.5 Details394751.10.1. CVE-HTML5VideoPlayer1.2.5containsalocalbufferoverflowvulnerabilitythatallowsattackerstoexecutearbitrarycode More2019-bysupplyinganoversizedkeycodestring.Attackerscancraftamaliciouspayloadexceeding997bytesandpasteit 8.4 Details25689intotheKEYCODEfieldintheHelpRegisterdialogtotriggercodeexecutionandspawnacalculatorprocess. FaleemiDesktopSoftware1.8containsalocalbufferoverflowvulnerabilityintheSystemSetupdialogthatallowsCVE-attackerstobypassDEPprotectionsthroughstructuredexceptionhandlingexploitation.Attackerscaninjectacrafted More2019- 8.4payloadintotheSavePathforSnapshotandRecordfilefieldtotriggerabufferoverflowandexecutearbitrarycode Details25691viaROPchaingadgets. PraisonAIisamulti-agentteamssystem.Priorto4.5.128,deploy.pyconstructsasinglecomma-delimitedstringfor thegcloudrundeploy--set-env-varsargumentbydirectlyinterpolatingopenaimodel,openaikey,andopenaibaseCVE-withoutvalidatingthatthesevaluesdonotcontaincommas.gcloudusesacommaasthekey-valuepairseparatorfor More2026- 8.4--set-env-vars.AcommainanyofthethreevaluescausesgcloudtoparsethetrailingtextasadditionalKEY=VALUE Details40113definitions,injectingarbitraryenvironmentvariablesintothedeployedCloudRunservice.Thisvulnerabilityisfixedin 4.5.128. 
PraisonAIisamulti-agentteamssystem.Versions4.5.138andbelowarevulnerabletoarbitrarycodeexecution throughautomatic,unsanitizedimportofatools.pyfilefromthecurrentworkingdirectory.Componentsincluding call.py(importtoolsfromfile()),toolresolver.py(loadlocaltools()),andCLItool-loadingpathsblindlyimportCVE-./tools.pyatstartupwithoutanyvalidation,sandboxing,oruserconfirmation.Anattackerwhocanplaceamalicious More2026- 8.4tools.pyinthedirectorywherePraisonAIislaunched(suchasthroughasharedproject,clonedrepository,orwritable Details40287workspace)achievesimmediatearbitraryPythoncodeexecutioninthehostenvironment.Thiscompromisesthefull PraisonAIprocess,thehostsystem,andanyconnecteddataorcredentials.Thisissuehasbeenfixedinversion 4.5.139. CVE-

UseafterfreeinMicrosoftOfficeWordallowsanunauthorizedattackertoexecutecodelocally. 8.4 More 33115 Details CVE- MoreUntrustedpointerdereferenceinMicrosoftOfficeWordallowsanunauthorizedattackertoexecutecodelocally. 8.4 Details33114 CVE-Heap-basedbufferoverflowinMicrosoftGraphicsComponentallowsanunauthorizedattackertoexecutecode More2026- 8.4locally. Details32221 CVE-ColdFusionversions2023.18,2025.6andearlierareaffectedbyanImproperInputValidationvulnerabilitythatcould More2026-resultinarbitrarycodeexecutioninthecontextofthecurrentuser.Attackerrequireselevatedprivileges.Exploitation 8.4 Details27306ofthisissuerequiresuserinteractioninthatavictimmustopenamaliciousfile. CVE-AcceptanceofextraneousuntrusteddatawithtrusteddatainWindowsCOMallowsanunauthorizedattackerto More2026- 8.4 Details32162 NitroPDFProforWindows14.41.1.4containsaheapuse-after-freevulnerabilityintheimplementationofthe CVE-JavaScriptmethodthis.mailDoc().Duringexecution,aninternalXIDobjectisallocatedandthenfreedprematurely, More2025-afterwhichthefreedpointerisstillpassedintoUIandlogginghelperfunctions.Becausethefreedmemoryregion 8.4 Details69627maycontainunpredictableheapdataorremnantsofattacker-controlledJavaScriptstrings,downstreamroutinessuch aswcscmp()mayprocessinvalidorstalepointers.Thiscanresultinaccessviolationsandnon-deterministiccrashes. CVE- More2026-UseafterfreeinMicrosoftOfficeallowsanunauthorizedattackertoexecutecodelocally. 
8.4 Details32190 RGui3.5.0containsalocalbufferoverflowvulnerabilityintheGUIpreferencesdialogthatallowsattackerstobypassCVE-DEPprotectionsthroughstructuredexceptionhandlingexploitation.Attackerscancraftmaliciousinputinthe More2018- 8.4Languageformenusandmessagesfieldtotriggerastack-basedbufferoverflow,executeaROPchainforVirtualAlloc Details25258allocation,andachievearbitrarycodeexecution. CVE-Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inMicrosoftBrokering More2026- 8.4FileSystemallowsanunauthorizedattackertoelevateprivilegeslocally. Details32091 R3.4.4containsalocalbufferoverflowvulnerabilitythatallowsattackerstoexecutearbitrarycodebyinjectingCVE-maliciousinputintotheGUIPreferenceslanguagefield.Attackerscancraftapayloadwitha292-byteoffsetandJMP More2019- 8.4ESPinstructiontoexecutecommandslikecalc.exewhenthepayloadispastedintotheLanguageformenusand Details25695messagesfield. CVE-EasyVideotoiPodConverter1.6.20containsalocalbufferoverflowvulnerabilityintheuserregistrationfieldthat More2019-allowslocalattackerstooverwritethestructuredexceptionhandler.Attackerscaninputacraftedpayloadexceeding 8.4 Details25701996bytesintheusernamefieldtotriggerSEHoverwriteandexecutearbitrarycodewithuserprivileges. CVE-IBMTivoliNetcoolImpact7.1.0.0through7.1.0.37storessensitiveinformationinlogfilesthatcouldbereadbya More2026- 8.4localuser. 
Details4788 EchoMirage3.1containsastackbufferoverflowvulnerabilitythatallowslocalattackerstocrashtheapplicationorCVE-executearbitrarycodebysupplyinganoversizedstringintheRulesactionfield.Attackerscancreateamalicioustext More2019- 8.4filewithacraftedpayloadexceedingbufferboundariesandpasteitintotheactionfieldthroughtheRulesdialogto Details25705triggertheoverflowandoverwritethereturnaddress. CVE-ChamiloLMSisalearningmanagementsystem.Priorto1.11.38,thereisapathtraversalin More2026-main/exercise/savescores.phpleadingtoarbitraryfilefeletion.Userinputfrom$REQUEST['test']isconcatenated 8.3 Details31939directlyintofilesystempathwithoutcanonicalizationortraversalchecks.Thisvulnerabilityisfixedin1.11.38. InvenTreeisanOpenSourceInventoryManagementSystem.From0.16.0tobefore1.2.7,anyauthenticated CVE-InvenTreeusercancreateavalidAPItokenattributedtoanyotheruserinthesystem--includingadministratorsand More2026-superusers--bysupplyingthetarget'suserIDintheuserfieldofaPOST/api/user/tokens/request.Thereturned 8.3 Details35478tokenisimmediatelyusableforfullAPIauthenticationasthetargetuser,fromanynetworklocation,withnofurther interactionrequired.Thisvulnerabilityisfixedin1.2.7and1.3.0. 
Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priorto2.3.0,theCanUpdatecheckat pkg/models/projectpermissions.go:139-148onlyrequiresCanWriteonthenewparentprojectwhenchanging parentprojectid.However,Vikunja'spermissionmodelusesarecursiveCTEthatwalksuptheprojecthierarchytoCVE- Morecomputepermissions.Movingaprojectunderadifferentparentchangesthepermissioninheritancechain.Whena2026- 8.3 DetailsuserhasinheritedWriteaccess(fromaparentprojectshare)andreparentsthechildprojectundertheirownproject35595 tree,theCTEresolvestheirownershipofthenewparentasAdmin(permissionlevel2)onthemovedproject.This vulnerabilityisfixedin2.3.0. kcpisaKubernetes-likecontrolplaneforform-factorsanduse-casesbeyondKubernetesandcontainerworkloads.CVE-Priorto0.30.3and0.29.3,thecacheserverisdirectlyexposedbytherootshardandhasnoauthenticationor More 8.2authorizationinplace.Thisallowsanyonewhocanaccesstherootshardtoreadandwritetothecacheserver.This Details

vulnerabilityisfixedin0.30.3and0.29.3.39429 CVE-CommandinjectioninalertsinCoolerControl/coolercontrold<4.0.0allowsauthenticatedattackerstoexecute More 8.2arbitrarycodeasrootviainjectedbashcommandsinalertnames Details WordPressadivahaTravelPlugin2.3containsatime-basedblindSQLinjectionvulnerabilitythatallowsCVE-unauthenticatedattackerstomanipulatedatabasequeriesbyinjectingSQLcodethroughthe'pid'GETparameter. More2023- 8.2Attackerscansendrequeststothe/mobile-app/v3/endpointwithcrafted'pid'valuesusingXOR-basedpayloadsto Details54359extractsensitivedatabaseinformationorcausedenialofservice. PostizisanAIsocialmediaschedulingtool.Priorto2.21.5,the/api/public/streamendpointisvulnerabletoSSRF.CVE-AlthoughtheapplicationvalidatestheinitiallysuppliedURLandblocksdirectprivate/internalhosts,itdoesnotre- More2026- 8.2validatethefinaldestinationafterHTTPredirects.Asaresult,anattackercansupplyapublicHTTPSURLthatpasses Details40168validationandthenredirectstheserver-siderequesttoaninternalresource. CVE-CMSsite1.0containsanSQLinjectionvulnerabilitythatallowsunauthenticatedattackerstomanipulatedatabase More2019-queriesbyinjectingSQLcodethroughthecatidparameter.AttackerscansendGETrequeststocategory.phpwith 8.2 Details25697maliciouscatidvaluestoextractsensitivedatabaseinformationincludingusernamesandcredentials. 
Saltcornisanextensible,opensource,no-codedatabaseapplicationbuilder.Priorto1.4.5,1.5.5,and1.6.0-beta.4, CVE-thePOST/sync/offlinechangesendpointallowsanunauthenticatedattackertocreatearbitrarydirectoriesandwrite More2026-achanges.jsonfilewithattacker-controlledJSONcontentanywhereontheserverfilesystem.TheGET 8.2 Details40163/sync/uploadfinishedendpointallowsanunauthenticatedattackertolistarbitrarydirectorycontentsandread specificJSONfiles.Thisvulnerabilityisfixedin1.4.5,1.5.5,and1.6.0-beta.4. CVE-DolibarrERP-CRM8.0.4containsanSQLinjectionvulnerabilityintherowidparameteroftheadmindict.phpendpoint More2019-thatallowsattackerstoexecutearbitrarySQLqueries.AttackerscaninjectmaliciousSQLcodethroughtherowid 8.2 Details25710POSTparametertoextractsensitivedatabaseinformationusingerror-basedSQLinjectiontechniques. OPNsenseisaFreeBSDbasedfirewallandroutingplatform.Priorto26.1.6,OPNsense'sLDAPauthentication connectorpassestheloginusernamedirectlyintoanLDAPsearchfilterwithoutcallingldapescape().An CVE-unauthenticatedattackercaninjectLDAPfiltermetacharactersintotheusernamefieldoftheWebGUIloginpageto More2026-enumeratevalidLDAPusernamesintheconfigureddirectory.WhentheLDAPserverconfigurationincludesan 8.2 Details34578ExtendedQuerytorestrictlogintomembersofaspecificgroup,thesameinjectioncanbeusedtobypassthatgroup membershiprestrictionandauthenticateasanyLDAPuserwhosepasswordisknown,regardlessofgroup membership.Thisvulnerabilityisfixedin26.1.6. 
jqisacommand-lineJSONprocessor.Anintegeroverflowvulnerabilityexiststhroughversion1.8.1withinthe jvpstringappend()andjvpstringcopyreplacebadfunctions,whereconcatenatingstringswithacombinedlength exceeding2^31bytescausesa32-bitunsignedintegeroverflowinthebufferallocationsizecalculation,resultingin CVE-adrasticallyundersizedheapbuffer.Subsequentmemorycopyoperationsthenwritethefullstringdataintothis More2026-undersizedbuffer,causingaheapbufferoverflowclassifiedasCWE-190(IntegerOverflow)leadingtoCWE-122 8.2 Details32316(Heap-basedBufferOverflow).Anysystemevaluatinguntrustedjqqueriesisaffected,asanattackercancrashthe processorpotentiallyachievefurtherexploitationthroughheapcorruptionbycraftingqueriesthatproduce extremelylargestrings.Therootcauseistheabsenceofstringsizeboundschecking,unlikearraysandobjectswhich alreadyhavesizelimits.Theissuehasbeenaddressedincommite47e56d226519635768e6aab2f38f0ab037c09e5. Aheap-basedbufferoverflowvulnerabilityinFortinetFortiAnalyzerCloud7.6.2through7.6.4,FortiManagerCloudCVE-7.6.2through7.6.4mayallowaremoteunauthenticatedattackertoexecutearbitrarycodeorcommandsvia More2026- 8.1specificallycraftedrequests.Successfulexploitationwouldrequirealargeamountofeffortinpreparationbecauseof Details22828ASLRandnetworksegmentation CVE-Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsTCP/IP More2026- 8.1allowsanunauthorizedattackertoexecutecodeoveranetwork. 
Details33827 Anissuewasdiscoveredinmusllibc0.7.10through1.2.6.Stack-basedmemorycorruptioncanoccurduringqsortofCVE-verylargearrays,duetoincorrectlyimplementeddouble-wordprimitives.Thenumberofelementsmustexceed More2026- 8.1aboutsevenmillion,i.e.,the32ndLeonardonumberon32-bitplatforms(orthe64thLeonardonumberon64-bit Details40200platforms,whichisnotpractical). CVE- More2025- 8.1inCactusThemesVideoProallowsPHPLocalFileInclusion.ThisissueaffectsVideoPro:fromn/athrough2.3.8.1. Details58913 TheMWWPFormpluginforWordPressisvulnerabletoArbitraryFileMove/Readinallversionsuptoandincluding 5.1.1.Thisisduetoinsufficientvalidationofthe$nameparameter(uploadfieldkey)passedtothe generateuserfiledirpath()function,whichusesWordPress'spathjoin()--afunctionthatreturnsabsolutepaths unchanged,discardingtheintendedbasedirectory.Theattacker-controlledkeyisinjectedviathemwfuploadfiles[] POSTparameter,whichisloadedintotheplugin'sDatamodelviasetrequestvaliables().Duringformprocessing, CVE-regenerateuploadfilekeys()iteratesoverthesekeysandcallsgenerateuserfilepath()withtheattacker-supplied More 8.1keyasthe$nameargument--thekeysurvivesvalidationbecausethetargetedfile(e.g.,wp-config.php)genuinely Details existsattheabsolutepath.Thegetattachments()methodthenre-readsthesamesurvivingkeysandpassesthe resolvedfilepathtomovetempfiletouploaddir(),whichcallsrename()tomovethefileintotheuploadsfolder. Thismakesitpossibleforunauthenticatedattackerstomovearbitraryfilesontheserver,whichcaneasilyleadto

remotecodeexecutionwhentherightfileismoved(suchaswp-config.php).Thevulnerabilityisonlyexploitableifa fileuploadfieldisaddedtotheformandthe"Savinginquirydataindatabase"optionisenabled. CVE-AplaintextstorageofapasswordvulnerabilityinSynologySSLVPNClientbefore1.4.5-0684allowsremoteattackers Moretoaccessorinfluencetheuser'sPINcodeduetoinsecurestorage.ThismayleadtounauthorizedVPNconfiguration 8.1 Details47961andpotentialinterceptionofsubsequentVPNtrafficwhencombinedwithuserinteraction. OpenClawbefore2026.3.23containsaninsufficientaccesscontrolvulnerabilityintheGatewayagent/resetendpointCVE-thatallowscallerswithoperator.writepermissiontoresetadminsessions.Attackerswithoperator.writeprivilegescan More2026- 8.1invoke/resetor/newmessageswithanexplicitsessionKeytobypassoperator.adminrequirementsandreset Details35660arbitrarysessions. OpenClawbefore2026.3.24containsanincorrectauthorizationvulnerabilityinthePOST/reset-profileendpointthatCVE-allowsauthenticatedcallerswithoperator.writeaccesstobrowser.requesttobypassprofilemutationrestrictions. More2026- 8.1AttackerscaninvokePOST/reset-profilethroughthebrowser.requestsurfacetostoptherunningbrowser,close Details35653Playwrightconnections,andmoveprofiledirectoriestoTrash,crossingintendedprivilegeboundaries. 
ThePerfmatterspluginforWordPressisvulnerabletoarbitraryfileoverwriteviapathtraversalinallversionsupto, andincluding,2.5.9.ThisisduetothePMCS::action_handler()methodprocessingthebulkaction CVE-activate/deactivatehandlerswithoutanyauthorizationcheckornonceverification.The$_GET['snippets'][] More2026-valuesarepassedunsanitizedtoSnippet::activate()/Snippet::deactivate()whichcallSnippet::update()then 8.1 Details4351file_put_contents()withthetraversedpath.Thismakesitpossibleforauthenticatedattackers,withSubscriber-level accessandabove,tooverwritearbitraryfilesontheserverwithafixedPHPdocblockcontent,potentiallycausing denialofservicebycorruptingcriticalfileslike.htaccessorindex.php. CVE-ABrokenObject-LevelAuthorization(BOLA)inthe/Contact/Persons/PersonController.phpendpointofWebkulKrayin More2026-CRMv2.2.xallowsauthenticatedattackerstoarbitrarilyread,modify,andpermanentlydeleteanycontactownedby 8.1 Details38532otherusersviasupplyingacraftedGETrequest. simple-gitenablesrunningnativeGitcommandsfromJavaScript.Versionsuptoandincluding3.31.1allowexecution ofarbitrarycommandsthroughGitoptionmanipulation,bypassingsafetychecksmeanttoblockdangerousoptions CVE-like-uand--upload-pack.TheflawstemsfromanincompletefixforCVE-2022-25860,asGit'sflexibleoptionparsing More2026-allowsnumerouscharactercombinations(e.g.,-vu,-4u,-nu)tocircumventtheregular-expression-basedblocklistin 8.1 Details28291theunsafeoperationsplugin.DuetothevirtuallyinfinitenumberofvalidoptionvariantsthatGitaccepts,acomplete blocklist-basedmitigationmaybeinfeasiblewithoutfullyemulatingGit'soptionparsingbehavior.Thisissuehasbeen fixedinversion3.32.0. 
OpenClawbefore2026.3.25containsaprivilegeescalationvulnerabilityinthegatewaypluginsubagentfallbackCVE-deleteSessionfunctionthatusesasyntheticoperator.adminruntimescope.Attackerscanexploitthisbytriggering More2026- 8.1sessiondeletionwithoutarequest-scopedclienttoexecuteprivilegedoperationswithunintendedadministrative Details35645scope. CVE-OutofboundsreadinBlinkinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoperformanoutof More2026- 8.1boundsmemoryreadviaacraftedHTMLpage.(Chromiumsecurityseverity:Low) Details5913 CVE-InsufficientdatavalidationinMediainGoogleChromepriorto147.0.7727.55allowedaremoteattackertoperform More2026- 8.1anoutofboundsmemoryreadviaacraftedvideofile.(Chromiumsecurityseverity:Low) Details5907 nimiq-blockchainprovidespersistentblockstorageforNimiq'sRustimplementation.In1.3.0andearlier,block timestampvalidationenforcesthattimestamp>=parent.timestampfornon-skipblocksandtimestamp==CVE-parent.timestamp+MINPRODUCERTIMEOUTforskipblocks,butthereisnovisibleupperboundcheckagainstthe More2026- 8.1wallclock.Amaliciousblock-producingvalidatorcansetblocktimestampsarbitrarilyfarinthefuture.Thisdirectly Details40093affectsrewardcalculationsviaPolicy::supplyat()andbatchdelay()inblockchain/src/reward.rs,inflatingthe monetarysupplybeyondtheintendedemissionschedule.

authorizationandthemesupport.Priorto0.31.4.0,theinstallrouteguardinci4msreliessolelyonavolatilecacheCVE-check(cache('settings'))combinedwith.envfileexistencetoblockpost-installationaccesstothesetupwizard.When More2026- 8.1thedatabaseistemporarilyunreachableduringacachemiss(TTLexpiryoradmin-triggeredcacheclear),theguard Details39393failsopen,allowinganunauthenticatedattackertooverwritethe.envfilewithattacker-controlleddatabase credentials,achievingfullapplicationtakeover.Thisvulnerabilityisfixedin0.31.4.0. CVE-ABrokenObject-LevelAuthorization(BOLA)inthe/Controllers/Lead/LeadController.phpendpointofWebkulKrayin More2026-CRMv2.2.xallowsauthenticatedattackerstoarbitrarilyread,modify,andpermanentlydeleteanyleadownedby 8.1 Details38530otherusersviasupplyingacraftedGETrequest. CVE-InsufficientvalidationofuntrustedinputinWebMLinGoogleChromepriorto147.0.7727.55allowedaremote More 2026- 8.1attackertoperformanoutofboundsmemorywriteviaacraftedHTMLpage.(Chromiumsecurityseverity:Low) Details 5915 OpenClawbefore2026.3.25containsanimproperaccesscontrolvulnerabilityintheHTTP/sessions/:sessionKey/killCVE-routethatallowsanybearer-authenticatedusertoinvokeadmin-levelsessionterminationfunctionswithoutproper More 8.1scopevalidation.Attackerscanexploitthisbysendingauthenticatedrequeststokillarbitrarysubagentsessionsvia Details34512thekillSubagentRunAdminfunction,bypassingownershipandoperatorscoperestrictions.

BSVRubySDKistheRubySDKfortheBSVblockchain.From0.3.1tobefore0.8.2, BSV::Wallet::WalletClient#acquirecertificatepersistscertificaterecordstostoragewithoutverifyingthecertifier'sCVE-signatureoverthecertificatecontents.Inacquisitionprotocol:'direct',thecallersuppliesallcertificatefields More 8.1(includingsignature:)andtherecordiswrittentostorageverbatim.Inacquisitionprotocol:'issuance',theclient Details40070POSTstoacertifierURLandwriteswhateversignaturetheresponsebodycontains,alsowithoutverification.An attackerwhocanreacheitherAPI(orwhocontrolsacertifierendpointtargetedbytheissuancepath)canforge identitycertificatesthatsubsequentlyappearauthentictolistcertificatesandprove_certificate. CVE-IntegeroverflowvulnerabilityinSamsungOpenSourceEscargotallowsOverflowBuffers.ThisissueaffectsEscargot: More2026- 8.197e8115ab1110bc502b4b5e4a0c689a71520d335. Details25208 CVE-InMesabefore25.3.6and26before26.0.1,out-of-boundsmemoryaccesscanoccurinWebGPUbecausetheamount More2026- 8.1ofto-be-allocateddatadependsonanuntrustedparty,andisthenusedforalloca. Details40393 ImproperLimitationofaPathnametoaRestrictedDirectory(CWE-22)inLogstashcanleadtoarbitraryfilewriteand potentiallyremotecodeexecutionviaRelativePathTraversal(CAPEC-139).ThearchiveextractionutilitiesusedbyCVE-Logstashdonotproperlyvalidatefilepathswithincompressedarchives.Anattackerwhocanserveaspecially More2026- 8.1craftedarchivetoLogstashthroughacompromisedorattacker-controlledupdateendpointcanwritearbitraryfilesto Details33466thehostfilesystemwiththeprivilegesoftheLogstashprocess.Incertainconfigurationswhereautomaticpipeline reloadingisenabled,thiscanbeescalatedtoremotecodeexecution.

authorizationandthemesupport.Priorto0.31.4.0,theInstall::index()controllerreadsthehostPOSTparameter CVE-withoutanyvalidationandpassesitdirectlyintoupdateEnvSettings(),whichwritesitintothe.envfilevia More2026-pregreplace().Becausenewlinecharactersinthevaluearenotstripped,anattackercaninjectarbitrary 8.1 Details39394configurationdirectivesintothe.envfile.TheinstallrouteshaveCSRFprotectionexplicitlydisabled,andthe InstallFiltercanbebypassedwhencache('settings')isempty(cacheexpiryorfreshdeployment).Thisvulnerabilityis fixedin0.31.4.0. nanobotisapersonalAIassistant.Versionspriorto0.1.5containaCross-SiteWebSocketHijacking(CSWSH) vulnerabilityexistsinthebridge'sWebSocketserverinbridge/src/server.ts,resultingfromanincompleteremediation ofCVE-2026-2577.Theoriginalfixchangedthebindingfrom0.0.0.0to127.0.0.1andaddedanoptional CVE-BRIDGETOKENparameter,buttokenauthenticationisdisabledbydefaultandtheserverdoesnotvalidatetheOrigin More2026-headerduringtheWebSockethandshake.BecausebrowsersdonotenforcetheSame-OriginPolicyonWebSockets 8.0 Details35589unlesstheserverexplicitlydeniescross-originconnections,anywebsitevisitedbyauserrunningthebridgecan establishaWebSocketconnectiontows://127.0.0.1:3001/andgainfullaccesstothebridgeAPI.Thisallowsan attackertohijacktheWhatsAppsession,readincomingmessages,stealauthenticationQRcodes,andsend messagesonbehalfoftheuser.Thisissuehasbeefixedinversion0.1.5. CVE-ImproperinputvalidationinWindowsActiveDirectoryallowsanauthorizedattackertoexecutecodeoveranadjacent More2026- 8.0network. Details33826 CVE-ImproperauthorizationinWindowsKerberosallowsanauthorizedattackertoelevateprivilegesoveranadjacent More2026- 8.0network. 
Details27912 CVE-TotaraLMSv19.1.5andbeforeisvulnerabletoHTLMInjection.AnattackercaninjectmaliciousHTLMcodeina More2026-messageandsendittoalltheusersintheapplication,resultinginexecutingthecodeandmayleadtosession 8.0 Details31281hijackingandexecutingcommandsonthevictim'sbrowser. AnOScommandinjectionvulnerabilityinthednsmasqmoduleofTP-LinkArcherAX53v1.0allowsanauthenticatedCVE-adjacentattackertoexecutearbitrarycodewhenaspeciallycraftedconfigurationfileisprocessedduetoinsufficient More2026- 8.0inputvalidation.Successfulexploitationmayallowtheattackertomodifydeviceconfiguration,accesssensitive Details30818information,orfurthercompromisesystemintegrity.ThisissueaffectsAX53v1.0:before1.7.1Build20260213. AnOScommandinjectionvulnerabilityintheOpenVPNmoduleofTP-LinkArcherAX53v1.0allowsanauthenticated CVE-adjacentattackertoexecutesystemcommandswhenaspeciallycraftedconfigurationfileisprocesseddueto More2026-insufficientinputvalidation.Successfulexploitationmayallowmodificationofconfigurationfiles,disclosureof 8.0 Details30815sensitiveinformation,orfurthercompromiseofdeviceintegrity.ThisissueaffectsAX53v1.0:before1.7.1Build 20260213. Astack-basedbufferoverflowinthetmpServermoduleofTP-LinkArcherAX53v1.0allowsanauthenticatedadjacent CVE-attackertotriggerasegmentationfaultandpotentiallyexecutearbitrarycodeviaaspeciallycraftedconfiguration More2026-file.Successfulexploitationmaycauseacrashandcouldallowarbitrarycodeexecution,enablingmodificationof 8.0 Details30814devicestate,exposureofsensitivedata,orfurthercompromiseofdeviceintegrity.ThisissueaffectsAX53v1.0: before1.7.1Build20260213. 
PraisonAIisamulti-agentteamssystem.Priorto4.5.128,thegateway's/api/approval/allow-listendpointpermits unauthenticatedmodificationofthetoolapprovalallowlistwhennoauthtokenisconfigured(thedefault).ByaddingCVE- Moredangeroustoolnames(e.g.,shellexec,file_write)totheallowlist,anattackercancausetheExecApprovalManagerto 7.9 Detailsauto-approveallfutureagentinvocationsofthosetools,bypassingthehuman-in-the-loopsafetymechanismthatthe40149 approvalsystemisspecificallydesignedtoenforce.Thisvulnerabilityisfixedin4.5.128.

CVE- More UseafterfreeinMicrosoftOfficeExcelallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details 32189 OpenClawbefore2026.3.24containsanarbitrarycodeexecutionvulnerabilityinlocalpluginandhookinstallationCVE- thatallowsattackerstoexecutemaliciouscodebycraftinga.npmrcfilewithagitexecutableoverride.Duringnpm More2026- 7.8 installexecutioninthestagedpackagedirectory,attackerscanleveragegitdependenciestotriggerexecutionof Details35641 arbitraryprogramsspecifiedintheattacker-controlled.npmrcconfigurationfile. CVE- ImproperhandlingofinsufficientpermissionsorprivilegesinWindowsInstallerallowsanauthorizedattackerto More2026- 7.8 Details27910 CVE- More2026- 7.8 Details32159 CVE- More2026- 7.8 Details32160 CVE- DeserializationofuntrusteddatainMicrosoftHighPerformanceComputePack(HPC)allowsanauthorizedattackerto More2026- 7.8 Details32184 CVE- Improperneutralizationofspecialelementsusedinacommand('commandinjection')inWindowsSnippingTool More2026- 7.8 allowsanunauthorizedattackertoexecutecodelocally. Details32183 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsUser More2026- 7.8 InterfaceCoreallowsanauthorizedattackertoelevateprivilegeslocally. 
Details32164 PraisonAIisamulti-agentteamssystem.Priorto4.5.128,PraisonAIautomaticallyloadsafilenamedtools.pyfromthe currentworkingdirectorytodiscoverandregistercustomagenttools.Thisloadingprocessuses importlib.util.specfromfilelocationandimmediatelyexecutesmodule-levelcodeviaspec.loader.execmodule() withoutexplicituserconsent,validation,orsandboxing.Thetools.pyfileisloadedimplicitly,evenwhenitisnotCVE- referencedinconfigurationfilesorexplicitlyrequestedbytheuser.Asaresult,merelyplacingafilenamedtools.py More2026- 7.8 intheworkingdirectoryissufficienttotriggercodeexecution.Thisbehaviorviolatestheexpectedsecurityboundary Details40156 betweenuser-controlledprojectfiles(e.g.,YAMLconfigurations)andexecutablecode,asuntrustedcontentinthe workingdirectoryistreatedastrustedandexecutedautomatically.Ifanattackercanplaceamalicioustools.pyfile intoadirectorywhereauserorautomatedsystem(e.g.,CI/CDpipeline)runspraisonai,arbitrarycodeexecution occursimmediatelyuponstartup,beforeanyagentlogicbegins.Thisvulnerabilityisfixedin4.5.128. CVE- More2026- UseafterfreeinWindowsUserInterfaceCoreallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details32165 CVE- More2026- ImproperinputvalidationinAzureMonitorAgentallowsanauthorizedattackertoelevateprivilegeslocally. 
7.8 Details32168 Fleetisopensourcedevicemanagementsoftware.Priorto4.81.1,theOrbitagent'sFileVaultdiskencryptionkey CVE- rotationflowoncollectsalocaluser'spasswordviaaGUIdialogandinterpolatesitdirectlyintoaTcl/expectscript More2026- executedviaexec.Command("expect","-c",script).BecausethepasswordisinsertedintoTclbrace-quotedsend 7.8 Details27806 {%s},apasswordcontaining}terminatestheliteralandinjectsarbitraryTclcommands.SinceOrbitrunsasroot,this allowsalocalunprivilegedusertoescalatetorootprivileges.Thisvulnerabilityisfixedin4.81.1. CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsUser More2026- 7.8 InterfaceCoreallowsanauthorizedattackertoelevateprivilegeslocally. Details32163 MemProcFSbefore5.17containsmultipleunsafelibrary-loadingpatternsthatenableDLLandshared-libraryhijackingCVE- acrosssixattacksurfaces,includingbare-nameLoadLibraryUanddlopencallswithoutpathqualificationforvmmpyc, More2026- 7.8 libMSCompression,andpluginDLLs.AnattackerwhoplacesamaliciousDLLorsharedlibraryintheworkingdirectory Details40031 ormanipulatesLDLIBRARYPATHcanachievearbitrarycodeexecutionwhenMemProcFSloads. CVE- More2026- DeserializationofuntrusteddatainAzureMonitorAgentallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details32192 CVE- More2026- UseafterfreeinMicrosoftOfficeExcelallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details32197 CVE- More inarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteractionin 7.8 Details

34630 thatavictimmustopenamaliciousfile. InCopyversions20.5.2,21.2andearlierareaffectedbyanout-of-boundsreadvulnerabilitywhenparsingacraftedCVE- file,whichcouldresultinareadpasttheendofanallocatedmemorystructure.Anattackercouldleveragethis More 7.8 vulnerabilitytoexecutecodeinthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteractionin Details27287 OpenClawbefore2026.3.25containsaprivilegeescalationvulnerabilitywheresilentlocalshared-authreconnectsCVE- auto-approvescope-upgraderequests,wideningpaireddevicepermissionsfromoperator.readtooperator.admin. More2026- 7.8 Attackerscanexploitthisbytriggeringlocalreconnectiontosilentlyescalateprivilegesandachieveremotecode Details35625 executiononthenode. AnExecutionwithUnnecessaryPrivilegesvulnerabilityintheUserInterface(UI)ofJuniperNetworksJunosOSand JunosOSEvolvedallowsalocal,low-privilegedattackertogainrootprivileges,thuscompromisingthesystem.When aconfigurationthatallowsunsignedPythonopscriptsispresentonthedevice,anon-rootuserisabletoexecuteCVE- maliciousopscriptsasaroot-equivalentuser,leadingtoprivilegeescalation.ThisissueaffectsJunosOS:All More2026- 7.8 versionsbefore22.4R3-S7,from23.2before23.2R2-S4,from23.4before23.4R2-S6,from24.2before24.2R1- Details33793 S2,24.2R2,from24.4before24.4R1-S2,24.4R2;JunosOSEvolved:Allversionsbefore22.4R3-S7-EVO,from 23.2before23.2R2-S4-EVO,from23.4before23.4R2-S6-EVO,from24.2before24.2R2-EVO,from24.4before 24.4R1-S1-EVO,24.4R2-EVO. 
AMissingAuthenticationforCriticalFunctionvulnerabilityintheFlexiblePICConcentrators(FPCs)ofJuniperNetworks JunosOSEvolvedonPTXSeriesallowsalocal,authenticatedattackerwithlowprivilegestogaindirectaccesstoFPCs CVE- installedinthedevice.AlocaluserwithlowprivilegescangaindirectaccesstotheinstalledFPCsasahighprivileged More2026- user,whichcanpotentiallyleadtoafullcompromiseoftheaffectedcomponent.ThisissueaffectsJunosOSEvolved 7.8 Details33788 onPTX10004,PTX10008,PTX100016,withJNP10K-LC1201orJNP10K-LC1202:Allversionsbefore21.2R3-S8-EVO, 21.4-EVOversionsbefore21.4R3-S7-EVO,22.2-EVOversionsbefore22.2R3-S4-EVO,22.3-EVOversionsbefore 22.3R3-S3-EVO,22.4-EVOversionsbefore22.4R3-S2-EVO,23.2-EVOversionsbefore23.2R2-EVO. CVE- InCopyversions20.5.2,21.2andearlierareaffectedbyanout-of-boundswritevulnerabilitythatcouldresultin More2026- 7.8 Details34631 CVE- AdobeFramemakerversions2022.8andearlierareaffectedbyaUseAfterFreevulnerabilitythatcouldresultin More2026- 7.8 Details27292 CVE- More2026- ASDA-SoftStack-basedBufferOverflowVulnerability 7.8 Details5726 CVE- AdobeFramemakerversions2022.8andearlierareaffectedbyaHeap-basedBufferOverflowvulnerabilitythatcould More2026- resultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteraction 7.8 Details27293 AdobeFramemakerversions2022.8andearlierareaffectedbyanout-of-boundsreadvulnerabilitywhenparsingaCVE- More2026- 7.8 Details27294 CVE- AdobeFramemakerversions2022.8andearlierareaffectedbyanout-of-boundswritevulnerabilitythatcouldresult More2026- 7.8 Details27295 HDF5issoftwareformanagingdata.In1.14.1-2andearlier,aheap-use-after-freewasfoundintheh5dumphelperCVE- 
utility.Anattackerwhocansupplyamalicioush5filecantriggeraheapuse-after-free.Thefreedobjectisreferenced More2026- 7.8 inamemmovecallfromH5Tconv_struct.TheoriginalobjectwasallocatedbyH5Dtypeinfoinitphase3andfreed Details34734 byH5D_typeinfoterm. CVE- Thepstrip64.sysdriverinEnTechTaiwanPowerStrip<=3.90.736allowslocaluserstoescalateprivilegestoSYSTEM More2026- viaacraftedIOCTLrequestenablingunprivilegeduserstomaparbitraryphysicalmemoryintotheiraddressspace 7.8 Details29923 andmodifycriticalkernelstructures. WasmtimeisaruntimeforWebAssembly.From32.0.0tobefore36.0.7,42.0.2,and43.0.1,Wasmtime'sCranelift compilationbackendcontainsabugonaarch64whenperformingacertainshapeofheapaccesseswhichmeansthat thewrongaddressisaccessed.WhencombinedwithexplicitboundschecksaguestWebAssemblymodulethiscan createasituationwheretherearetwodivergingcomputationsforthesameaddress:onefortheaddresstobounds- checkandonefortheaddresstoload.Thisdifferenceinaddressbeingoperatedonmeansthataguestmodulecan passaboundscheckbutthenloadadifferentaddress.Combinedtogetherthisenablesanarbitraryread/write primitiveforguestWebAssemblywhenaccesssinghostmemory.Thisisasandboxescapeasguestsareableto read/writearbitraryhostmemory.Thisvulnerabilityhasafewingredients,allofwhichmustbemet,forthissituation CVE- tooccurandbypassthesandboxrestrictions.Thismiscompiledshapeofloadonlyoccurson64-bitWebAssembly More2026- 7.8 linearmemories,orwhenConfig::wasm_memory64isenabled.32-bitWebAssemblyisnotaffected.Spectre Details34971 mitigationsorsignals-based-trapsmustbedisabled.Whenspectremitigationsareenabledthentheoffendingshape ofloadisnotgenerated.Whensignals-based-trapsaredisabledthenspectremitigationsarealsoautomatically 
disabled.ThespecificbuginCraneliftisamiscompileofaloadoftheshapeload(iadd(base,ishl(index,amt)))where amtisaconstant.Theamtvalueismaskedincorrectlytotestifit'sacertainvalue,andthisincorrectmaskmeans

thatCraneliftcanpattern-matchthisloweringruleduringinstructionselectionerroneously,divergingfrom WebAssembly'sandCranelift'ssemantics.Thisincorrectloweringwould,forexample,loadanaddressmuchfurther awaythanintendedasthecorrectaddress'scomputationwouldhavewrappedaroundtoasmallervalueinsetad. Thisvulnerabilityisfixedin36.0.7,42.0.2,and43.0.1. CVE-AdobeFramemakerversions2022.8andearlierareaffectedbyanIntegerUnderflow(WraporWraparound) More2026-vulnerabilitythatcouldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissue 7.8 Details27296requiresuserinteractioninthatavictimmustopenamaliciousfile. CVE-AdobeFramemakerversions2022.8andearlierareaffectedbyanIntegerUnderflow(WraporWraparound) More2026-vulnerabilitythatcouldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissue 7.8 Details27297requiresuserinteractioninthatavictimmustopenamaliciousfile. CVE-AdobeFramemakerversions2022.8andearlierareaffectedbyanAccessofResourceUsingIncompatibleType More2026-('TypeConfusion')vulnerabilitythatcouldresultinarbitrarycodeexecutioninthecontextofthecurrentuser. 
7.8 Details27298 libsixelisaSIXELencoder/decoderimplementationderivedfromkmiya'ssixel.Inversions1.8.7andprior,whenbuilt withthe--with-gdk-pixbuf2option,ause-after-freevulnerabilityexistsinloadwithgdkpixbuf()inloader.c.The cleanuppathmanuallyfreesthesixelframetobjectanditsinternalbufferswithoutconsultingthereferencecount, eventhoughtheobjectwascreatedviatherefcountedconstructorsixelframenew()andexposedtothepublic CVE-callback.Acallbackthatcallssixelframeref(frame)toretainalogicallyvalidreferencewillholdadanglingpointer More2026-aftersixelhelperloadimagefile()returns,andanysubsequentaccesstotheframeoritsfieldstriggersause-after- 7.8 Details33023freeconfirmedbyAddressSanitizer.Therootcauseisaconsistencyfailurebetweentwocleanupstrategiesinthe samecodebase:sixelframeunref()isusedinloadwithbuiltin()butrawfree()isusedinloadwithgdkpixbuf().An attackersupplyingacraftedimagetoanyapplicationbuiltagainstlibsixelwithgdk-pixbuf2supportcantriggerthis reliably,potentiallyleadingtoinformationdisclosure,memorycorruption,orcodeexecution.Thisissuehasbeen

osslsigncodeisatoolthatimplementsAuthenticodesigningandtimestamping.Priorto2.12,Astackbufferoverflow vulnerabilityexistsinosslsigncodeinseveralsignatureverificationpaths.DuringverificationofaPKCS#7signature, thecodecopiesthedigestvaluefromaparsedSpcIndirectDataContentstructureintoafixed-sizestackbufferCVE-(mdbuf[EVPMAXMD_SIZE],64bytes)withoutvalidatingthatthesourcelengthfitswithinthedestinationbuffer.This More2026- 7.8patternispresentintheverificationhandlersforPE,MSI,CAB,andscriptfiles.Anattackercancraftamalicious Details39853signedfilewithanoversizeddigestfieldinSpcIndirectDataContent.Whenauserverifiessuchafilewithosslsigncode verify,theunboundedmemcpycanoverflowthestackbufferandcorruptadjacentstackstate.Thisvulnerabilityis fixedin2.12. CVE-Illustratorversions30.2,29.8.5andearlierareaffectedbyanout-of-boundswritevulnerabilitythatcouldresultin More2026- 7.8 Details34618 CVE- More2026- 7.8 Details27313 CVE- More2026- 7.8 Details27312 CVE- More2026-UntrustedpointerdereferenceinWindowsWin32K-ICOMPallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details32222 CVE- More2026-UseafterfreeinMicrosoftOfficeExcelallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details32198 CVE- More2026-UseafterfreeinMicrosoftOfficeExcelallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details32199 CVE- More2026-UseafterfreeinMicrosoftOfficePowerPointallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details32200 CVE-SamsungMagicINFO9ServerIncorrectDefaultPermissionsLocalPrivilegeEscalationVulnerabilityThisissueaffects More2026- 7.8MagicINFO9Server:lessthan21.1091.1. 
Details25203 parseusbsbefore1.9containsanOScommandinjectionvulnerabilityinparseUSBs.pywhereLNKfilepathsareCVE-passedunsanitizedintoanos.popen()shellcommand,allowingarbitrarycommandexecutionviacrafted.lnk More 7.8filenamescontainingshellmetacharacters.Anattackercancrafta.lnkfilenamewithembeddedshellmetacharacters Details40029thatexecutearbitrarycommandsontheforensicexaminer'smachineduringUSBartifactparsing. parseusbsbefore1.9containsanOScommandinjectionvulnerabilitywherethevolumelistingpathargument(-vCVE-

flag)ispassedunsanitizedintoanos.popen()shellcommandwithls,allowingarbitrarycommandinjectionviacrafted More 7.8 volumepathargumentscontainingshellmetacharacters.Anattackercanprovideacraftedvolumepathviathe-v Details40030 flagthatinjectsarbitrarycommandsduringvolumecontentenumeration. CVE- More Details32155 UAC(Unix-likeArtifactsCollector)before3.3.0-rc1containsacommandinjectionvulnerabilityintheplaceholder substitutionandcommandexecutionpipelinewheretheruncommand()functionpassesconstructedcommandCVE-stringsdirectlytoevalwithoutpropersanitization.Attackerscaninjectshellmetacharactersorcommand More2026- 7.8substitutionsthroughattacker-controlledinputsincluding%line%valuesfromforeachiteratorsand%user%/ Details40032%user_home%valuesderivedfromsystemfilestoachievearbitrarycommandexecutionwiththeprivilegesofthe UACprocess. CVE- More2026-UseafterfreeinMicrosoftOfficeWordallowsanunauthorizedattackertoexecutecodelocally. 7.8 Details33095 CVE- More2026- 7.8 Details27311 CVE-UseafterfreeinWindowsContainerIsolationFSFilterDriverallowsanauthorizedattackertoelevateprivileges More2026- 7.8locally. Details33098 CVE- More2026-UseafterfreeinWindowsPrintSpoolerComponentsallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details33101 CVE-InsufficientgranularityofaccesscontrolinMicrosoftDefenderallowsanauthorizedattackertoelevateprivileges More2026- 7.8locally. Details33825 CVE- More2026-couldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuser 7.8 Details34627interactioninthatavictimmustopenamaliciousfile. CVE- More2026-couldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuser 7.8 Details34628interactioninthatavictimmustopenamaliciousfile. 
CVE- More2026-couldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuser 7.8 Details34629interactioninthatavictimmustopenamaliciousfile. PhotoshopDesktopversions27.4andearlierareaffectedbyanout-of-boundsreadvulnerabilitywhenparsingaCVE- More2026- 7.8 Details27289 CVE- More2026- 7.8 Details27310 CVE- More2026- 7.8 Details32158 CVE-Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsUser More2026- 7.8InterfaceCoreallowsanauthorizedattackertoelevateprivilegeslocally. Details27911 CVE- More2026-Out-of-boundsreadinWindowsStorageSpacesControllerallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details32076 CVE-InDesignDesktopversions20.5.2,21.2andearlierareaffectedbyanout-of-boundswritevulnerabilitythatcould More 2026-resultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuserinteraction 7.8 Details 27291 CVE- MoreDoublefreeinWindowsKernelallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details26179 CVE-UntrustedpointerdereferenceinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanauthorizedattacker More 7.8

27919 toelevateprivilegeslocally. Details CVE- Out-of-boundsreadinWindowsEncryptingFileSystem(EFS)allowsanauthorizedattackertoelevateprivileges More 7.8 locally. Details26153 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsShellallows More2026- 7.8 anauthorizedattackertoelevateprivilegeslocally. Details27918 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsSpeech More2026- 7.8 BrokeredApiallowsanauthorizedattackertoelevateprivilegeslocally. Details32090 CVE- UseafterfreeinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanauthorizedattackertoelevate More2026- 7.8 Details27916 CVE- Heap-basedbufferoverflowinWindowsClientSideCachingdriver(csc.sys)allowsanauthorizedattackertoelevate More2026- 7.8 Details26176 CVE- More2026- couldresultinarbitrarycodeexecutioninthecontextofthecurrentuser.Exploitationofthisissuerequiresuser 7.8 Details27238 interactioninthatavictimmustopenamaliciousfile. CVE- InDesignDesktopversions20.5.2,21.2andearlierareaffectedbyaUseAfterFreevulnerabilitythatcouldresultin More2026- 7.8 Details27283 InDesignDesktopversions20.5.2,21.2andearlierareaffectedbyanout-of-boundsreadvulnerabilitywhenparsingaCVE- More2026- 7.8 Details27284 CVE- More2026- 7.8 Details26172 CVE- UseafterfreeinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanauthorizedattackertoelevate More2026- 7.8 Details27915 CVE- More2026- Heap-basedbufferoverflowinWindowsKernelallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details26180 CVE- More2026- ImproperinputvalidationinMicrosoftPowerShellallowsanauthorizedattackertoelevateprivilegeslocally. 
7.8 Details26170 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsAncillary More2026- 7.8 FunctionDriverforWinSockallowsanauthorizedattackertoelevateprivilegeslocally. Details26168 CVE- More2026- ImproperaccesscontrolinMicrosoftManagementConsoleallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details27914 CVE- More2026- DoublefreeinWindowsKernelallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details26163 CVE- Accessofresourceusingincompatibletype('typeconfusion')inWindowsOLEallowsanauthorizedattackerto More2026- 7.8 Details26162 CVE- UntrustedpointerdereferenceinWindowsSensorDataServiceallowsanauthorizedattackertoelevateprivileges More2026- 7.8 locally. Details26161 CVE- MissingauthenticationforcriticalfunctioninWindowsRemoteDesktopLicensingServiceallowsanauthorized More2026- 7.8 attackertoelevateprivilegeslocally. Details26160 CVE- MissingauthenticationforcriticalfunctioninWindowsRemoteDesktopLicensingServiceallowsanauthorized More 7.8 attackertoelevateprivilegeslocally. Details26159

CVE-…-26156 | Heap-based buffer overflow in Windows Hyper-V allows an unauthorized attacker to execute code locally. | 7.8
CVE-2026-20930 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Management Services allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-23657 | Use after free in Microsoft Office Word allows an unauthorized attacker to execute code locally. | 7.8
CVE-2026-27920 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-26143 | Improper input validation in Microsoft PowerShell allows an unauthorized attacker to bypass a security feature locally. | 7.8
CVE-2026-26184 | Buffer over-read in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-28261 | Dell Elastic Cloud Storage, version 3.8.1.7 and prior, and Dell ObjectScale, versions prior to 4.1.0.3 and version 4.2.0.0, contains an Insertion of Sensitive Information into Log File vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to secret exposure. The attacker may be able to use the exposed secret to access the vulnerable system with privileges of the compromised account. | 7.8
CVE-2026-27907 | Integer underflow (wrap or wraparound) in Windows Storage Spaces Controller allows an authorized attacker to | 7.8
CVE-2026-27923 | |
CVE-2026-32152 | |
CVE-2026-27927 | Concurrent execution using shared resource with improper synchronization ('race condition') in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-32069 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-32074 | Double free in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-32077 | Untrusted pointer dereference in Windows Universal Plug and Play (UPnP) Device Host allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-32078 | Use after free in Windows Projected File System allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-32153 | Use after free in Microsoft Windows Speech allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-26183 | Improper access control in Windows RPC API allows an authorized attacker to elevate privileges locally. | 7.8
CVE-2026-27909 | Use after free in Microsoft Windows Search Component allows an authorized attacker to elevate privileges locally. | 7.8
CVE-…-32154 | |

CVE- UseafterfreeinWindowsSpeechBrokeredApiallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 More Details 32089 CVE- More UseafterfreeinMicrosoftBrokeringFileSystemallowsanauthorizedattackertoelevateprivilegeslocally. 7.8 Details26181 CVE- More2026- Details27924 CVE- project-managementforneuroimagingresearch.From24.0.0tobefore27.0.3and28.0.1,anincorrectorderof More2026- 7.7 operationsintheFilesDownloadHandlercouldresultinanattackerescapingtheintendeddownloaddirectories.This Details35446 ColdFusionversions2023.18,2025.6andearlierareaffectedbyanImproperLimitationofaPathnametoaRestrictedCVE- Directory('PathTraversal')vulnerabilitythatcouldresultinaSecurityfeaturebypass.Anattackercouldleveragethis More2026- 7.7 vulnerabilitytoaccessunauthorizedfilesordirectoriesoutsidetheintendedrestrictions.Exploitationofthisissue Details34619 doesnotrequireuserinteraction. InOpenStackKeystonebefore28.0.1,theLDAPidentitybackenddoesnotconverttheuserenabledattributetoa booleanwhentheuserenabledinvertconfigurationoptionisFalse(thedefault).Theldaprestomodelmethodin CVE- theUserApiclassonlyperformedstring-to-booleanconversionwhenuserenabledinvertwasTrue.WhenFalse,the More2026- rawstringvaluefromLDAP(e.g.,"FALSE")wasuseddirectly.Sincenon-emptystringsaretruthyinPython,users 7.7 Details40683 markedasdisabledinLDAPweretreatedasenabledbyKeystone,allowingthemtoauthenticateandperformactions. AlldeploymentsusingtheLDAPidentitybackendwithoutuserenabledinvert=Trueoruserenabledemulationare affected. CVE- More2026- ImproperinputvalidationinWindowsBitLockerallowsanunauthorizedattackertobypassasecurityfeaturelocally. 
7.7 Details27913 Planeisananopen-sourceprojectmanagementtool.From0.28.0tobefore1.3.0,theremediationofGHSA-jcc6-f9v6- f7jwisincompletewhichcouldleadtothesamefullreadServer-SideRequestForgerywhenanormalhtmlpageCVE- containsalinktagwithanhrefthatredirectstoaprivateIPaddressissuppliedtoAddlinkbyanauthenticated More2026- 7.7 attackerwithlowprivileges.RedirectsforthemainpageURLarevalidated,butnotthefaviconfetchpath. Details39843 fetchandencodefavicon()stillusesrequests.get(faviconurl,...)withthedefaultredirect-following.This vulnerabilityisfixedin1.3.0. Chartbrewisanopen-sourcewebapplicationthatcanconnectdirectlytodatabasesandAPIsandusethedatato createcharts.Priorto4.9.0,across-tenantauthorizationbypassexistsinChartbrewinGET CVE- /team/:teamid/template/generate/:projectid.TheGEThandlercallscheckAccess(req,"updateAny","chart")without More2026- awaitingthereturnedpromise,anditdoesnotverifythatthesuppliedprojectidbelongstoreq.params.teamidorto 7.7 Details32252 thecaller'steam.Asaresult,anauthenticatedattackerwithvalidtemplate-generationpermissionsintheirownteam canrequestthetemplatemodelforaprojectbelongingtoanotherteamandreceivevictimprojectdata.This vulnerabilityisfixedin4.9.0. CVE- PermissionbypassvulnerabilityintheLBSmodule.Impact:Successfulexploitationofthisvulnerabilitymayaffect More2026- 7.7 Details34853 CVE- goshsisaSimpleHTTPServerwritteninGo.From1.0.7tobefore2.0.0-beta.4,theSFTPcommandrenamesanitizes More2026- onlythesourcepathandnotthedestination,soitispossibletowriteoutsideoftherootdirectoryoftheSFTP.This 7.7 Details40188 vulnerabilityisfixedin2.0.0-beta.4. 
PraisonAIAgentsisamulti-agentteamssystem.Priorto1.5.128,thewebcrawl()functionin CVE- praisonaiagents/tools/webcrawltools.pyacceptsarbitraryURLsfromAIagentswithzerovalidation.Noscheme More2026- allowlisting,hostname/IPblocklisting,orprivatenetworkchecksareappliedbeforefetching.Thisallowsanattacker 7.7 Details40150 (orpromptinjectionincrawledcontent)toforcetheagenttofetchcloudmetadataendpoints,internalservices,or localfilesviafile://URLs.Thisvulnerabilityisfixedin1.5.128. OpenClawbefore2026.3.24containsapathtraversalvulnerabilityinsandboxenforcementallowingsandboxed CVE- agentstoreadarbitraryfilesfromotheragents'workspacesviaunnormalizedmediaUrlorfileUrlparameterkeys. More2026- AttackerscanexploitincompleteparametervalidationinnormalizeSandboxMediaParamsandmissing 7.7 Details35668 mediaLocalRootscontexttoaccesssensitivefilesincludingAPIkeysandconfigurationdataoutsidedesignated sandboxroots. ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,ChamiloLMScontainsaServer-Side RequestForgery(SSRF)vulnerabilityintheSocialWallfeature.TheendpointreadurlwithopengraphacceptsaURLCVE- fromtheuserviathesocialwallnewmsg_mainPOSTparameterandperformstwoserver-sideHTTPrequeststothat More2026- 7.7 URLwithoutvalidatingwhetherthetargetisaninternalorexternalresource.Thisallowsanauthenticatedattackerto Details31941 forcetheservertomakearbitraryHTTPrequeststointernalservices,scaninternalports,andaccesscloudinstance metadata.Thisvulnerabilityisfixedin1.11.38and2.0.0-RC.3. ExecutionwithUnnecessaryPrivileges(CWE-250)inKibana'sFleetplugindebugroutehandlerscanleadreadingCVE-

indexdatabeyondtheirdirectElasticsearchRBACscopeviaPrivilegeAbuse(CAPEC-122).Thisrequiresan More 7.7 authenticatedKibanauserwithFleetsub-featureprivileges(suchasagents,agentpolicies,andsettings Details management). IncorrectAuthorization(CWE-863)inKibanacanleadtoinformationdisclosureviaPrivilegeAbuse(CAPEC-122).A CVE-userwithlimitedFleetprivilegescanexploitaninternalAPIendpointtoretrievesensitiveconfigurationdata, More2026-includingprivatekeysandauthenticationtokens,thatshouldonlybeaccessibletouserswithhigher-levelsettings 7.7 Details33461privileges.Theendpointcomposesitsresponsebyfetchingfullconfigurationobjectsandreturningthemdirectly, bypassingtheauthorizationchecksenforcedbythededicatedsettingsAPIs. CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinRealMag777 More2026- 7.6FOXwoocommerce-currency-switcherallowsBlindSQLInjection.ThisissueaffectsFOX:fromn/athrough<=1.4.5. Details39497 CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinWPMUDEV- More2026-YourAll-in-OneWordPressPlatformBrokenLinkCheckerbroken-link-checkerallowsBlindSQLInjection.Thisissue 7.6 Details39466affectsBrokenLinkChecker:fromn/athrough<=2.4.7. CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinameliabooking More2026- 7.6AmeliaameliabookingallowsBlindSQLInjection.ThisissueaffectsAmelia:fromn/athrough<=2.1.1. Details39487 CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinBrainstorm More2026- 7.6ForceOttoKitsuretriggersallowsBlindSQLInjection.ThisissueaffectsOttoKit:fromn/athrough<=1.1.20. 
Details39479 CVE-ImproperNeutralizationofSpecialElementsusedinanSQLCommand('SQLInjection')vulnerabilityinYayCommerce More2026- 7.6YayMailyaymailallowsBlindSQLInjection.ThisissueaffectsYayMail:fromn/athrough<=4.3.3. Details39496 CVE-StoredXSSinlogviewerinCoolerControl/coolercontrol-ui<4.0.0allowsunauthenticatedattackerstotakeoverthe More2026- 7.6serviceviamaliciousJavaScriptinpoisonedlogentries Details5301 AnImproperCheckforUnusualorExceptionalConditionsvulnerabilityintheflowdaemon(flowd)ofJuniperNetworks JunosOSonSRXSeriesallowsanattackersendingaspecific,malformedICMPv6packettocausethesrxpfeprocess tocrashandrestart.Continuedreceiptandprocessingofthesepacketswillrepeatedlycrashthesrxpfeprocessand CVE-sustaintheDenialofService(DoS)condition.DuringNAT64translation,receiptofaspecific,malformedICMPv6 More2026-packetdestinedtothedevicewillcausethesrxpfeprocesstocrashandrestart.Thisissuecannotbetriggeredusing 7.5 Details33790IPv4norotherIPv6traffic.ThisissueaffectsJunosOSonSRXSeries:allversionsbefore21.2R3-S10,allversionsof 21.3,from21.4before21.4R3-S12,allversionsof22.1,from22.2before22.2R3-S8,allversionsof22.4,from 22.4before22.4R3-S9,from23.2before23.2R2-S6,from23.4before23.4R2-S7,from24.2before24.2R2-S3,* from24.4before24.4R2-S3,from25.2before25.2R1-S2,25.2R2. 
AnImproperValidationofSyntacticCorrectnessofInputvulnerabilityintheIPseclibraryusedbykmdandikedof JuniperNetworksJunosOSonSRXSeriesandMXSeriesallowsanunauthenticated,network-basedattackertocause acompleteDenial-of-Service(DoS).IfanaffecteddevicereceivesaspecificallymalformedfirstISAKMPpacketfromCVE-theinitiator,thekmd/ikedprocesswillcrashandrestart,whichmomentarilypreventsnewsecurityassociations(SAs) More2026- 7.5forfrombeingestablished.Repeatedexploitationofthisvulnerabilitycausesacompleteinabilitytoestablishnew Details33778VPNconnections.ThisissueaffectsJunosOSonSRXSeriesandMXSeries:allversionsbefore22.4R3-S9,23.2 versionbefore23.2R2-S6,23.4versionbefore23.4R2-S7,24.2versionsbefore24.2R2-S4,24.4versionsbefore 24.4R2-S3,*25.2versionsbefore25.2R1-S2,25.2R2. jqisacommand-lineJSONprocessor.Beforecommit0c7d133c3c7e37c00b6d46b658a02244fdd3c784,jqused MurmurHash3withahardcoded,publiclyvisibleseed(0x432A9843)forallJSONobjecthashtableoperations,which allowedanattackertoprecomputekeycollisionsoffline.BysupplyingacraftedJSONobject(~100KB)whereallkeysCVE-hashedtothesamebucket,hashtablelookupsdegradedfromO(1)toO(n),turninganyjqexpressionintoanO(n²) More2026- 7.5operationandcausingsignificantCPUexhaustion.ThisaffectedcommonjqusecasessuchasCI/CDpipelines,web Details40164services,anddataprocessingscripts,andwasfarmorepracticaltoexploitthanexistingheapoverflowissuessinceit requiredonlyasmallpayload.Thisissuehasbeenpatchedincommit 0c7d133c3c7e37c00b6d46b658a02244fdd3c784. CVE- More2026-Out-of-boundsreadinWindowsHTTP.sysallowsanunauthorizedattackertodenyserviceoveranetwork. 7.5 Details33096

both7.1.2-19and6.9.13-44,MagickfreesthememoryoftheXMLtreeviatheDestroyXMLTree()function;however,CVE-thisprocessisexecutedrecursivelywithnodepthlimitimposed.WhenMagickprocessesanXMLfilewithdeeply More2026- 7.5nestedstructures,itwillexhaustthestackmemory,resultinginaDenialofService(DoS)attack.Thisissuehasbeen Details33908fixedinversions6.9.13-44and7.1.2-19.

AnImproperAccessControlvulnerabilitycouldallowamaliciousactorwithaccesstotheUniFiPlaynetworktoobtainCVE-UniFiPlayWiFicredentials.AffectedProducts:UniFiPlayPowerAmp(Version1.0.35andearlier)UniFiPlayAudioPort More 7.5(Version1.0.24andearlier)Mitigation:UpdateUniFiPlayPowerAmptoVersion1.0.38orlaterUpdateUniFiPlayAudio Details22566PorttoVersion1.1.9orlater

IntegerOverfloworWraparoundvulnerabilityinApacheActiveMQ,ApacheActiveMQAll,ApacheActiveMQMQTT.The fixfor"CVE-2025-66168:MQTTcontrolpacketremaininglengthfieldisnotproperlyvalidated"wasonlyappliedtoCVE-5.19.2(andfuture5.19.x)releasesbutwasmissedforall6.0.0+versions.ThisissueaffectsApacheActiveMQ:from More 7.56.0.0before6.2.4;ApacheActiveMQAll:from6.0.0before6.2.4;ApacheActiveMQMQTT:from6.0.0before6.2.4. Details40046Usersarerecommendedtoupgradetoversion6.2.4ora5.19.xversionstartingwith5.19.2orlater(currentlylatest is5.19.5),whichfixestheissue. CVE- More2026-inkutethemesKuteShopkuteshopallowsPHPLocalFileInclusion.ThisissueaffectsKuteShop:fromn/athrough<= 7.5 Details396114.2.9. CVE-Unfurlbefore2026.04containsanunboundedzlibdecompressionvulnerabilityinparsecompressed.pythatallows More2026-remoteattackerstocausedenialofservice.AttackerscansubmithighlycompressedpayloadsviaURLparametersto 7.5 Details40036the/json/visjsendpointthatexpandtogigabytes,exhaustingservermemoryandcrashingtheservice. AnImproperInputValidationvulnerabilitycouldallowamaliciousactorwithaccesstotheUniFiPlaynetworktocauseCVE-thedevicetostopresponding.AffectedProducts:UniFiPlayPowerAmp(Version1.0.35andearlier)UniFiPlayAudio More2026- 7.5Port(Version1.0.24andearlier)Mitigation:UpdateUniFiPlayPowerAmptoVersion1.0.38orlaterUpdateUniFiPlay Details22565AudioPorttoVersion1.1.9orlater CVE- More2026-both7.1.2-19and6.9.13-44,aheapbufferoverflowoccursintheMVGdecoderthatcouldresultinanoutofbounds 7.5 Details33901writewhenprocessingacraftedimage.Thisissuehasbeenfixedinversions6.9.13-44and7.1.2-19. 
UseofGETRequestMethodWithSensitiveQueryStringsvulnerabilityinApacheOpenMeetings.TheRESTloginCVE-endpointusesHTTPGETmethodwithusernameandpasswordpassedasqueryparameters.Pleasecheckreferences More2026- 7.5regardingpossibleimpactThisissueaffectsApacheOpenMeetings:from3.1.3before9.0.0.Usersarerecommended Details34020toupgradetoversion9.0.0,whichfixestheissue. nimiq/core-rs-albatrossisaRustimplementationoftheNimiqProof-of-StakeprotocolbasedontheAlbatross consensusalgorithm.Priortoversion1.3.0,anuntrustedpeercouldcrashavalidatorbypublishingasignedCVE-tendermintproposalmessagewheresigner==validators.numvalidators().ProposalSender::senduses>insteadof More2026- 7.5>=forthesignerboundscheck,sotheequalitycasepassesandreaches Details32605validators.getvalidatorbyslotband(signer),whichpanicswithanout-of-boundsindexbeforeanysignature verificationruns.Thisissuehasbeenfixedinversion1.3.0. UseofHard-codedCryptographicKeyvulnerabilityinApacheOpenMeetings.Theremember-mecookieencryption CVE-keyissettodefaultvalueinopenmeetings.propertiesandnotbeingauto-rotated.IncaseOMadminhasn'tchanged More2026-thedefaultencryptionkey,anattackerwhohasstolenacookiefromalogged-inusercangetfullusercredentials. 7.5 Details33266ThisissueaffectsApacheOpenMeetings:from6.1.0before9.0.0.Usersarerecommendedtoupgradetoversion 9.0.0,whichfixestheissue. CVE-Stack-basedbufferoverflowin.NETandVisualStudioallowsanunauthorizedattackertodenyserviceovera More2026- 7.5network. 
Details32203 AmemoryexhaustionvulnerabilityexistsintheHTTPserverduetounboundeduseoftheContent-Lengthheader.CVE-Theserverallocatesmemorydirectlybasedontheattackersuppliedheadervaluewithoutenforcinganupperlimit.A More2026- 7.5craftedHTTPrequestcontaininganextremelylargeContent-Lengthvaluecantriggerexcessivememoryallocation Details5440andservertermination,evenwithoutsendingarequestbody. TheTutorLMS-eLearningandonlinecoursesolutionpluginforWordPressisvulnerabletoanInsecureDirectObject Referenceinallversionsupto,andincluding,3.9.7.Thisisduetomissingauthenticationandauthorizationchecksin thepay_incomplete_order()function.Thefunctionacceptsanattacker-controlledorder_idparameterandusesitCVE-tolookuporderdata,thenwritesbillingfieldstotheorderowner'sprofile($order_data->user_id)withoutverifying More2026- 7.5therequester'sidentityorownership.BecausetheTutornonce(_tutor_nonce)isexposedonpublicfrontendpages, Details3360thismakesitpossibleforunauthenticatedattackerstooverwritethebillingprofile(name,email,phone,address)of anyuserwhohasanincompletemanualorder,bysendingacraftedPOSTrequestwithaguessedorenumerated order_id. CVE- More2026-inCreatives_PlanetEmphiresemphiresallowsPHPLocalFileInclusion.ThisissueaffectsEmphires:fromn/athrough 7.5 Details39677<=3.9. AmemoryexhaustionvulnerabilityexistsinZIParchiveprocessing.OrthancautomaticallyextractsZIParchives CVE-uploadedtocertainendpointsandtrustsmetadatafieldsdescribingtheuncompressedsizeofarchivedfiles.An More 2026-attackercancraftasmallZIParchivecontainingaforgedsizevalue,causingtheservertoallocateextremelylarge 7.5 Details 5439buffersduringextraction.

CVE- More2026- 7.5 inApusThemeFreeiofreeioallowsPHPLocalFileInclusion.ThisissueaffectsFreeio:fromn/athrough<=1.3.21. Details39679 CVE- More 7.5 inApusThemeHomeohomeoallowsPHPLocalFileInclusion.ThisissueaffectsHomeo:fromn/athrough<=1.2.59. Details39681

AgzipdecompressionbombvulnerabilityexistswhenOrthancprocessesHTTPrequestwithContent-Encoding:gzip.CVE-Theserverdoesnotenforcelimitsondecompressedsizeandallocatesmemorybasedonattacker-controlled More 7.5compressionmetadata.Aspeciallycraftedgzippayloadcantriggerexcessivememoryallocationandexhaustsystem Details memory. PraisonAIisamulti-agentteamssystem.Priorto4.5.115,theA2U(Agent-to-User)eventstreamserverinPraisonAICVE-exposesallagentactivitywithoutauthentication.Thecreatea2uroutes()functionregistersthefollowingendpoints More2026- 7.5withNOauthenticationchecks:/a2u/info,/a2u/subscribe,/a2u/events/{streamname},/a2u/events/sub/{id},and Details39889/a2u/health.Thisvulnerabilityisfixedin4.5.115. AnExposureofSensitiveInformationtoanUnauthorizedActorvulnerabilityexistsinApacheDolphinScheduler.This vulnerabilitymayallowunauthorizedactorstoaccesssensitiveinformation,includingdatabasecredentials.Thisissue affectsApacheDolphinSchedulerversions3.1..Usersarerecommendedtoupgradeto:version≥3.2.0ifusing CVE-3.1.xAsatemporaryworkaround,userswhocannotupgradeimmediatelymayrestricttheexposedmanagement More2025-endpointsbysettingthefollowingenvironmentvariable:``` 7.5 Details62188MANAGEMENTENDPOINTSWEBEXPOSUREINCLUDE=health,metrics,prometheusAlternatively,addthefollowing configurationtotheapplication.yamlfile:management:endpoints:web:exposure:include: health,metrics,prometheus``ThisissuehasbeenreportedasCVE-2023-48796: https://cveprocess.apache.org/cve5/CVE-2023-48796 FrontMCPisaTypeScript-firstframeworkfortheModelContextProtocol(MCP).Priorto2.3.0,themcp-from-openapi 
libraryuses@apidevtools/json-schema-ref-parsertodereference$refpointersinOpenAPIspecificationswithoutCVE-configuringanyURLrestrictionsorcustomresolvers.AmaliciousOpenAPIspecificationcontaining$refvalues More2026- 7.5pointingtointernalnetworkaddresses,cloudmetadataendpoints,orlocalfileswillcausethelibrarytofetchthose Details39885resourcesduringtheinitialize()call.ThisenablesServer-SideRequestForgery(SSRF)andlocalfilereadattackswhen processinguntrustedOpenAPIspecifications.Thisvulnerabilityisfixedin2.3.0. Anout-of-boundsreadvulnerabilityexistsinDicomStreamReaderduringDICOMmeta-headerparsing.WhenCVE-processingmalformedmetadatastructures,theparsermayreadbeyondtheboundsoftheallocatedmetadata More2026- 7.5buffer.Althoughthisissuedoesnottypicallycrashtheserverorexposedatadirectlytotheattacker,itreflects Details5437insufficientinputvalidationintheparsinglogic. WhenconfiguringSSLbundlesinSpringCloudGatewaybyusingtheconfigurationpropertyspring.ssl.bundle,the configurationwassilentlyignoredandthedefaultSSLconfigurationwasusedinstead.Note:The4.2.xbranchisnoCVE-longerunderopensourcesupport.IfyouareusingSpringCloudGateway4.2.0andarenotanenterprisecustomer, More2026- 7.5youcanupgradetoanySpringCloudGateway4.2.xreleasenewerthan4.2.0availableonMavenCenteral Details22750https://repo1.maven.org/maven2/org/springframework/cloud/spring-cloud-gateway/.Ideallyifyouarenotan enterprisecustomer,youshouldbeupgradingto5.0.2or5.1.1whicharethecurrentsupportedopensourcereleases. 
Aflawwasfoundingnutls.Aremote,unauthenticatedattackercanexploitthisvulnerabilitybysendingaspeciallyCVE-craftedClientHellomessagewithaninvalidPre-SharedKey(PSK)bindervalueduringtheTLShandshake.Thiscan More2026- 7.5leadtoaNULLpointerdereference,causingtheservertocrashandresultinginaremoteDenialofService(DoS) Details1584condition. TheJetEnginepluginforWordPressisvulnerabletoSQLInjectionviatheCustomContentType(CCT)RESTAPIsearch endpointinallversionsupto,andincluding,3.8.6.1.Thisisduetothecctsearchparameterbeinginterpolated CVE-directlyintoaSQLquerystringviasprintf()withoutsanitizationoruseof$wpdb->prepare().WordPressREST More2026-API'swpunslash()callon$GETstripsthewpmagic_quotes()`protection,allowingsingle-quote-basedinjection. 7.5 Details4352ThismakesitpossibleforunauthenticatedattackerstoappendadditionalSQLqueriesintoalreadyexistingqueries thatcanbeusedtoextractsensitiveinformationfromthedatabase.TheCustomContentTypesmodulemustbe enabledwithatleastoneCCTconfiguredwithapublicRESTGETendpointforexploitation. CVE-Loopwithunreachableexitcondition('infiniteloop')in.NET,.NETFramework,VisualStudioallowsanunauthorized More2026- 7.5attackertodenyserviceoveranetwork. Details33116 CVE-ImproperEncodingorEscapingofOutputvulnerabilityintheJsonAccessLogValvecomponentofApacheTomcat.This More2026-issueaffectsApacheTomcat:from11.0.0-M1through11.0.20,from10.1.0-M1through10.1.53,from9.0.40through 7.5 Details344839.0.116.Usersarerecommendedtoupgradetoversion11.0.21,10.1.54or9.0.117,whichfixtheissue. CVE-Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')in.NETFramework More2026- 7.5allowsanunauthorizedattackertodenyserviceoveranetwork. 
Details23666 CVE-ColdFusionversions2023.18,2025.6andearlierareaffectedbyanImproperInputValidationvulnerabilitythatcould More2026-resultinaSecurityfeaturebypass.Anattackercouldleveragethisvulnerabilitytobypasssecuritymeasuresandgain 7.5 Details27282unauthorizedaccess.Exploitationofthisissuerequiresuserinteraction. CVE- More2026-inUnThemeOrganicFoodorganicfoodallowsPHPLocalFileInclusion.ThisissueaffectsOrganicFood:fromn/athrough 7.5 Details39684<=3.6.4. CVE-WhenverifyingacertificatechaincontainingexcludedDNSconstraints,theseconstraintsarenotcorrectlyappliedto MorewildcardDNSSANswhichuseadifferentcasethantheconstraint.Thisonlyaffectsvalidationofotherwisetrusted 7.5 Details33810certificatechains,issuedbyarootCAintheVerifyOptions.RootsCertPool,orinthesystemcertificatepool.

CVE- More Uncontrolledresourceconsumptionin.NETallowsanunauthorizedattackertodenyserviceoveranetwork. 7.5 Details26171 CVE- GitLabhasremediatedanissueinGitLabCE/EEaffectingallversionsfrom13.0before18.8.9,18.9before18.9.5,and More 18.10before18.10.3thatcouldhaveallowedanunauthenticatedusertocausedenialofservicebysendingrepeated 7.5 Details12664 GraphQLqueries. CVE- GitLabhasremediatedanissueinGitLabCE/EEaffectingallversionsfrom12.10before18.8.9,18.9before18.9.5, More2026- and18.10before18.10.3thatcouldhaveallowedanunauthenticatedusertocausedenialofserviceduetoimproper 7.5 Details1092 inputvalidationofJSONpayloads. PraisonAIisamulti-agentteamssystem.Priorto4.5.128,the/media-streamWebSocketendpointinPraisonAI'scall CVE- moduleacceptsconnectionsfromanyclientwithoutauthenticationorTwiliosignaturevalidation.Eachconnection More2026- opensanauthenticatedsessiontoOpenAI'sRealtimeAPIusingtheserver'sAPIkey.Therearenolimitsonconcurrent 7.5 Details40116 connections,messagerate,ormessagesize,allowinganunauthenticatedattackertoexhaustserverresourcesand drainthevictim'sOpenAIAPIcredits.Thisvulnerabilityisfixedin4.5.128. CVE- More2026- 7.5 inkutethemesBiolifebiolifeallowsPHPLocalFileInclusion.ThisissueaffectsBiolife:fromn/athrough<=3.2.3. Details39623 InsertionofSensitiveInformationintoLogFilevulnerabilityinthecloudmembershipforclusteringcomponentofCVE- ApacheTomcatexposedtheKubernetesbearertoken.ThisissueaffectsApacheTomcat:from11.0.0-M1through More2026- 7.5 11.0.20,from10.1.0-M1through10.1.53,from9.0.13through9.0.116.Usersarerecommendedtoupgradeto Details34487 version11.0.21,10.1.54or9.0.117,whichfixtheissue. 
CVE- MissingEncryptionofSensitiveDatavulnerabilityinApacheTomcatduetothefixforCVE-2026-29146allowingthe More2026- bypassoftheEncryptInterceptor.ThisissueaffectsApacheTomcat:11.0.20,10.1.53,9.0.116.Usersare 7.5 Details34486 recommendedtoupgradetoversion11.0.21,10.1.54or9.0.117,whichfixtheissue. PaddingOraclevulnerabilityinApacheTomcat'sEncryptInterceptorwithdefaultconfiguration.ThisissueaffectsCVE- ApacheTomcat:from11.0.0-M1through11.0.18,from10.0.0-M1through10.1.52,from9.0.13through9..115,from More2026- 7.5 8.5.38through8.5.100,from7.0.100through7.0.109.Usersarerecommendedtoupgradetoversion11.0.19, Details29146 10.1.53and9.0.116,whichfixestheissue. Anout-of-boundswriteissueinthevirtioPCItransportinAmazonFirecracker1.13.0through1.14.3and1.15.0on x86_64andaarch64mightallowalocalguestuserwithrootprivilegestocrashtheFirecrackerVMMprocessorCVE- potentiallyexecutearbitrarycodeonthehostviamodificationofvirtioqueueconfigurationregistersafterdevice More2026- 7.5 activation.Achievingcodeexecutiononthehostrequiresadditionalpreconditions,suchastheuseofacustomguest Details5747 kernelorspecificsnapshotconfigurations.Toremediatethis,usersshouldupgradetoFirecracker1.14.4or1.15.1 andlater. CVE- ConfiguredcipherpreferenceordernotpreservedvulnerabilityinApacheTomcat.ThisissueaffectsApacheTomcat: More2026- from11.0.16through11.0.18,from10.1.51through10.1.52,from9.0.114through9.0.115.Usersarerecommended 7.5 Details29129 toupgradetoversion11.0.20,10.1.53or9.0.116,whichfixtheissue. 
InconsistentInterpretationofHTTPRequests('HTTPRequest/ResponseSmuggling')vulnerabilityinApacheTomcat CVE- viainvalidchunkextension.ThisissueaffectsApacheTomcat:from11.0.0-M1through11.0.18,from10.1.0-M1 More2026- through10.1.52,from9.0.0.M1through9.0.115,from8.5.0through8.5.100,from7.0.0through7.0.109.Other, 7.5 Details24880 unsupportedversionsmayalsobeaffected.Usersarerecommendedtoupgradetoversion11.0.20,10.1.52or 9.0.116,whichfixtheissue. WasmtimeisaruntimeforWebAssembly.From25.0.0tobefore36.0.7,42.0.2,and43.0.1,Wasmtime'sWinch compilerbackendcontainsabugwheretranslatingthetable.growoperatorcausestheresulttobeincorrectlytyped. For32-bittablesthismeansthattheresultoftheoperator,internallyinWinch,istaggedasa64-bitvalueinsteadof a32-bitvalue.ThisinvalidinternalrepresentationofWinch'scompilerstatecompoundsintofurtherissuesdepending onhowthevalueisconsumed.Theprimaryconsequenceofthisbugisthatbytesinthehost'saddressspacecanbe stored/readfrom.Thisisonlyapplicabletothe16bytesbeforelinearmemory,however,astheonlysignificantreturnCVE- valueoftable.growthatcanbemisinterpretedis-1.Thebytesbeforelinearmemoryare,bydefault,unmapped More2026- 7.5 memory.Wasmtimewilldetectthisfaultandaborttheprocess,however,becausewasmshouldnotbeabletoaccess Details35186 thesebytes.OverallthisthisbuginWinchrepresentsaDoSvectorbycrashingthehostprocess,acorrectnessissue withinWinch,andapossibleleakofupto16-bytesbeforelinearmemory.Wasmtime'sdefaultcompilerisCranelift, notWinch,andWasmtime'sdefaultsettingsaretoplaceguardpagesbeforelinearmemory.Thismeansthat Wasmtime'sdefaultconfigurationisnotaffectedbythisissue,andwhenexplicitlychoosingWinchWasmtime's 
otherwisedefaultconfigurationleadstoaDoS.Disablingguardpagesbeforelinearmemoryisrequiredtopossibly leakupto16-bytesofhostdata.Thisvulnerabilityisfixedin36.0.7,42.0.2,and43.0.1. CVE- IfonesideoftheTLSconnectionsendsmultiplekeyupdatemessagespost-handshakeinasinglerecord,the More2026- connectioncandeadlock,causinguncontrolledconsumptionofresources.Thiscanleadtoadenialofservice.This 7.5 Details32283 onlyaffectsTLS1.3. AimproperauthenticationvulnerabilityinFortinetFortiSOARPaaS7.6.0through7.6.3,FortiSOARPaaS7.5.0through CVE- 7.5.2,FortiSOARon-premise7.6.0through7.6.3,FortiSOARon-premise7.5.0through7.5.2mayallowan More unauthenticatedattackertobypassauthenticationviareplayingcaptured2FArequest.Theattackrequiresbeingable 7.5 Details23708 tointerceptanddecryptauthenticationtrafficandprecisetimingtoreplaytherequestbeforetokenexpiration,which

raisestheattackcomplexity. CVE-CleartextTransmissionofSensitiveInformationvulnerabilityinApacheAPISIX.Thiscanoccurduetossl_verifyin Moreopenid-connectpluginconfigurationbeingsettofalsebydefault.ThisissueaffectsApacheAPISIX:from0.7through 7.5 Details319233.15.0.Usersarerecommendedtoupgradetoversion3.16.0,whichfixestheissue. CVE-Validatingcertificatechainswhichusepoliciesisunexpectedlyinefficientwhencertificatesinthechaincontainavery More2026-largenumberofpolicymappings,possiblycausingdenialofservice.Thisonlyaffectsvalidationofotherwisetrusted 7.5 Details32281certificatechains,issuedbyarootCAintheVerifyOptions.RootsCertPool,orinthesystemcertificatepool. CVE-TheActivityPubWordPresspluginbefore8.0.2doesnotproperlyfilterpoststobedisplayed,allowedunauthenticated More2026- 7.5userstoaccessdrafts/scheduled/pendingposts Details4338 BSVRubySDKistheRubySDKfortheBSVblockchain.From0.1.0tobefore0.8.2,BSV::Network::ARC'sfailure CVE-detectiononlyrecognisesREJECTEDandDOUBLESPENDATTEMPTED.ARCresponseswithtxStatusvaluesof More2026-INVALID,MALFORMED,MINEDINSTALEBLOCK,oranyORPHAN-containingextraInfo/txStatusaresilentlytreatedas 7.5 Details40069successfulbroadcasts.Applicationsthatgateactionsonbroadcastersuccessaretrickedintotrustingtransactions thatwereneveracceptedbythenetwork.Thisvulnerabilityisfixedin0.8.2. CVE-Duringchainbuilding,theamountofworkthatisdoneisnotcorrectlylimitedwhenalargenumberofintermediate More2026-certificatesarepassedinVerifyOptions.Intermediates,whichcanleadtoadenialofservice.Thisaffectsbothdirect 7.5 Details32280usersofcrypto/x509andusersofcrypto/tls. CVE- More2026-inkutethemesBoutiquekute-boutiqueallowsPHPLocalFileInclusion.ThisissueaffectsBoutique:fromn/athrough 7.5 Details39613<=2.3.3. 
CVE-ImproperinputvalidationinWindowsServerUpdateServiceallowsanunauthorizedattackertoperformtampering More2026- 7.5overanetwork. Details26154 CVE-NullpointerdereferenceinWindowsLocalSecurityAuthoritySubsystemService(LSASS)allowsanunauthorized More2026- 7.5attackertodenyserviceoveranetwork. Details32071 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofmultipleparameters More2025-inthe/urlrule.aspendpoint.AnattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestwith 7.5 Details50661parametersname,en,ips,u,time,act,rpri,andlog. CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoinadequatevalidationofinputsizeinthe More2025- 7.5routesstaticparameterinthe/router.aspendpoint. Details50650 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthenameandmem More2025- 7.5parametersinthe/timegroup.aspendpoint. Details50653 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimpropervalidationoftheidparameterin More2025- 7.5the/thdmember.aspendpoint. Details50654 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthenameparameter More2025- 7.5inthe/thdgroup.aspendpoint. Details50655 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthepidparameterin More2025- 7.5the/trace.aspendpoint. Details50657 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthecustomerror More2025- 7.5parameterinthe/user.aspendpoint. Details50659 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthenameparameter More2025- 7.5inthe/urlmember.aspendpoint. 
Details50660 CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthenameparameter More2025- 7.5inthe/urlgroup.aspendpoint. Details50662 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthenameparameter More 7.5inthe/usbpaswd.aspendpoint. Details50663 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofparametersinthe More/user_group.aspendpoint.TheattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestwith 7.5

50664 parametersname,mem,pri,andattr. Details CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofinputparametersin More the/webkeyword.aspendpoint.AnattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestvia 7.5 Details50665 thename,en,time,memgb2312,andmemutf8parameters. CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofmultipleparameters More2025- inthe/webpost.aspendpoint.AnattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestin 7.5 Details50666 parameterssuchasname,en,userid,log,andtime. CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingoftheifaceparameterin More2025- 7.5 the/wanlinedetection.aspendpoint. Details50667 CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthesparameterinthe More2025- 7.5 /weblistopt.aspendpoint. Details50668 CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1andDI-8003G19.12.10A1duetoimproper More2025- 7.5 handlingofthewanpingparameterinthe/wanping.aspendpoint. Details50669 CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofparametersinthe More2025- /xwglbwr.aspendpoint.AnattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestinthename, 7.5 Details50670 qq,andtimeparameters. CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofparametersinthe More2025- /xwglref.aspendpoint.AnattackercanexploitthisvulnerabilitybysendingacraftedHTTPGETrequestwith 7.5 Details50671 excessivelylongstringsinparametersname,en,userid,shibiename,time,act,log,andrpri. 
CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofparametersinthe More2025- 7.5 /yyxzdlink.aspendpoint. Details50672 ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,anunrestrictedfileupload CVE- vulnerabilityintheexercisesounduploadfunctionallowsanauthenticatedteachertouploadaPHPwebshellby More2026- spoofingtheContent-Typeheadertoaudio/mpeg.Theuploadedfileretainsitsoriginal.phpextensionandisplacedin 7.5 Details32931 aweb-accessibledirectory,enablingRemoteCodeExecutionasthewebserveruser(www-data).Thisvulnerabilityis fixedin1.11.38and2.0.0-RC.3. CVE- ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,inmain/lp/aicchacp.php,user- More2026- controlledrequestparametersaredirectlyusedtosetthePHPsessionIDbeforeloadingglobalbootstrap.Thisleads 7.5 Details31940 tosessionfixation.Thisvulnerabilityisfixedin1.11.38and2.0.0-RC.3. CVE- AnissueinD-LinkDI-800316.07.26A1relatedtoimproperhandlingoftheidparameterinthe/saveparmusb.asp More2025- 7.5 endpoint. Details50652 CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperinputvalidationinthevlanname More2025- 7.5 parameterinthe/shutset.aspendpoint. Details50649 CVE- project-managementforneuroimagingresearch.Priorto27.0.3and28.0.1,aSQLinjectionhasbeenidentifiedin More2026- 7.5 somecodesectionsfortheMRIfeedbackpopupwindowoftheimagingbrowser.AttackerscanuseSQLingestionto Details33350 access/alterdataontheserver.Thisvulnerabilityisfixedin27.0.3and28.0.1. CVE- AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoinadequateinputvalidationinthe/tggl.asp More2025- 7.5 endpoint. 
Details50648 AcrossDR-810containsanunauthenticatedfiledisclosurevulnerabilitythatallowsremoteattackerstodownloadtheCVE- rom-0backupfilecontainingsensitiveinformationbysendingasimpleGETrequest.Attackerscanaccesstherom-0 More2019- 7.5 endpointwithoutauthenticationtoretrieveanddecompressthebackupfile,exposingrouterpasswordsandother Details25706 sensitiveconfigurationdata. WCAPF-WooCommerceAjaxProductFilterpluginisvulnerabletotime-basedSQLInjectionviathe'post-author' CVE- parameterinallversionsupto,andincluding,4.2.3duetoinsufficientescapingontheusersuppliedparameterand More 2026- lackofsufficientpreparationontheexistingSQLquery.Thismakesitpossibleforunauthenticatedattackersto 7.5 Details 3396 appendadditionalSQLqueriesintoalreadyexistingqueriesthatcanbeusedtoextractsensitiveinformationfromthe database. CVE- HashiCorp'sgo-getterlibraryuptov1.8.5mayallowarbitraryfilereadsonthefilesystemduringcertaingit More operationsthroughamaliciouslycraftedURL.Thisvulnerability,CVE-2026-4660,isfixedingo-getterv1.8.6.This 7.5 Details vulnerabilitydoesnotaffectthego-getter/v2branchandpackage. HonoisaWebapplicationframeworkthatprovidessupportforanyJavaScriptruntime.Priorto4.12.12,apathCVE-

traversalissueintoSSG()allowsfilestobewrittenoutsidetheconfiguredoutputdirectoryduringstaticsite More 7.5 generation.WhenusingdynamicrouteparametersviassgParams,speciallycraftedvaluescancausegeneratedfile Details39408 pathstoescapetheintendedoutputdirectory.Thisvulnerabilityisfixedin4.12.12. CVE- MoreinMikado-ThemesMikadoCoremikado-coreallowsPHPLocalFileInclusion.ThisissueaffectsMikadoCore:fromn/a 7.5 Details39538through<=1.6. OpenAirInterfaceVersion2.2.0hasaBufferOverflowvulnerabilityinprocessingUplinkNASTransportcontainingCVE-AuthenticationResponsecontainingaNASPDUwithoversizeresponse(Forexample100byte).Theresponseis More2026- 7.5decodedbyAMFandpassedtotheAUSFcomponentforverification.AUSFcrashesonreceivingthisoversize Details30075response.ThiscanprohibitusersfromfurtherregistrationandverificationandcancauseDenialofServices(DoS). CVE-OpenAirInterfacev2.2.0acceptsSecurityModeCompletewithoutanyintegrityprotection.Configurationhas More2026-supportedintegrityNIA1andNIA2.ButifanUEsendsinitialregistrationrequestwithonlysecuritycapabilityIA0, 7.5 Details30080OpenAirInterfaceacceptsandproceeds.Thisdowngradesecuritycontextcanleadtothepossibilityofreplayattack. Net::CIDR::Liteversionsbefore0.23forPerldoesnotvalidateIPv6groupcount,whichmayallowIPACLbypass. 
packipv6()doesnotcheckthatuncompressedIPv6addresses(without::)haveexactly8hexgroups.Inputslike "abcd","1:2:3",or"1:2:3:4:5:6:7"areacceptedandproducepackedvaluesofwronglength(3,7,or15bytesinstead CVE-of17).Thepackedvaluesareusedinternallyformaskandcomparisonoperations.find()andbinfind()usePerlstring More2026-comparison(lt/gt)onthesevalues,andcomparingstringsofdifferentlengthsgiveswrongresults.Thiscancause 7.5 Details40198find()toincorrectlyreportanaddressasinsideoroutsidearange.Example:my$cidr=Net::CIDR::Lite->new("::/8"); $cidr->find("1:2:3");#invalidinput,incorrectlyreturnstrueThisisthesameclassofinputvalidationissueasCVE- 2021-47154(IPv4leadingzeros)previouslyfixedinthismodule.SeealsoCVE-2026-40199,arelatedissueinthe samefunctionaffectingIPv4mappedIPv6addresses. CVE-D-LinkDI-8300v16.07.26A1wasdiscoveredtocontainabufferoverflowviatheipparameterintheippositionasp More2025- 7.5function.ThisvulnerabilityallowsattackerstocauseaDenialofService(DoS)viaacraftedinput. Details45057 CVE-D-LinkDI-8300v16.07.26A1wasdiscoveredtocontainabufferoverflowviathefxparameterinthejingxasp More2025- 7.5function.ThisvulnerabilityallowsattackerstocauseaDenialofService(DoS)viaacraftedinput. Details45058 CVE-D-LinkDI-8300v16.07.26A1wasdiscoveredtocontainabufferoverflowviathefnparameterinthetgfilehtm More2025- 7.5function.ThisvulnerabilityallowsattackerstocauseaDenialofService(DoS)viaacraftedinput. 
Details45059 D-LinkDI-8003v16.07.26A1,DI-8500v16.07.26A1;DI-8003Gv17.12.21A1,DI-8200Gv17.12.20A1,DI-8200 CVE-v16.07.26A1,DI-8400v16.07.26A1,DI-8004wv16.07.26A1,DI-8100v16.07.26A1,andDI-8100Gv17.12.20A1were More2025-discoveredtocontainabufferoverflowviatherden,rdauth,rdacct,httphadmin,httphadminpwd,rdkey,and 7.5 Details52222rdipparametersintheradiusaspfunction.ThisvulnerabilityallowsattackerstocauseaDenialofService(DoS)via acraftedrequest. ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,RESTAPIkeysaregeneratedusingCVE-md5(time()+(userid5)-rand(10000,10000)).Therand(10000,10000)callalwaysreturnsexactly10000(min== More2026- 7.5max),makingtheformulaeffectivelymd5(timestamp+user_id5-10000).Anattackerwhoknowsausernameand Details33710approximatekeycreationtimecanbrute-forcetheAPIkey.Thisvulnerabilityisfixedin1.11.38and2.0.0-RC.3. Saleorisane-commerceplatform.From2.0.0tobefore3.23.0a3,3.22.47,3.21.54,and3.20.118,Saleorsupports CVE-querybatchingbysubmittingmultipleGraphQLoperationsinasingleHTTPrequestasaJSONarraybutwasn't More2026-enforcinganyupperlimitonthenumberofoperations.Thisallowedanunauthenticatedattackertosendasingle 7.5 Details33756HTTPrequestmanyoperations(bypassingtheperquerycomplexitylimit)toexhaustresources.Thisvulnerabilityis fixedin3.23.0a3,3.22.47,3.21.54,and3.20.118. CVE-Improperneutralizationofspecialelementsin.NETallowsanunauthorizedattackertoperformspoofingovera More2026- 7.5network. Details32178 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimpropervalidationofuserinputinthe More2025- 7.5qj.aspendpoint. 
Details50644 CVE-AvulnerabilityhasbeendiscoveredinD-LinkDI-800316.07.26A1,whichcanleadtoabufferoverflowwhenthes More2025-parameterinthepppoelistopt.aspendpointismanipulated.Bysendingacraftedrequestwithanexcessivelylarge 7.5 Details50645valueforthesparameter,anattackercantriggerabufferoverflowcondition. CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoinsufficientinputvalidationonthename More2025- 7.5parameterinthe/qostypeasp.aspendpoint. Details50646 CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1,specificallyinthehandlingofthewansparameter More 7.5intheqos.aspendpoint. Details50647 CVE- ImproperControlofFilenameforInclude/RequireStatementinPHPProgram('PHPRemoteFileInclusion')vulnerability More

inthemeStekLabtechCOlabtechcoallowsPHPLocalFileInclusion.ThisissueaffectsLabtechCO:fromn/athrough<= 7.5 Details 395448.3. CVE-AbufferoverflowvulnerabilityexistsinD-LinkDI-800316.07.26A1duetoimproperhandlingofthehttplanport More 7.5parameterinthe/webgl.aspendpoint. Details50673 LiquidJSisaShopify/GitHubPagescompatibletemplateengineinpureJavaScript.Priorto10.25.3,liquidjs10.25.0CVE-documentsrootasconstrainingfilenamespassedtorenderFile()andparseFile(),buttop-levelfileloadsdonot More2026- 7.5enforcethatboundary.ALiquidinstanceconfiguredwithanemptytemporarydirectoryasrootcanreturnthe Details39859contentsofarbitraryfiles.Thisvulnerabilityisfixedin10.25.3. LiquidJSisaShopify/GitHubPagescompatibletemplateengineinpureJavaScript.Priorto10.25.3,for{%include %},{%render%},and{%layout%},LiquidJScheckswhetherthecandidatepathisinsidetheconfiguredpartialsor layoutsrootsbeforereadingit.Thatcheckispath-based,notrealpath-based.Becauseofthat,afilelike CVE-partials/link.liquidpassesthedirectorycontainmentcheckaslongasitspathnameisundertheallowedroot.If More2026-link.liquidisactuallyasymlinktoafileoutsidetheallowedroot,thefilesystemfollowsthesymlinkwhenthefileis 7.5 Details35525openedandLiquidJSrenderstheexternaltarget.Sotherestrictionisappliedtothepathstringthatwasrequested, nottothefilethatisactuallyread.Thismattersinenvironmentswhereanattackercanplacetemplatesorotherwise influencefilesunderatrustedtemplateroot,includinguploadedthemes,extractedarchives,mountedcontent,or repository-controlledtemplatetrees.Thisvulnerabilityisfixedin10.25.3. 
OpenClawbefore2026.3.22containsanenvironmentvariableoverridehandlingvulnerabilitythatallowsattackerstoCVE-bypassthesharedhostenvironmentpolicythroughinconsistentsanitizationpaths.Attackerscansupplyblockedor More2026- 7.5malformedoverridekeysthatslipthroughinconsistentvalidationtoexecutearbitrarycodewithunintended Details35650environmentvariables. CVE-Zammadisawebbasedopensourcehelpdesk/customersupportsystem.Priorto7.0.1and6.5.4,unauthenticated More2026-remoteattackerswereabletoaccessthegettingstartedendpointtogetaccesstosensitiveinternalentitydata,even 7.5 Details34723afterthesystemsetupwascompleted.Thisvulnerabilityisfixedin7.0.1and6.5.4. NitroPDFProforWindows14.41.1.4containsaNULLpointerdereferencevulnerabilityintheJavaScript implementationofapp.alert().Whenapp.alert()iscalledwithmorethanoneargumentandthefirstargumentCVE-evaluatestonull(forexample,app.alert(app.activeDocs,true)whenapp.activeDocsisnull),theengineroutesthe More2025- 7.5callthroughafallbackpathintendedfornon-stringarguments.Inthispath,jsValueToString()isinvokedonthenull Details69624valueandreturnsaninvalidstringpointer,whichisthenpassedtoJSGetStringChars()withoutvalidation. DereferencingthispointerleadstoanaccessviolationandapplicationcrashwhenopeningacraftedPDF. CVE-Saleorisane-commerceplatform.From2.0.0tobefore3.23.0a3,3.22.47,3.21.54,and3.20.118,amaliciousactor More2026-canincludemanyGraphQLmutationsorqueriesinasingleAPIcallusingaliasesorchainingmultiplemutations, 7.5 Details35401resultinginresourceexhaustion.Thisvulnerabilityisfixedin3.23.0a3,3.22.47,3.21.54,and3.20.118. 
AdenialofservicevulnerabilityexistsinReactServerComponents,affectingthefollowingpackages:react-server- CVE-dom-parcel,react-server-dom-turbopackandreact-server-dom-webpack(versions19.0.0through19.0.4,19.1.0 More2026-through19.1.5,and19.2.0through19.2.4).ThevulnerabilityistriggeredbysendingspeciallycraftedHTTPrequests 7.5 Details23869toServerFunctionendpoints.ThepayloadoftheHTTPrequestcausesexcessiveCPUusageforuptoaminuteending inathrownerrorthatiscatchable. CVE-AnissuewasdiscoveredinBMCControl-M/MFT9.0.20through9.0.22.AnAPImanagementendpointallows More2026-unauthenticateduserstoobtainbothanAPIidentifieranditscorrespondingsecretvalue.Withtheseexposedsecrets, 7.5 Details23782anattackercouldinvokeprivilegedAPIoperations,potentiallyleadingtounauthorizedaccess. CVE-NASM'sdisasm()functioncontainsastackbasedbufferoverflowwhenformattingdisassemblyoutput,allowingan More2026- 7.5attackertriggeredout-of-boundswritewhenslenexceedsthebuffercapacity. Details6069 KamailioisanopensourceimplementationofaSIPSignalingServer.Priorto6.1.1,6.0.6,and5.8.8,anout-of-boundsCVE-accessinthecoreofKamailio(formerlyOpenSERandSER)allowsremoteattackerstocauseadenialofservice More2026- 7.5(processcrash)viaaspeciallycrafteddatapacketsentoverTCP.TheissueimpactsKamailioinstanceshavingTCPor Details39863TLSlisteners.Thisvulnerabilityisfixedin5.1.1,6.0.6,and5.8.8. CVE-Aheapbufferoverflowintheavbprintfinalize()functionofFFmpegv8.0.1allowsattackerstocauseaDenialof More2026- 7.5Service(DoS)viaacraftedinput. 
Details30999 CVE-project-managementforneuroimagingresearch.From20.0.0tobefore27.0.3and28.0.1,abuginthestaticfile More 2026- 7.5routercanallowanattackertotraverseoutsideoftheintendeddirectory,allowingunintendedfilestobedownloaded Details 34392throughthestatic,css,andjsendpoints.Thisvulnerabilityisfixedin27.0.3and28.0.1. CVE-AheapbufferoverflowvulnerabilityexistsintheNetwideAssembler(NASM)duetoalackofboundscheckinginthe More2026-objdirective()function.Thisvulnerabilitycanbeexploitedbyauserassemblingamalicious.asmfile,potentially 7.5 Detailsleadingtoheapmemorycorruption,denialofservice(crash),andarbitrarycodeexecution. DenialofServiceviaOutofMemoryvulnerabilityinApacheActiveMQClient,ApacheActiveMQBroker,Apache ActiveMQ.ActiveMQNIOSSLtransportsdonotcorrectlyhandleTLSv1.3handshakeKeyUpdatestriggeredbyclients.

ThismakesitpossibleforaclienttorapidlytriggerupdateswhichcausesthebrokertoexhaustallitsmemoryintheCVE- More 7.5SSLengineleadingtoDoS.Note:TLSversionsbeforeTLSv1.3(suchasTLSv1.2)arebrokenbutarenotvulnerableto Details OOM.PreviousTLSversionsrequireafullhandshakerenegotiationwhichcausesaconnectiontohangbutnotOOM.39304 Thisisfixedaswell.ThisissueaffectsApacheActiveMQClient:before5.19.4,from6.0.0before6.2.4;Apache ActiveMQBroker:before5.19.4,from6.0.0before6.2.4;ApacheActiveMQ:before5.19.4,from6.0.0before6.2.4. Usersarerecommendedtoupgradetoversion6.2.4or5.19.5,whichfixestheissue. CVE- More2025-inCaseThemesCaseThemeUserallowsPHPLocalFileInclusion.ThisissueaffectsCaseThemeUser:fromn/abefore 7.5 Details58041.0.4. CVE-Animproperresourcedeallocationandclosurevulnerabilityinthetools/zmqsend.ccomponentofFFmpegv8.0.1 More2026- 7.5allowsattackerstocauseaDenialofService(DoS)viasupplyingacraftedinputfile. Details30998 CVE-Anout-of-boundsreadinthereadglobalparam()function(libavcodec/av1dec.c)ofFFmpegv8.0.1allowsattackers More2026- 7.5tocauseaDenialofService(DoS)viaacraftedinput. Details30997 CVE-ANULLpointerdereferenceinNitroPDFProforWindowsv14.41.1.4allowsattackerstocauseaDenialofService More2025- 7.5(DoS)viaacraftedXFApacket. 
Details66769 InEclipseJetty,theHTTP/1.1parserisvulnerabletorequestsmugglingwhenchunkextensionsareused,similarto the"funkychunks"techniquesoutlinedhere:https://w4ke.info/2025/06/18/funky-chunks.htmlCVE-https://w4ke.info/2025/10/29/funky-chunks-2.htmlJettyterminateschunkextensionparsingat\r\ninsidequoted More2026- 7.4stringsinsteadoftreatingthisasanerror.POST/HTTP/1.1Host:localhostTransfer-Encoding:chunked1;ext="valX0 Details2332GET/smuggledHTTP/1.1...Notehowthechunkextensiondoesnotclosethedoublequotes,anditisabletoinjecta smuggledrequest. CVE-UseafterfreeinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanunauthorizedattackertoexecute More2026- 7.4codelocally. Details32156 Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priorto2.3.0,theOIDCcallbackhandlerissuesaCVE-fullJWTtokenwithoutcheckingwhetherthematcheduserhasTOTPtwo-factorauthenticationenabled.Whenalocal More2026- 7.4userwithTOTPenrolledismatchedviatheOIDCemailfallbackmechanism,thesecondfactoriscompletelyskipped. Details34727Thisvulnerabilityisfixedin2.3.0. 
CVE-Out-of-boundswritevulnerabilityinSamsungOpenSourceEscargotallowsOverflowBuffers.Thisissueaffects More2026- 7.4 Details25207 AWeakPasswordRequirementsvulnerabilityinthepasswordmanagementfunctionofJuniperNetworksCTPOS mightallowanunauthenticated,network-basedattackertoexploitweakpasswordsoflocalaccountsandpotentially CVE-takefullcontrolofthedevice.Thepasswordmanagementmenuenablestheadministratortosetpassword More2026-complexityrequirements,butthesesettingsarenotsaved.Theissuecanbeverifiedwiththemenuoption"Show 7.4 Details33771passwordrequirements".Failuretoenforcetheintendedrequirementscanleadtoweakpasswordsbeingused,which significantlyincreasesthelikelihoodthatanattackercanguesstheseandsubsequentlyattainunauthorizedaccess. ThisissueaffectsCTPOSversions9.2R1and9.2R2. CVE-Heap-basedbufferoverflowvulnerabilityinSamsungOpenSourceEscargotallowsout-of-boundswrite.Thisissue More2026- 7.4affectsEscargot:commithash97e8115ab1110bc502b4b5e4a0c689a71520d335. Details25205 PraisonAIAgentsisamulti-agentteamssystem.Priorto1.5.128,theexecutecommandfunctioninshelltools.pycalls os.path.expandvars()oneverycommandargumentatline64,manuallyre-implementingshell-levelenvironmentCVE-variableexpansiondespiteusingshell=False(line88)forsecurity.Thisallowsexfiltrationofsecretsstoredin More2026- 7.4environmentvariables(databasecredentials,APIkeys,cloudaccesskeys).Theapprovalsystemdisplaysthe Details40153unexpanded$VARreferencestohumanreviewers,creatingadeceptiveapprovalwherethedisplayedcommand differsfromwhatactuallyexecutes.Thisvulnerabilityisfixedin1.5.128. 
InEclipseJetty,theclassJASPIAuthenticatorinitiatestheauthenticationchecks,whichsettwoThreadLocalvariable.CVE-Uponreturningfromtheinitialchecks,thereareconditionsthatcauseanearlyreturnfromtheJASPIAuthenticator More2026- 7.4codewithoutclearingthoseThreadLocals.AsubsequentrequestusingthesamethreadinheritstheThreadLocal Details5795values,leadingtoabrokenaccesscontrolandprivilegeescalation. AnImproperInputValidationvulnerabilityinJuniperNetworksJunosOSandJunosOSEvolvedallowsan unauthenticated,adjacentattacker,sendingaspecificgenuineBGPpacketinanalreadyestablishedBGPsessionto resetonlythatsessioncausingaDenialofService(DoS).AnattackerrepeatedlysendingthepacketwillsustaintheCVE- MoreDenialofService(DoS).ThisissueaffectsJunosOS:25.2versionsbefore25.2R2Thisissuedoesn'tnotaffected2026- 7.4 DetailsJunosOSversionsbefore25.2R1.ThisissueaffectsJunosOSEvolved:25.2-EVOversionsbefore25.2R2-EVOThis33797 issuedoesn'tnotaffectedJunosOSEvolvedversionsbefore25.2R1-EVO.eBGPandiBGPareaffected.IPv4andIPv6 areaffected. CVE-OpenClawbefore2026.3.25containsaserver-siderequestforgeryvulnerabilityinmultiplechannelextensionsthat MorefailtoproperlyguardconfiguredbaseURLsagainstSSRFattacks.Attackerscanexploitunprotectedfetch()calls 7.4

35629 againstconfiguredendpointstorebindrequeststoblockedinternaldestinationsandaccessrestrictedresources. Details libsixelisaSIXELencoder/decoderimplementationderivedfromkmiya'ssixel.Versions1.8.7andpriorcontainause- after-freevulnerabilityinsixelencoderencodebytes()becausesixelframeinit()storesthecaller-ownedpixelbuffer pointerdirectlyinframe->pixelswithoutmakingadefensivecopy.Whenaresizeoperationistriggered,CVE- sixelframeconvertto_rgb888()unconditionallyfreesthiscaller-ownedbufferandreplacesitwithanewinternal More2026- 7.3 allocation,leavingthecallerwithadanglingpointer.Anysubsequentaccesstotheoriginalbufferbythecaller Details33021 constitutesause-after-free,confirmedbyAddressSanitizer.Anattackerwhocontrolsincomingframescantriggerthis bugrepeatedlyandpredictably,resultinginareliablecrashwithpotentialforcodeexecution.Thisissuehasbeen

AvulnerabilitywasdetectedinFoundationAgentsMetaGPTupto0.8.1.ThisaffectsthefunctionchecksolutionoftheCVE-componentHumanEvalBenchmark/MBPPBenchmark.Performingamanipulationresultsincodeinjection.Theattack More2026- 7.3maybeinitiatedremotely.Theexploitisnowpublicandmaybeused.Theprojectwasinformedoftheproblemearly Details5970throughapullrequestbuthasnotreactedyet. Avulnerabilitywasidentifiedintushar-2223HotelManagementSystemupto bb1f3b3666124b888f1e4bcf51b6fba9fbb01d15.AffectedbythisvulnerabilityisanunknownfunctionalityofthefileCVE-/admin/roomdelete.php.ThemanipulationoftheargumentIDleadstosqlinjection.Remoteexploitationoftheattack More2026- 7.3ispossible.Theexploitispubliclyavailableandmightbeused.Thisproductfollowsarollingreleaseapproachfor Details6142continuousdelivery,soversiondetailsforaffectedorupdatedreleasesarenotprovided.Theprojectwasinformedof theproblemearlythroughanissuereportbuthasnotrespondedyet. CVE-AsecurityvulnerabilityhasbeendetectedinPHPGurukulOnlineCourseRegistration3.1.Thisissueaffectssome More2026-unknownprocessingofthefile/admin/checkavailability.php.Themanipulationoftheargumentregnoleadstosql 7.3 Details5814injection.Theattackcanbeinitiatedremotely.Theexploithasbeendisclosedpubliclyandmaybeused. CVE-AweaknesshasbeenidentifiedinPHPGurukulOnlineCourseRegistration3.1.Thisvulnerabilityaffectsunknowncode More2026-ofthefile/checkavailability.php.Executingamanipulationoftheargumentcidcanleadtosqlinjection.Itispossible 7.3 Details5813tolaunchtheattackremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. 
CVE-AvulnerabilitywasfoundinPHPGurukulNewsPortalProject4.1.Thisaffectsanunknownpartofthefile/news- More2026-details.php.ThemanipulationoftheargumentCommentresultsinsqlinjection.Theattackcanbelaunched 7.3 Details5837remotely.Theexploithasbeenmadepublicandcouldbeused. CVE-Avulnerabilitywasidentifiedincode-projectsVehicleShowroomManagementSystem1.0.Thisimpactsanunknown More2026-functionofthefile/util/RegisterCustomerFunction.php.SuchmanipulationoftheargumentBRANCHIDleadstosql 7.3 Details6038injection.Theattackmaybeperformedfromremote.Theexploitispubliclyavailableandmightbeused. CVE-Avulnerabilitywasfoundincode-projectsVehicleShowroomManagementSystem1.0.Thisvulnerabilityaffects More2026-unknowncodeofthefile/util/PaymentStatusFunction.php.ThemanipulationoftheargumentCUSTOMERIDresultsin 7.3 Details6151sqlinjection.Itispossibletolaunchtheattackremotely.Theexploithasbeenmadepublicandcouldbeused. AflawhasbeenfoundinFoundationAgentsMetaGPTupto0.8.1.Thisvulnerabilityaffectsthefunction CVE-ActionNode.xmlfillofthefilemetagpt/actions/actionnode.pyofthecomponentXMLHandler.Executinga More2026-manipulationcanleadtoimproperneutralizationofdirectivesindynamicallyevaluatedcode.Theattackmaybe 7.3 Details5971launchedremotely.Theexploithasbeenpublishedandmaybeused.Theprojectwasinformedoftheproblemearly throughapullrequestbuthasnotreactedyet. CVE-Asecurityvulnerabilityhasbeendetectedincode-projectsSimpleLaundrySystem1.0.Thisaffectsanunknownpart More2026-ofthefile/userchecklogin.php.Suchmanipulationoftheargumentuseridleadstosqlinjection.Itispossibleto 7.3 Details5824launchtheattackremotely.Theexploithasbeendisclosedpubliclyandmaybeused. 
Aflawhasbeenfoundincode-projectsVehicleShowroomManagementSystem1.0.AffectedbythisissueissomeCVE-unknownfunctionalityofthefile/util/BookVehicleFunction.php.ExecutingamanipulationoftheargumentBRANCHID More2026- 7.3canleadtosqlinjection.Theattackmaybeperformedfromremote.Theexploithasbeenpublishedandmaybe Details6149used. CVE-Avulnerabilityhasbeenfoundincode-projectsSimpleITDiscussionForum1.0.Thisaffectsanunknownfunctionof More2026-thefile/add-category-function.php.SuchmanipulationoftheargumentCategoryleadstosqlinjection.Theattackcan 7.3 Details6031beexecutedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. Avulnerabilitywasdetectedincode-projectsVehicleShowroomManagementSystem1.0.AffectedbythisCVE-vulnerabilityisanunknownfunctionalityofthefile/util/MonthTotalReportUpdateFunction.php.Performinga More2026- 7.3manipulationoftheargumentBRANCHIDresultsinsqlinjection.Theattackispossibletobecarriedoutremotely. Details6148Theexploitisnowpublicandmaybeused. Aweaknesshasbeenidentifiedinzhayujiechatgpt-on-wechatCowAgent2.0.4.Theaffectedelementisanunknown CVE-functionofthecomponentAdministrativeHTTPEndpoint.Thismanipulationcausesmissingauthentication.Itis More2026- 7.3possibletoinitiatetheattackremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedfor Details6126attacks.Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. CVE-AflawhasbeenfoundinTotolinkN300RH6.1c.1353B20190305.AffectedisthefunctionsetUpgradeUbootofthefile Moreupgrade.so.ThismanipulationoftheargumentFileNamecausesoscommandinjection.Theattackispossibletobe 7.3 Detailscarriedoutremotely.Theexploithasbeenpublishedandmaybeused. CVE- AvulnerabilitywasdeterminedinTendai61.0.0.7(2204).Affectedbythisissueisthefunction

R7WebsSecurityHandlerfunctionofthecomponentHTTPHandler.Thismanipulationcausespathtraversal.Itis 7.3 More possibletoinitiatetheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. Details Asecurityvulnerabilityhasbeendetectedinperfreego-fastdfs-webupto1.3.7.ThisaffectsanunknownpartoftheCVE-filesrc/main/java/com/perfree/controller/InstallController.javaofthecomponentdoInstallInterface.Themanipulation More 7.3leadstoimproperauthorization.Theattackmaybeinitiatedremotely.Theexploithasbeendisclosedpubliclyand Details6105maybeused.Thevendorwascontactedearlyaboutthisdisclosurebutdidnotrespondinanyway. CVE-Avulnerabilityhasbeenfoundincode-projectsSimpleITDiscussionForum1.0.Impactedisanunknownfunctionof More2026-thefile/question-function.php.Themanipulationoftheargumentcontentleadstosqlinjection.Theattackmaybe 7.3 Details5827initiatedremotely.Theexploithasbeendisclosedtothepublicandmaybeused. CVE-Avulnerabilitywasdeterminedincode-projectsVehicleShowroomManagementSystem1.0.Thisissueaffectssome More2026-unknownprocessingofthefile/util/StaffAddingFunction.php.ThismanipulationoftheargumentSTAFFIDcausessql 7.3 Details6152injection.Theattackcanbeinitiatedremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. AvulnerabilitywasidentifiedinFoundationAgentsMetaGPTupto0.8.1.ThisaffectsthefunctiongeneratethoughtsCVE-ofthefilemetagpt/strategy/tot.pyofthecomponentTree-of-ThoughtSolver.Themanipulationleadstocode More2026- 7.3injection.Itispossibletoinitiatetheattackremotely.Theexploitispubliclyavailableandmightbeused.Theproject Details6110wasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. 
CVE-Avulnerabilitywasfoundincode-projectsSimpleITDiscussionForum1.0.Theaffectedelementisanunknown More2026-functionofthefile/functions/addcomment.php.Themanipulationoftheargumentpostidresultsinsqlinjection.The 7.3 Details5828attackmaybelaunchedremotely.Theexploithasbeenmadepublicandcouldbeused. CVE- More2026- 7.3 Details34856 CVE-Avulnerabilitywasdeterminedincode-projectsSimpleITDiscussionForum1.0.Theimpactedelementisanunknown More2026-functionofthefile/pages/content.php.Thismanipulationoftheargumentpostidcausessqlinjection.Remote 7.3 Details5829exploitationoftheattackispossible.Theexploithasbeenpubliclydisclosedandmaybeutilized. CVE-Asecurityvulnerabilityhasbeendetectedincode-projectsSimpleITDiscussionForum1.0.Thisvulnerabilityaffects More2026-unknowncodeofthefile/topic-details.php.Themanipulationoftheargumentpostidleadstosqlinjection.The 7.3 Details5961attackmaybeinitiatedremotely.Theexploithasbeendisclosedpubliclyandmaybeused. CVE-AvulnerabilitywasdetectedinTendaCH221.0.0.6(468).Thisissueaffectsthefunction More2026-R7WebsSecurityHandlerfunctionofthecomponenthttpd.Themanipulationresultsinpathtraversal.Theattackmay 7.3 Details5962belaunchedremotely.Theexploitisnowpublicandmaybeused. CVE-Avulnerabilitywasdeterminedincode-projectsSimpleChatBoxupto1.0.Thisaffectsanunknownpartofthefile More2026-/chatbox/insert.phpofthecomponentEndpoint.Executingamanipulationoftheargumentmsgcanleadtosql 7.3 Details6161injection.Itispossibletolaunchtheattackremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. 
Aweaknesshasbeenidentifiedinatototoapi-lab-mcpupto0.2.1.Thisaffectsthefunction CVE-analyzeapispec/generatetestscenarios/testhttpendpointofthefilesrc/mcp/http-server.tsofthecomponent More2026-HTTPInterface.Thismanipulationoftheargumentsource/urlcausesserver-siderequestforgery.Theattackis 7.3 Details5832possibletobecarriedoutremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. Theprojectwasinformedoftheproblemearlythroughanissuereportbuthasnotrespondedyet. CVE-Avulnerabilitywasidentifiedincode-projectsVehicleShowroomManagementSystem1.0.Impactedisanunknown More2026-functionofthefile/util/StaffDetailsFunction.php.SuchmanipulationoftheargumentSTAFFIDleadstosqlinjection. 7.3 Details6153Theattackcanbelaunchedremotely.Theexploitispubliclyavailableandmightbeused. Avulnerabilitywasidentifiedinidachevmcp-javadcupto1.2.4.ImpactedisanunknownfunctionofthecomponentCVE-HTTPInterface.SuchmanipulationoftheargumentjarFilePathleadstooscommandinjection.Itispossibletolaunch More2026- 7.3theattackremotely.Theexploitispubliclyavailableandmightbeused.Theprojectwasinformedoftheproblem Details5802earlythroughanissuereportbuthasnotrespondedyet. CVE-Avulnerabilitywasdetectedincode-projectsSimpleITDiscussionForum1.0.Impactedisanunknownfunctionofthe More2026-file/delete-category.php.Performingamanipulationoftheargumentcatidresultsinsqlinjection.Itispossibleto 7.3 Details6004initiatetheattackremotely.Theexploitisnowpublicandmaybeused. 
CVE-AsecurityflawhasbeendiscoveredinPHPGurukulDailyExpenseTrackingSystem1.1.Affectedisanunknown More2026-functionofthefile/register.php.Themanipulationoftheargumentemailresultsinsqlinjection.Theattackmaybe 7.3 Details6193launchedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. CVE-Avulnerabilitywasidentifiedincode-projectsLostandFoundThingManagement1.0.Affectedbythisissueissome More2026-unknownfunctionalityofthefile/catageory.php.Suchmanipulationoftheargumentcatleadstosqlinjection.Itis 7.3 Details6163possibletolaunchtheattackremotely.Theexploitispubliclyavailableandmightbeused. CVE-Avulnerabilitywasdetectedincode-projectsFacultyManagementSystem1.0.Impactedisanunknownfunctionof Morethefile/subject-print.php.ThemanipulationoftheargumentIDresultsinsqlinjection.Theattackmaybelaunched 7.3 Detailsremotely.Theexploitisnowpublicandmaybeused. Asecurityvulnerabilityhasbeendetectedincode-projectsVehicleShowroomManagementSystem1.0.Thisissue

affectssomeunknownprocessingofthefile/util/UpdateVehicleFunction.php.Themanipulationoftheargument MoreCVE- 7.3VEHICLEIDleadstosqlinjection.Theattackmaybeinitiatedremotely.Theexploithasbeendisclosedpubliclyand Details maybeused. CVE- More2026-ImproperinputvalidationinWindowsHyper-Vallowsanauthorizedattackertoexecutecodelocally. 7.3 Details32149 Aweaknesshasbeenidentifiedincode-projectsVehicleShowroomManagementSystem1.0.ThisvulnerabilityCVE-affectsunknowncodeofthefile/util/Logincheck.php.ExecutingamanipulationoftheargumentIDcanleadtosql More2026- 7.3injection.Theattackcanbelaunchedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeused Details6165forattacks. Aflawhasbeenfoundinchatboxaichatboxupto1.20.0.ThisimpactsthefunctionStdioClientTransportofthefile src/main/mcp/ipc-stdio-transport.tsofthecomponentModelContextProtocolServerManagementSystem.ExecutingCVE- Moreamanipulationoftheargumentargs/envcanleadtooscommandinjection.Theattackcanbelaunchedremotely.2026- 7.3 DetailsTheexploithasbeenpublishedandmaybeused.Theprojectwasinformedoftheproblemearlythroughanissue6130 reportbuthasnotrespondedyet. 
AvulnerabilityhasbeenidentifiedinSINECNMS(Allversions<V4.0SP3withUMC).TheaffectedapplicationcontainsCVE-anauthenticationweaknessduetoinsufficientvalidationofuseridentityintheUMCcomponent.Thiscouldallowan More2026- 7.3unauthenticatedremoteattackertobypassauthenticationandgainunauthorizedaccesstotheapplication.(ZDI-CAN- Details2403227564) CVE-Avulnerabilitywasidentifiedincode-projectsSimpleContentManagementSystem1.0.Affectedbythisvulnerability More2026-isanunknownfunctionalityofthefile/web/admin/login.php.SuchmanipulationoftheargumentUserleadstosql 7.3 Details6182injection.Theattackmaybelaunchedremotely.Theexploitispubliclyavailableandmightbeused. CVE-OpenClawbefore2026.3.22performsciteexpansionbeforecompletingchannelandDMauthorizationchecks, More2026-allowingciteworkandcontenthandlingpriortofinalauthdecisions.Attackerscanexploitthistimingvulnerabilityto 7.3 Details35637accessormanipulatecontentbeforeproperauthorizationvalidationoccurs. Avulnerabilitywasdetectedinzhayujiechatgpt-on-wechatCowAgentupto2.0.4.ThisaffectsanunknownfunctionofCVE-thecomponentAgentModeService.Performingamanipulationresultsinmissingauthentication.Theattackcanbe More2026- 7.3initiatedremotely.Theexploitisnowpublicandmaybeused.Theprojectwasinformedoftheproblemearlythrough Details6129anissuereportbuthasnotrespondedyet. Asecurityflawhasbeendiscoveredincode-projectsSimpleContentManagementSystem1.0.AffectedbythisissueCVE-issomeunknownfunctionalityofthefile/web/index.php.PerformingamanipulationoftheargumentIDresultsinsql More2026- 7.3injection.Remoteexploitationoftheattackispossible.Theexploithasbeenreleasedtothepublicandmaybeused Details6183forattacks. 
CVE-Asecurityflawhasbeendiscoveredincode-projectsSimpleITDiscussionForum1.0.Theaffectedelementisan More2026-unknownfunctionofthefile/crud.php.ThemanipulationoftheargumentuserIdresultsinsqlinjection.Theattack 7.3 Details5985maybeperformedfromremote.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. CVE-Avulnerabilitywasfoundincode-projectsVehicleShowroomManagementSystem1.0.Theimpactedelementisan More2026-unknownfunctionofthefile/util/VehicleDetailsFunction.php.ThemanipulationoftheargumentVEHICLEIDresultsin 7.3 Details6036sqlinjection.Theattackcanbeexecutedremotely.Theexploithasbeenmadepublicandcouldbeused. Asecurityflawhasbeendiscoveredinnocobaseplugin-workflow-javascriptupto2.0.23.Thisissueaffectsthe CVE-functioncreateSafeConsoleofthefilepackages/plugins/@nocobase/plugin-workflow-javascript/src/server/Vm.js. More2026-Performingamanipulationresultsinsandboxissue.Theattackcanbeinitiatedremotely.Theexploithasbeen 7.3 Details6224releasedtothepublicandmaybeusedforattacks.Thevendorwascontactedearlyaboutthisdisclosurebutdidnot respondinanyway. AUNIXSymbolicLink(Symlink)FollowingvulnerabilityintheCLIofJuniperNetworksJunosOSallowsalocal, authenticatedattackerwithlowprivilegestoescalatetheirprivilegestorootwhichwillleadtoacompleteCVE-compromiseofthesystem.Whenafterauserhasperformedaspecific'filelink...'CLIoperation,anotheruser More2026- 7.3commits(unrelatedconfigurationchanges),thefirstusercanloginasroot.ThisissueaffectsJunosOS:allversions Details21916before23.2R2-S7,23.4versionsbefore23.4R2-S6,24.2versionsbefore24.2R2-S3,24.4versionsbefore24.4R2- S2,*25.2versionsbefore25.2R2.Thisissuedoesnotaffectversions25.4R1orlater. 
CVE-Avulnerabilitywasdeterminedincode-projectsVehicleShowroomManagementSystem1.0.Thisaffectsanunknown More2026-functionofthefile/util/AddVehicleFunction.php.ThismanipulationoftheargumentBRANCHIDcausessqlinjection. 7.3 Details6037Theattackispossibletobecarriedoutremotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. CVE-AvulnerabilitywasdetectedinSourceCodesterPharmacySalesandInventorySystem1.0.Thisissueaffectssome More2026-unknownprocessingofthefile/ajax.php?action=chkprodavailability.ThemanipulationoftheargumentIDresultsin 7.3 Details6187sqlinjection.Theattackmaybeperformedfromremote.Theexploitisnowpublicandmaybeused. CVE-Asecurityflawhasbeendiscoveredincode-projectsLostandFoundThingManagement1.0.Thisaffectsanunknown Morepartofthefile/addcat.php.Performingamanipulationoftheargumentcataresultsinsqlinjection.Theattackcanbe 7.3 Detailsinitiatedremotely.Theexploithasbeenreleasedtothepublicandmaybeusedforattacks. Aweaknesshasbeenidentifiedincode-projectsEasyBlogSiteupto1.0.TheimpactedelementisanunknownCVE-functionofthefile/users/contactus.php.ExecutingamanipulationoftheargumentNamecanleadtosqlinjection. More

Theattackcanbelaunchedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedfor Details 7.3 attacks. Asecurityvulnerabilityhasbeendetectedindecolua9routerupto0.3.47.TheimpactedelementisanunknownCVE-functionofthefile/apiofthecomponentAdministrativeAPIEndpoint.Themanipulationleadstoauthorization More 7.3bypass.Theattackispossibletobecarriedoutremotely.Theexploithasbeendisclosedpubliclyandmaybeused. Details5842Upgradingtoversion0.3.75issufficienttoresolvethisissue.Itissuggestedtoupgradetheaffectedcomponent. AvulnerabilityhasbeenfoundinFoundationAgentsMetaGPTupto0.8.1.Thisissueaffectsthefunction CVE-Terminal.runcommandinthelibrarymetagpt/tools/libs/terminal.py.Themanipulationleadstooscommandinjection. More2026-Remoteexploitationoftheattackispossible.Theexploithasbeendisclosedtothepublicandmaybeused.The 7.3 Details5972identifierofthepatchisd04ffc8dc67903e8b327f78ec121df5e190ffc7b.Applyingapatchistherecommendedaction tofixthisissue. AvulnerabilitywasfoundinFoundationAgentsMetaGPTupto0.8.1.ImpactedisthefunctiongetmimetypeoftheCVE-filemetagpt/utils/common.py.Themanipulationresultsinoscommandinjection.Theattackcanbeexecuted More2026- 7.3remotely.Theexploithasbeenmadepublicandcouldbeused.Theprojectwasinformedoftheproblemearly Details5973throughapullrequestbuthasnotreactedyet. CVE-AvulnerabilityhasbeenfoundinSourceCodesterPharmacySalesandInventorySystem1.0.Theaffectedelementis More2026-anunknownfunctionofthefile/ajax.php?action=login.SuchmanipulationoftheargumentUsernameleadstosql 7.3 Details6189injection.Itispossibletolaunchtheattackremotely.Theexploithasbeendisclosedtothepublicandmaybeused. 
CVE- More2026-SourcecodesterOnlineThesisArchivingSystemv1.0isvulneraletoSQLinjectioninthefile/otas/viewarchive.php. 7.3 Details36948 ALEAPP(AndroidLogsEventsAndProtobufParser)through3.4.0containsapathtraversalvulnerabilityinthe CVE-NQVault.pyartifactparserthatusesattacker-controlledfilenamefromvaluesfromadatabasedirectlyasthe More2026-outputfilename,allowingarbitraryfilewritesoutsidethereportoutputdirectory.Anattackercanembedapath 7.3 Details40027traversalpayloadsuchas../../../outsidewritten.bininthedatabasetowritefilestoarbitrarylocations,potentially achievingcodeexecutionbyoverwritingexecutablefilesorconfiguration. AvulnerabilitywasdeterminedinFoundationAgentsMetaGPTupto0.8.1.TheaffectedelementisthefunctionCVE-Bash.runinthelibrarymetagpt/tools/libs/terminal.py.Thismanipulationcausesoscommandinjection.Theattackis More2026- 7.3possibletobecarriedoutremotely.Theprojectwasinformedoftheproblemearlythroughapullrequestbuthasnot Details5974reactedyet. CVE-AvulnerabilitywasdeterminedinTendai121.0.0.11(3862).Theimpactedelementisanunknownfunctionofthe More2026-componentHTTPHandler.Executingamanipulationcanleadtopathtraversal.Theattackmaybelaunched 7.3 Details5849remotely.Theexploithasbeenpubliclydisclosedandmaybeutilized. 
immichisahighperformanceself-hostedphotoandvideomanagementsolution.Priorto2.7.0,sStoredCross-Site Scripting(XSS)inthe360°panoramaviewerallowsanyauthenticatedusertoexecutearbitraryJavaScriptintheCVE-browserofanyotheruserwhoviewsthemaliciouspanoramawiththeOCRoverlayenabled.Theattackeruploadsan More2026- 7.3equirectangularimagecontainingcraftedtext;OCRextractsit,andthepanoramaviewerrendersitviainnerHTML Details35455withoutsanitization.Thisenablessessionhijacking(viapersistentAPIkeycreation),privatephotoexfiltration,and accesstoGPSlocationhistoryandfacebiometricdata.Thisvulnerabilityisfixedin2.7.0. CVE-AflawhasbeenfoundinSourceCodesterPharmacySalesandInventorySystem1.0.Impactedisanunknownfunction More2026-ofthefile/ajax.php?action=delete_sales.ThismanipulationoftheargumentIDcausessqlinjection.Itispossibleto 7.3 Details6188initiatetheattackremotely.Theexploithasbeenpublishedandmaybeused. CVE-AweaknesshasbeenidentifiedinTendai31.0.0.6(2204).Theaffectedelementisthefunction More2026-R7WebsSecurityHandlerofthecomponentHTTPHandler.Executingamanipulationcanleadtopathtraversal.The 7.3 Details5841attackcanbeexecutedremotely.Theexploithasbeenmadeavailabletothepublicandcouldbeusedforattacks. CVE-AnobservableresponsediscrepancyvulnerabilityintheSonicWallSMA1000seriesappliancesallowsaremote More2026- 7.2attackertoenumerateSSLVPNusercredentials. Details4113 CVE-ImproperhandlingofUnicodeencodinginSonicWallSMA1000seriesappliancesallowsaremoteauthenticated More2026- 7.2SSLVPNusertobypassWorkplace/ConnectTunnelTOTPauthentication. 
Details4116 Animproperneutralizationofspecialelementsusedinansqlcommand('sqlinjection')vulnerabilityinFortinet FortiAnalyzer7.6.0through7.6.4,FortiAnalyzer7.4.0through7.4.8,FortiAnalyzer7.2allversions,FortiAnalyzer7.0 allversions,FortiAnalyzerCloud7.6.0through7.6.4,FortiAnalyzerCloud7.4.0through7.4.8,FortiAnalyzerCloud7.2CVE- Moreallversions,FortiAnalyzerCloud7.0allversions,FortiManager7.6.0through7.6.4,FortiManager7.4.0through7.4.8,2025- 7.2 DetailsFortiManager7.2allversions,FortiManager7.0allversions,FortiManagerCloud7.6.0through7.6.4,FortiManager61848Cloud7.4.0through7.4.8,FortiManagerCloud7.2allversions,FortiManagerCloud7.0allversionsmayallowa privilegedauthenticatedattackertoexecuteunauthorizedcodeorcommandsviaJSONRPCAPI BoidCMSisanopen-source,PHP-basedflat-fileCMSforbuildingsimplewebsitesandblogs,usingJSONasits database.Versionspriorto2.1.3arevulnerabletoacriticalLocalFileInclusion(LFI)attackviathetplparameter, whichcanleadtoRemoteCodeExecution(RCE).Theapplicationfailstosanitizethetpl(template)parameterduring

CVE- pagecreationandupdates.Thisparameterispasseddirectlytoarequireonce()statementwithoutpathvalidation. More 7.2 Anauthenticatedadministratorcanexploitthisbyinjectingpathtraversalsequences(../)intothetplvaluetoescape Details 39387 theintendedthemedirectoryandincludearbitraryfiles--specifically,filesfromtheserver'smedia/directory.When combinedwiththefileuploadfunctionality,thisbecomesafullRCEchain:anattackercanfirstuploadafilewith embeddedPHPcode(e.g.,disguisedasimagedata),thenusethepathtraversalvulnerabilitytoincludethatfilevia requireonce(),executingtheembeddedcodewithwebserverprivileges.Thisissuehasbeenfixedinversion2.1.3. TheOptimole-OptimizeImages|ConvertWebP&AVIF|CDN&LazyLoad|ImageOptimizationpluginforWordPress isvulnerabletoStoredCross-SiteScriptinginallversionsupto,andincluding,4.2.2.Thisisduetoinsufficientinput sanitizationandoutputescapingontheuser-supplied's'parameter(srcsetdescriptor)intheunauthenticated/wp- json/optimole/v1/optimizationsRESTendpoint.TheendpointvalidatesrequestsusinganHMACsignatureandCVE- timestamp,butthesevaluesareexposeddirectlyinthefrontendHTMLmakingthemaccessibletoanyvisitor.The More2026- 7.2 pluginusessanitizetextfield()onthedescriptorvalueofrest.php,whichstripsHTMLtagsbutdoesnotescape Details5217 doublequotes.Thepoisoneddescriptoristhenstoredviatransients(backedbytheWordPressoptionstable)and laterretrievedandinjectedverbatimintothesrcsetattributeoftagreplacer.phpwithoutproperescaping.This makesitpossibleforunauthenticatedattackerstoinjectarbitrarywebscriptsintopagesthatwillexecutewhenevera useraccessestheinjectedpage. 
Pachno1.0.6containsastoredcross-sitescriptingvulnerabilitythatallowsattackerstoexecutearbitraryHTMLand CVE- scriptcodebyinjectingmaliciouspayloadsintoPOSTparameters.Attackerscaninjectscriptsthroughthevalue, More2026- commentbody,articlecontent,description,andmessageparametersacrossmultiplecontrollers,whicharestoredin 7.2 Details40038 thedatabaseandexecutedinusers'browsersessionsduetoimpropersanitizationviaRequest::getRawParameter() orRequest::getParameter()calls. CouchCMScontainsaprivilegeescalationvulnerabilitythatallowsauthenticatedAdmin-leveluserstocreateCVE- SuperAdminaccountsbytamperingwiththefklevelslistparameterinusercreationrequests.Attackerscanmodify More2026- 7.2 theparametervaluefrom4to10intheHTTPrequestbodytobypassauthorizationvalidationandgainfull Details29002 applicationcontrol,circumventingrestrictionsonSuperAdminaccountcreationandprivilegeassignment. ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversion2.0-RC.2,thefile public/main/inc/ajax/install.ajax.phpisaccessiblewithoutauthenticationonfullyinstalledinstancesbecause,unlike otherAJAXendpoints,itdoesnotincludetheglobal.inc.phpfilethatperformsauthenticationandinstallation- CVE- completedchecks.ItstestmaileractionacceptsanarbitrarySymfonyMailerDSNstringfromPOSTdataandusesit More2026- toconnecttoanattacker-specifiedSMTPserver,enablingServer-SideRequestForgery(SSRF)intointernalnetworks 7.2 Details33715 viatheSMTPprotocol.AnunauthenticatedattackercanalsoabusethistoweaponizetheChamiloserverasanopen emailrelayforphishingandspamcampaigns,withemailsappearingtooriginatefromtheserver'sIPaddress. Additionally,errorresponsesfromfailedSMTPconnectionsmaydiscloseinformationaboutinternalnetworktopology andrunningservices.Thisissuehasbeenfixedinversion2.0.0-RC.3. 
TheFormMakerby10WebpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheMatrixfield(Text CVE- Boxinputtype)informsubmissionsinallversionsupto,andincluding,1.15.40.Thisisduetoinsufficientinput More2026- sanitization(`sanitizetextfieldstripstagsbutnotquotes)andmissingoutputescapingwhenrenderingsubmission 7.2 Details4388 dataintheadminSubmissionsview.ThismakesitpossibleforunauthenticatedattackerstoinjectarbitraryJavaScript throughaformsubmissionthatexecutesinthebrowserofanadministratorwhoviewsthesubmissiondetails. TheBackWPuppluginforWordPressisvulnerabletoLocalFileInclusionviatheblocknameparameterofthe/wp- json/backwpup/v1/getblockRESTendpointinallversionsupto,andincluding,5.6.6duetoanon-recursive CVE-str_replace()sanitizationofpathtraversalsequences.Thismakesitpossibleforauthenticatedattackers,with More2026- Administrator-levelaccessandabove,toincludearbitraryPHPfilesontheserverviacraftedtraversalsequences 7.2 Details6227 (e.g.,....//),whichcanbeleveragedtoreadsensitivefilessuchaswp-config.php`orachieveremotecode

executionincertainconfigurations.Administratorshavetheabilitytograntindividualuserspermissiontohandle backups,whichmaythenallowlower-leveluserstoexploitthisvulnerability. TheSmartPostShow-PostGrid,PostCarousel&Slider,andListCategoryPostspluginforWordPressisvulnerableto PHPObjectInjectioninallversionsupto,andincluding,3.0.12viadeserializationofuntrustedinputinthe CVE-importshortcodes()function.Thismakesitpossibleforauthenticatedattackers,withAdministrator-levelaccessand More2026-above,toinjectaPHPObject.NoknownPOPchainispresentinthevulnerablesoftware,whichmeansthis 7.2 Details3017vulnerabilityhasnoimpactunlessanotherpluginorthemecontainingaPOPchainisinstalledonthesite.IfaPOP chainispresentviaanadditionalpluginorthemeinstalledonthetargetsystem,itmayallowtheattackertoperform actionslikedeletearbitraryfiles,retrievesensitivedata,orexecutecodedependingonthePOPchainpresent. PraisonAIisamulti-agentteamssystem.Priorto4.5.128,the/api/v1/runsendpointacceptsanarbitrarywebhookurl intherequestbodywithnoURLvalidation.Whenasubmittedjobcompletes(successorfailure),theservermakesanCVE- MoreHTTPPOSTrequesttothisURLusinghttpx.AsyncClient.Anunauthenticatedattackercanusethistomaketheserver2026- 7.2 DetailssendPOSTrequeststoarbitraryinternalorexternaldestinations,enablingSSRFagainstcloudmetadataservices,40114 internalAPIs,andothernetwork-adjacentservices.Thisvulnerabilityisfixedin4.5.128. 
ArcaneisaninterfaceformanagingDockercontainers,images,networks,andvolumes.Priorto1.17.3,the CVE-/api/templates/fetchendpointacceptsacaller-suppliedurlparameterandperformsaserver-sideHTTPGETrequestto More2026-thatURLwithoutauthenticationandwithoutURLschemeorhostvalidation.Theserver'sresponseisreturneddirectly 7.2 Details40242tothecaller.type.ThisconstitutesanunauthenticatedSSRFvulnerabilityaffectinganypubliclyreachableArcane instance.Thisvulnerabilityisfixedin1.17.3. CVE-Aout-of-boundswritevulnerabilityinFortinetFortiWeb8.0.0through8.0.3,FortiWeb7.6.0through7.6.6,FortiWeb More 7.27.4.0through7.4.11mayallowattackertoexecuteunauthorizedcodeorcommandsvia Details40688

InvenTreeisanOpenSourceInventoryManagementSystem.Priorto1.2.7and1.3.0,anon-staffauthenticateduserCVE-canelevatetheiraccounttoastafflevelviaaPOSTrequestagainsttheiruseraccountendpoint.Thewrite More 7.2permissionsontheAPIendpointareimproperlyconfigured,allowinganyusertochangetheirstaffstatus.This Details35476vulnerabilityisfixedin1.2.7and1.3.0. AvulnerabilitywasfoundinD-LinkDIR-8821.01B02.Impactedisthefunctionsprintfofthefileprog.cgioftheCVE-componentHNAP1SetNetworkSettingsHandler.ThemanipulationoftheargumentIPAddressresultsinoscommand More2026- 7.2injection.Theattackmaybeperformedfromremote.Theexploithasbeenmadepublicandcouldbeused.This Details5844 CVE-AnauthenticatedremoteattackerwithhighprivilegescanexploittheOpenVPNconfigurationviatheweb-based More2024-managementinterfaceofaWAGOPLC.Ifuser-definedscriptsarepermitted,OpenVPNmayallowtheexecutionof 7.2 Details1490arbitraryshellcommandsenablingtheattackertorunarbitrarycommandsonthedevice. TheGeradordeCertificados-DevAppspluginforWordPressisvulnerabletoarbitraryfileuploadsduetomissingfileCVE-typevalidationinthemoveUploadedFile()functioninallversionsupto,andincluding,1.3.6.Thismakesitpossible More2026- 7.2forauthenticatedattackers,withAdministrator-levelaccessandabove,touploadarbitraryfilesontheaffectedsite's Details4808serverwhichmaymakeremotecodeexecutionpossible. CVE-IBMVerifyIdentityAccessContainer11.0through11.0.2andIBMSecurityVerifyAccessContainer10.0through More2026-10.0.9.1andIBMVerifyIdentityAccess11.0through11.0.2andIBMSecurityVerifyAccess10.0through10.0.9.1 7.2 Details1343allowsanattackertocontactinternalauthenticationendpointswhichareprotectedbytheReverseProxy. 
CVE-2026-32188 (score 7.1): Out-of-bounds read in Microsoft Office Excel allows an unauthorized attacker to disclose information locally.

CVE-2026-32894 (score 7.1): Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook result view page allows any authenticated teacher to delete any student's grade result across the entire platform by manipulating the deletemark or resultdelete GET parameters. No ownership or course-scope verification is performed. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVE-2026-32930 (score 7.1): Chamilo LMS is a learning management system. Prior to 1.11.38 and 2.0.0-RC.3, an Insecure Direct Object Reference (IDOR) vulnerability in the gradebook evaluation edit page allows any authenticated teacher to view and modify the settings (name, max score, weight) of evaluations belonging to any other course by manipulating the editeval GET parameter. This vulnerability is fixed in 1.11.38 and 2.0.0-RC.3.

CVE-2026-40162 (score 7.1): Bugsink is a self-hosted error tracking tool. In 2.1.0, an authenticated file write vulnerability was identified in Bugsink 2.1.0 in the artifact bundle assembly flow. A user with a valid authentication token could cause the application to write attacker-controlled content to a filesystem location writable by the Bugsink process. This vulnerability is fixed in 2.1.1.
ChamiloLMSisalearningmanagementsystem.Priorto1.11.38and2.0.0-RC.3,ChamiloLMScontainsanInsecure DirectObjectReference(IDOR)vulnerabilityintheLearningPathprogresssavingendpoint.Thefile CVE-lpajaxsaveitem.phpacceptsauid(userID)parameterdirectlyfrom$REQUESTandusesittoloadandmodify More2026-anotheruser'sLearningPathprogress--includingscore,status,completion,andtime--withoutverifyingthatthe 7.1 Details33702requestingusermatchesthetargetuserID.Anyauthenticateduserenrolledinacoursecanoverwriteanotheruser's LearningPathprogressbysimplychangingtheuidparameterintherequest.Thisvulnerabilityisfixedin1.11.38and 2.0.0-RC.3. ChamiloLMSisalearningmanagementsystem.Priorto1.11.38,anyauthenticateduserwithaRESTAPIkeycanCVE-modifytheirownstatusfieldviatheupdateuserfromusernameendpoint.Astudent(status=5)canchangetheir More2026- 7.1statustoTeacher/CourseManager(status=1),gainingcoursecreationandmanagementprivileges.Thisvulnerability Details33706isfixedin1.11.38. libsixelisaSIXELencoder/decoderimplementationderivedfromkmiya'ssixel.Versions1.8.7andpriorcontainan integeroverflowleadingtoanout-of-boundsheapreadinthe--cropoptionhandlingofimg2sixel,wherepositive coordinatesuptoINTMAXareacceptedwithoutoverflow-safeboundschecking.Insixelencoderdoclip(),theCVE-expressionclipw+clipxoverflowstoalargenegativevaluewhenclipxisINTMAX,causingtheboundsguardto More2026- 7.1beskippedentirely,andtheunclampedcoordinateispassedthroughsixelframeclip()toclip(),whichcomputesa Details33019sourcepointerfarbeyondtheimagebufferandpassesittomemmove().Anattackersupplyingaspeciallycrafted cropargumentwithanyvalidimagecantriggeranout-of-boundsreadintheheap,resultinginareliablecrashand potentialinformationdisclosure.Thisissuehasbeenfixedinversion1.8.7-r1. 
libsixelisaSIXELencoder/decoderimplementationderivedfromkmiya'ssixel.Versions1.8.7andpriorcontainan integeroverflowwhichleadstoaheapbufferoverflowviasixelframeconverttorgb888()inframe.c,where allocationsizeandpointeroffsetcomputationsforpalettisedimages(PAL1,PAL2,PAL4)areperformedusingint arithmeticbeforecastingtosizet.ForimageswhosepixelcountexceedsINTMAX/4,theoverflowproducesanCVE- Moreundersizedheapallocationfortheconversionbufferandanegativepointeroffsetforthenormalizationsub-buffer,2026- 7.1 Detailsafterwhichsixelhelpernormalize_pixelformat()writesthefullimagedatastartingfromtheinvalidpointer,causing33020 massiveheapcorruptionconfirmedbyASAN.AnattackerprovidingaspeciallycraftedlargepalettisedPNGcan corrupttheheapofthevictimprocess,resultinginareliablecrashandpotentialarbitrarycodeexecution.Thisissue hasbeenfixedinversion1.8.7-r1. Tmds.DBusprovides.NETlibrariesforworkingwithD-Busfrom.NET.Tmds.DBusandTmds.DBus.Protocolare vulnerabletomaliciousD-Buspeers.Apeeronthesamebuscanspoofsignalsbyimpersonatingtheownerofawell-CVE-

knownname,exhaustsystemresourcesorcausefiledescriptorspilloverbysendingmessageswithanexcessive More 7.1 numberofUnixfiledescriptors,andcrashtheapplicationbysendingmalformedmessagebodiesthatcause Details39959 unhandledexceptionsontheSynchronizationContext.ThisvulnerabilityisfixedinTmds.DBus0.92.0and Tmds.DBus.Protocol0.92.0and0.21.3. MyT-PM1.5.1containsanSQLinjectionvulnerabilitythatallowsauthenticatedattackerstoexecutearbitrarySQLCVE-queriesbyinjectingmaliciouscodethroughtheCharge[grouptotal]parameter.AttackerscansubmitcraftedPOST More2019- 7.1requeststothe/charge/adminendpointwitherror-based,time-basedblind,orstackedquerypayloadstoextract Details25713sensitivedatabaseinformationormanipulatedata. ChamiloLMSisalearningmanagementsystem.Priorto1.11.38,anyauthenticateduser(includingstudents)can CVE-writearbitrarycontenttofilesontheserverviatheBigUploadendpoint.Thekeyparametercontrolsthefilenameand More2026-therawPOSTbodybecomesthefilecontent.While.phpextensionsarefilteredto.phps,the.phtextensionpasses 7.1 Details33704throughunmodified.OnApacheconfigurationswhere.phtishandledasPHP,thisleadstoRemoteCodeExecution. Thisvulnerabilityisfixedin1.11.38. LaravelPassportprovidesOAuth2serversupporttoLaravel.From13.0.0tobefore13.7.1,thereisanAuthentication CVE-Bypassforclientcredentialstokens.theleague/oauth2-serverlibrarysetstheJWTsubclaimtotheclientidentifier More2026-(sincethere'snouser).ThetokenguardthenpassesthisvaluetoretrieveById()withoutvalidatingit'sactuallyauser 7.1 Details39976identifier,potentiallyresolvinganunrelatedrealuser.Anymachine-to-machinetokencaninadvertentlyauthenticate asanactualuser.Thisvulnerabilityisfixedin13.7.1. 
TheZTEZXEDMiEMSproducthasapasswordresetvulnerabilityforanyuser.BecausethemanagementofthecloudCVE-EMSportaldoesnotproperlycontrolaccesstotheuserlistacquisitionfunction,attackerscanreadalluserlist More2026- 7.1informationthroughtheuserlistinterface.Attackerscanresetthepasswordsofobtaineduserinformation,causing Details40436riskssuchasunauthorizedoperations. ImpressCMS1.3.11containsatime-basedblindSQLinjectionvulnerabilitythatallowsauthenticatedattackerstoCVE-manipulatedatabasequeriesbyinjectingSQLcodethroughthe'bid'parameter.AttackerscansendPOSTrequeststo More2019- 7.1theadmin.phpendpointwithmalicious'bid'valuescontainingSQLcommandstoextractsensitivedatabase Details25703information. NewsbullHaberScript1.0.0containsmultipleSQLinjectionvulnerabilitiesinthesearchparameterthatallow CVE-authenticatedattackerstoextractdatabaseinformationthroughtime-based,blind,andboolean-basedinjection More2019-techniques.AttackerscaninjectmaliciousSQLcodethroughthesearchparameterinendpointslike 7.1 Details25699/admin/comment/records,/admin/category/records,/admin/news/records,and/admin/menu/childstomanipulate databasequeriesandretrievesensitivedata. ResourceSpace8.6containsanSQLinjectionvulnerabilitythatallowsauthenticatedattackerstoexecutearbitraryCVE-SQLqueriesbyinjectingmaliciouscodethroughthekeywordsparameterincollectionedit.php.Attackerscansubmit More2019- 7.1POSTrequestswithcraftedSQLpayloadsinthekeywordsfieldtoextractsensitivedatabaseinformationincluding Details25693schemanames,usercredentials,andotherconfidentialdata. CVE-TREKisacollaborativetravelplanner.Priorto2.7.2,TREKwasmissingauthorizationchecksontheImmichtripphoto More2026- 7.1managementroutes.Thisvulnerabilityisfixedin2.7.2. 
Details40185 CVE-AdiantiFramework5.5.0and5.6.0containsanSQLinjectionvulnerabilitythatallowsauthenticatedusersto More2018-manipulatedatabasequeriesbyinjectingSQLcodethroughthenamefieldinSystemProfileForm.Attackerscan 7.1 Details25257submitcraftedSQLstatementsintheprofileeditendpointtomodifyusercredentialsandgainadministrativeaccess. CVE-AflawwasfoundinRedHatQuay'shandlingofresumablecontainerimagelayeruploads.Theuploadprocessstores More2026-intermediatedatainthedatabaseusingaformatthat,iftamperedwith,couldallowanattackertoexecutearbitrary 7.1 Details32590codeontheQuayserver. ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversionspriorto2.0.0-RC.3,the /api/courserelusersendpointisvulnerabletoInsecureDirectObjectReference(IDOR),allowinganauthenticated attackertomodifytheuserparameterintherequestbodytoenrollanyarbitraryuserintoanycoursewithoutproperCVE-authorizationchecks.Thebackendtruststheuser-suppliedinputfortheuserfieldandperformsnoserver-side More2026- 7.1verificationthattherequesterownsthereferenceduserIDorhaspermissiontoactonbehalfofotherusers.This Details34602enablesunauthorizedmanipulationofuser-courserelationships,potentiallygrantingunintendedaccesstocourse materials,bypassingenrollmentcontrols,andcompromisingplatformintegrity.Thisissuehasbeenfixedinversion 2.0.0-RC.3. AflawwasfoundinRedHatQuay'scontainerimageuploadprocess.AnauthenticateduserwithpushaccesstoanyCVE-repositoryontheregistrycaninterferewithimageuploadsinprogressbyotherusers,includingthoseinrepositories More2026- 7.1theydonothaveaccessto.Thiscouldallowtheattackertoread,modify,orcancelanotheruser'sin-progressimage Details32589upload. ThewpForoForumpluginforWordPressisvulnerabletoArbitraryFileDeletioninversionsuptoandincluding3.0.2. 
Thisisduetoatwo-steplogicflaw:thetopicadd()andtopicedit()actionhandlersacceptarbitraryuser-supplied data[*]arraysfrom$REQUESTandstorethemaspostmetawithoutrestrictingwhichfieldsmaycontainarrayvalues. Because'body'isincludedintheallowedtopicfieldslist,anattackercansupplydata[body][fileurl]withanarbitrary CVE-filepath(e.g.,wp-config.phporanabsoluteserverpath).Thispoisonedfileurlispersistedtotheplugin'scustom Morepostmetadatabasetable.Subsequently,whentheattackersubmitswpftcfdelete[]=bodyonatopiceditrequest,the 7.1 Detailsaddfile()methodretrievesthestoredpostmetarecord,extractstheattacker-controlledfileurl,passesitthrough wpforofixuploaddir()whichonlyrewriteslegitimatewpforouploadpathsandreturnsallotherpathsunchanged,

andthencallswpdeletefile()ontheunvalidatedpath.Thismakesitpossibleforauthenticatedattackers,with subscriber-levelaccessandabove,todeletearbitraryfileswritablebythePHPprocessontheserver,including criticalfilessuchaswp-config. eBrigadeERP4.5containsanSQLinjectionvulnerabilitythatallowsauthenticatedattackerstoexecutearbitrarySQLCVE-queriesbyinjectingmaliciouscodethroughthe'id'parameter.AttackerscansendGETrequeststopdf.phpwith More2019- 7.1craftedSQLpayloadsinthe'id'parametertoextractsensitivedatabaseinformationincludingtablenamesand Details25707schemadetails. CVE-Thecompilerismeanttounwrappointerswhicharetheoperandsofamemorymove;ano-opinterfaceconversion More2026-preventedthecompilerfrommakingthecorrectdeterminationaboutnon-overlappingmoves,potentiallyleadingto 7.1 Details27144memorycorruptionatruntime. Anout-of-boundsreadvulnerabilityexistsintheDecodePsmctRle1functionofDicomImageDecoder.cpp.The CVE-PMSCT_RLE1decompressionroutine,whichdecodestheproprietaryPhilipsCompressionformat,doesnotproperly More2026-validateescapemarkersplacedneartheendofthecompresseddatastream.Acraftedsequenceattheendofthe 7.1 Details5441buffercancausethedecodertoreadbeyondtheallocatedmemoryregionandleakheapdataintotherendered imageoutput. OpenClawthrough2026.2.22containsasymlinktraversalvulnerabilityinagents.createandagents.updatehandlersCVE-thatusefs.appendFileonIDENTITY.mdwithoutsymlinkcontainmentchecks.Attackerswithworkspaceaccesscan More2026- 7.1plantsymlinkstoappendattacker-controlledcontenttoarbitraryfiles,enablingremotecodeexecutionviacrontab Details35632injectionorunauthorizedaccessviaSSHkeymanipulation. CVE-KrayinCRMv2.2.xwasdiscoveredtocontainaSQLinjectionvulnerabilityviatherotten_leadparameterat More2026- 7.1/Lead/LeadDataGrid.php. 
Details38528 CVE-Cross-SiteRequestForgery(CSRF)vulnerabilityinDotstoreExtraFeesPluginforWooCommercewoo-conditional- More2026-product-fees-for-checkoutallowsCrossSiteRequestForgery.ThisissueaffectsExtraFeesPluginforWooCommerce: 7.1 Details39671fromn/athrough<=4.3.3. DuetoamissingauthorizationcheckinSAPERPandSAPS/4HANA(PrivateCloudandOn-Premise),anauthenticated CVE-attackercouldexecuteaparticularABAPreporttooverwriteanyexistingeight?characterexecutableABAPreport More2026-withoutauthorization.Iftheoverwrittenreportissubsequentlyexecuted,theintendedfunctionalitycouldbecome 7.1 Details34256unavailable.Successfulexploitationimpactsavailability,withalimitedimpactonintegrityconfinedtotheaffected report,whileconfidentialityremainsunaffected. AmaliciouslycraftedHTMLpayloadinanassemblyvariantname,whendisplayedduringthedeleteconfirmationCVE-dialogandclickedbyauser,cantriggeraStoredCross-siteScripting(XSS)vulnerabilityintheAutodeskFusion More2026- 7.1desktopapplication.Amaliciousactormayleveragethisvulnerabilitytoreadlocalfilesorexecutearbitrarycodein Details4369thecontextofthecurrentprocess. AheapbufferoverflowvulnerabilityexistsinthePAMimageparsinglogic.WhenOrthancprocessesacraftedPAMCVE-imageembeddedinaDICOMfile,imagedimensionsaremultipliedusing32-bitunsignedarithmetic.Speciallychosen More2026- 7.1valuescancauseanintegeroverflowduringbuffersizecalculation,resultingintheallocationofasmallbuffer Details5444followedbyamuchlargerwriteoperationduringpixelprocessing. 
CVE-AmaliciouslycraftedHTMLpayload,storedinadesignnameandexportedtoCSV,cantriggeraStoredCross-site More2026-Scripting(XSS)vulnerabilityintheAutodeskFusiondesktopapplication.Amaliciousactormayleveragethis 7.1 Details4345vulnerabilitytoreadlocalfilesorexecutearbitrarycodeinthecontextofthecurrentprocess. AmaliciouslycraftedHTMLpayloadinacomponentname,whendisplayedduringthedeleteconfirmationdialogandCVE-clickedbyauser,cantriggeraStoredCross-siteScripting(XSS)vulnerabilityintheAutodeskFusiondesktop More2026- 7.1application.Amaliciousactormayleveragethisvulnerabilitytoreadlocalfilesorexecutearbitrarycodeinthe Details4344contextofthecurrentprocess. AvulnerabilityhasbeenidentifiedinIndustrialEdgeManagementProV1(Allversions>=V1.7.6<V1.15.17), IndustrialEdgeManagementProV2(Allversions>=V2.0.0<V2.1.1),IndustrialEdgeManagementVirtual(All versions>=V2.2.0<V2.8.0).Affectedmanagementsystemsdonotproperlyenforceuserauthenticationonremote CVE-connectionstodevices.Thiscouldfacilitateanunauthenticatedremoteattackertocircumventauthenticationand More2026- 7.1impersonatealegitimateuser.Successfulexploitationrequiresthattheattackerhasidentifiedtheheaderandport Details33892usedforremoteconnectionstodevicesandthattheremoteconnectionfeatureisenabledforthedevice.Exploitation allowstheattackertotunneltothedevice.Securityfeaturesonthisdeviceitself(e.g.appspecificauthentication)are notaffected. CVE-InsufficientuiwarningofdangerousoperationsinWindowsRemoteDesktopallowsanunauthorizedattackerto More2026- 7.1performspoofingoveranetwork. 
Details26151 TheGravitySMTPpluginforWordPressisvulnerabletoMissingAuthorizationinversionsupto,andincluding,2.1.4.CVE-Thisisduetothepluginnotproperlyverifyingthatauserisauthorizedtoperformanaction.Thismakesitpossible More 7.1forauthenticatedattackers,withsubscriber-levelaccessandabove,touninstallanddeactivatethepluginanddelete Details pluginoptions.NOTE:ThisvulnerabilityisalsoexploitableviaaCross-SiteRequestForgeryvector. CVE-Server-SideRequestForgeryviaSW-URLHeadervulnerabilityinApacheSkyWalkingMCP.ThisissueaffectsApache More 7.1

34476 SkyWalkingMCP:0.1.0.Usersarerecommendedtoupgradetoversion0.2.0,whichfixesthisissue. Details CVE- ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinZootemplate More 7.1 CeratoallowsReflectedXSS.ThisissueaffectsCerato:fromn/athrough2.2.18. Details58920 TheSleuthKitthrough4.14.0containsapathtraversalvulnerabilityintskrecoverthatallowsanattackertowrite CVE- filestoarbitrarylocationsoutsidetheintendedrecoverydirectoryviacraftedfilenamesordirectorypathswithpath More2026- traversalsequencesinafilesystemimage.Anattackercancraftamaliciousfilesystemimagewithembedded/../ 7.1 Details40024 sequencesinfilenamesthat,whenprocessedbytskrecover,writesfilesoutsidetheoutputdirectory,potentially achievingcodeexecutionbyoverwritingshellconfigurationorcronentries. CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsWin32K- More2026- 7.0 GRFXallowsanauthorizedattackertoelevateprivilegeslocally. Details33104 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsSSDP More2026- 7.0 Serviceallowsanauthorizedattackertoelevateprivilegeslocally. Details32083 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsSSDP More2026- 7.0 Serviceallowsanauthorizedattackertoelevateprivilegeslocally. Details32082 CVE- More2026- UseafterfreeinWindowsWalletServiceallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details32080 CVE- More2026- Stack-basedbufferoverflowinWindowsKernelallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details32195 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. 
Details33100 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. Details32073 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inFunctionDiscovery More2026- 7.0 Service(fdwsd.dll)allowsanauthorizedattackertoelevateprivilegeslocally. Details32086 CVE- Heap-basedbufferoverflowinFunctionDiscoveryService(fdwsd.dll)allowsanauthorizedattackertoelevate More2026- 7.0 Details32087 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inFunctionDiscovery More2026- 7.0 Service(fdwsd.dll)allowsanauthorizedattackertoelevateprivilegeslocally. Details32093 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. Details33099 CVE- More2026- UseafterfreeinWindowsServerUpdateServiceallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details32224 libsixelisaSIXELencoder/decoderimplementationderivedfromkmiya'ssixel.Versions1.8.7andpriorcontainaUse- After-Freevulnerabilityviatheloadgif()functioninfromgif.c,whereasinglesixelframetobjectisreusedacrossall framesofananimatedGIFandgifinitframe()unconditionallyfreesandreallocatesframe->pixelsbetweenframes CVE- withoutconsultingtheobject'sreferencecount.BecausethepublicAPIexplicitlyprovidessixelframeref()toretaina More2026- frameandsixelframegetpixels()toaccesstherawpixelbuffer,acallbackfollowingthisdocumentedusagepattern 7.0 Details33018 willholdadanglingpointerafterthesecondframeisdecoded,resultinginaheapuse-after-freeconfirmedbyASAN. 
Anyapplicationusingsixelhelperloadimagefile()withamulti-framecallbacktoprocessuser-suppliedanimated GIFsisaffected,withareliablecrashastheminimumimpactandpotentialforcodeexecution.Thisissuehasbeen

CVE-2026-39883 (score 7.0): OpenTelemetry-Go is the Go implementation of OpenTelemetry. From 1.15.0 to 1.42.0, the fix for CVE-2026-24051 changed the Darwin ioreg command to use an absolute path but left the BSD kenv command using a bare name, allowing the same PATH hijacking attack on BSD and Solaris platforms. This vulnerability is fixed in 1.43.0.

CVE- 32150 (score 7.0): Concurrent execution using shared resource with improper synchronization ('race condition') in Function Discovery Service (fdwsd.dll) allows an authorized attacker to elevate privileges locally.

CVE- More DoublefreeinMicrosoftBrokeringFileSystemallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details32219 CVE- UseafterfreeinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanauthorizedattackertoelevate More2026- 7.0 Details32075 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsTCP/IP More2026- 7.0 allowsanauthorizedattackertoelevateprivilegeslocally. Details27921 CVE- More2026- UseafterfreeinWindowsCommonLogFileSystemDriverallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details32070 CVE- More2026- UseafterfreeinWindowsTDITranslationDriver(tdx.sys)allowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details27908 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inApplockerFilterDriver More2026- 7.0 (applockerfltr.sys)allowsanauthorizedattackertoelevateprivilegeslocally. Details25184 CVE- InsecurestorageofsensitiveinformationinWindowsCryptographicServicesallowsanauthorizedattackertoelevate More2026- 7.0 Details26152 CVE- More2026- UseafterfreeinWindowsShellallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details26165 CVE- More2026- DoublefreeinWindowsShellallowsanauthorizedattackertoelevateprivilegeslocally. 7.0 Details26166 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsAncillary More2026- 7.0 FunctionDriverforWinSockallowsanauthorizedattackertoelevateprivilegeslocally. Details26173 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsServer More2026- 7.0 UpdateServiceallowsanauthorizedattackertoelevateprivilegeslocally. 
Details26174 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. Details26177 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsSSDP More2026- 7.0 Serviceallowsanauthorizedattackertoelevateprivilegeslocally. Details32068 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. Details26182 CVE- UseafterfreeinWindowsWFPNDISLightweightFilterDriver(wfplwfs.sys)allowsanauthorizedattackertoelevate More2026- 7.0 Details27917 CVE- Concurrentexecutionusingsharedresourcewithimpropersynchronization('racecondition')inWindowsCloudFiles More 2026- 7.0 MiniFilterDriverallowsanauthorizedattackertoelevateprivilegeslocally. Details 27926 CVE- Time-of-checktime-of-use(toctou)raceconditioninWindowsLUAFVallowsanauthorizedattackertoelevate More2026- 7.0 Details27929 CVE- UseafterfreeinWindowsAncillaryFunctionDriverforWinSockallowsanauthorizedattackertoelevateprivileges More2026- 7.0 locally. Details27922 CVE- Vulnerabilityofimproperpermissioncontrolinthethemesettingmodule.Impact:Successfulexploitationofthis More 6.9 vulnerabilitymayaffectserviceconfidentiality. Details28553 AflawwasfoundinKeycloak,specificallyintheorganizationselectionloginpage.Aremoteattackerwithmanage- realmormanage-organizationsadministrativeprivilegescanexploitaStoredCross-SiteScripting(XSS)

vulnerability.Thisflawoccursbecausetheorganization.aliasisplacedintoaninlineJavaScriptonclickhandler, MoreCVE- 6.9 allowingacraftedJavaScriptpayloadtoexecuteinauser'sbrowserwhentheyviewtheloginpage.Successful Details exploitationenablesarbitraryJavaScriptexecution,potentiallyleadingtosessiontheft,unauthorizedaccountactions,37980 orfurtherattacksagainstusersoftheaffectedrealm. CVE-Accessofresourceusingincompatibletype('typeconfusion')vulnerabilityinSamsungOpenSourceEscargotallows More2026- 6.9PointerManipulation.ThisissueaffectsEscargot:97e8115ab1110bc502b4b5e4a0c689a71520d335. Details40446 CVE-IncorrectprivilegeassignmentinBluetoothinMaintenancemodepriortoSMRApr-2026Release1allowsphysical More2026- 6.8attackerstobypassExtendUnlock. Details21011 ApolloMCPServerisaModelContextProtocolserverthatexposesGraphQLoperationsasMCPtools.Priortoversion 1.7.0,theApolloMCPServerdidnotvalidatetheHostheaderonincomingHTTPrequestswhenusing StreamableHTTPtransport.InconfigurationswhereanHTTP-basedMCPserverisrunonlocalhostwithoutadditional authenticationornetwork-levelcontrols,thiscouldpotentiallyallowamaliciouswebsite--visitedbyauserrunningCVE-theserverlocally--touseDNSrebindingtechniquestobypasssame-originpolicyrestrictionsandissuerequeststo More2026- 6.8thelocalMCPserver.Ifsuccessfullyexploited,thiscouldallowanattackertoinvoketoolsoraccessresources Details35577exposedbytheMCPserveronbehalfofthelocaluser.ThisissueislimitedtoHTTP-basedtransportmodes (StreamableHTTP).Itdoesnotaffectserversusingstdiotransport.Thepracticalriskisfurtherreducedin deploymentsthatuseauthentication,network-levelaccesscontrols,orarenotboundtolocalhost.Thisvulnerabilityis fixedin1.7.0. 
CVE-TheFormMakerby10WebWordPresspluginbefore1.15.38doesnotproperlyprepareSQLquerieswhenthe"MySQL More2025- 6.8Mapping"featureisinuse,whichcouldmakeSQLInjectionattackspossibleincertaincontexts. Details15441 CVE-Heap-basedbufferoverflowinWindowsUSBPrintDriverallowsanunauthorizedattackertoelevateprivilegeswitha More2026- 6.8physicalattack. Details32223 CVE-RateLimitingforattemptingauserloginisnotbeingproperlyenforced,makingHCLDevOpsVelocitysusceptibleto More2025- 6.8brute-forceattackspasttheunsuccessfulloginattemptlimit.Thisvulnerabilityisfixedin5.1.7. Details31991 CVE-ImpropercheckforexceptionalconditionsinDeviceCarepriortoSMRApr-2026Release1allowsphysicalattackers More2026- 6.8tobypassKnoxGuard. Details21007 CVE-Boundary-unlimitedvulnerabilityintheapplicationreadmodule.Impact:Successfulexploitationofthisvulnerability More2026- 6.8mayaffectavailability. Details34864 CVE-RaceinV8inGoogleChromepriorto147.0.7727.55allowedaremoteattackertopotentiallyexploitheapcorruption More2026- 6.8viaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details5893 AivenOperatorallowsyoutoprovisionandmanageAivenServicesfromyourKubernetescluster.From0.31.0to before0.37.0,adeveloperwithcreatepermissiononClickhouseUserCRDsintheirownnamespacecanexfiltrate secretsfromanyothernamespace--productiondatabasecredentials,APIkeys,servicetokens--withasingleCVE-kubectlapply.Theoperatorreadsthevictim'ssecretusingitsClusterRoleandwritesthepasswordintoanewsecret More2026- 6.8intheattacker'snamespace.Theoperatoractsasaconfuseddeputy:itsServiceAccounthascluster-widesecret Details39961read/write(aiven-operator-roleClusterRole),andittrustsuser-suppliednamespacevaluesin spec.connInfoSecretSource.namespacewithoutvalidation.Noadmissionwebhookenforcesthisboundary--the 
ServiceUserwebhookreturnsnil,andnoClickhouseUserwebhookexists.Thisvulnerabilityisfixedin0.37.0. CVE-RelianceonuntrustedinputsinasecuritydecisioninWindowsBootLoaderallowsanauthorizedattackertobypassa More2026- 6.7securityfeaturelocally. Details0390 CVE-ArelativepathtraversalvulnerabilityinFortinetFortiWeb8.0.0through8.0.2,FortiWeb7.6.0through7.6.6,FortiWeb More2026-7.4.1through7.4.12,FortiWeb7.2.7through7.2.12,FortiWeb7.0.10through7.0.12mayallowattackertoexecute 6.7 Details39814unauthorizedcodeorcommandsvia CVE-Aimproperneutralizationofspecialelementsusedinansqlcommand('sqlinjection')vulnerabilityinFortinet More2026-FortiClientEMS7.4.0through7.4.5,FortiClientEMS7.2.0through7.2.12,FortiClientEMS7.0allversionsmayallow 6.7 Details39809attackertoexecuteunauthorizedcodeorcommandsviasendingcraftedrequests Aimproperlimitationofapathnametoarestricteddirectory('pathtraversal')vulnerabilityinFortinetFortiSandboxCVE-5.0.0through5.0.5,FortiSandbox4.4.0through4.4.8,FortiSandbox4.2allversions,FortiSandboxCloud5.0.4, More2026- 6.7FortiSandboxPaaS5.0.4mayallowaprivilegedattackerwithsuper-adminprofileandCLIaccesstodeletean Details25691arbitrarydirectoryviaHTTPcraftedrequests. APermissiveListofAllowedInputvulnerabilityintheCLIofJuniperNetworksSupportInsights(JSI)VirtualLightweight CVE-Collector(vLWC)allowsalocal,highprivilegedattackertoescalatetheirprivilegestoroot.TheCLImenuaccepts Moreinputwithoutcarefullyvalidatingit,whichallowsforshellcommandinjection.Theseshellcommandsareexecuted 6.7

21915 withrootpermissionsandcanbeusedtogaincompletecontrolofthesystem.ThisissueaffectsallJSIvLWCversions Details before3.0.94. CVE- Insystemd259before260,thereislocalprivilegeescalationinsystemd-machinedbecausevarlinkcanbeusedto More 6.7 reachtherootnamespace. Details40224 CVE- Improperneutralizationofspecialelementsusedinansqlcommand('sqlinjection')inSQLServerallowsan More2026- 6.7 authorizedattackertoelevateprivilegeslocally. Details32176 CVE- Improperneutralizationofspecialelementsusedinansqlcommand('sqlinjection')inSQLServerallowsan More2026- 6.7 authorizedattackertoelevateprivilegeslocally. Details32167 CVE- More2026- 6.7 authorizationandthemesupport.Priorto0.31.4.0,Thisvulnerabilityisfixedin0.31.4.0. Details39389 AMissingAuthenticationforCriticalFunctionvulnerabilityincommandprocessingofJuniperNetworksJunosOS allowsaprivilegedlocalattackertogainaccesstoLinux-basedlinecardsasroot.Thisissueaffectssystemsrunning CVE- JunosOSusingLinux-basedlinecards.Affectedlinecardsinclude:MPC7,MPC8,MPC9,MPC10,MPC11LC2101, More2025- LC2103LC480,LC4800,LC9600MX304(built-inFPC)MX-SPC3SRX5K-SPC3EX9200-40XSFPC3-PTX-U2, 6.7 Details30650 FPC3-PTX-U3FPC3-SFF-PTXLC1101,LC1102,LC1104,LC1105ThisissueaffectsJunosOS:allversionsbefore 22.4R3-S8,from23.2before23.2R2-S6,from23.4before23.4R2-S6,from24.2before24.2R2-S3,from24.4 before24.4R2,from25.2before25.2R2. Aflawwasfoundinlibcap.AlocalunprivilegedusercanexploitaTime-of-check-to-time-of-use(TOCTOU)raceCVE- conditioninthecap_set_file()function.Thisallowsanattackerwithwriteaccesstoaparentdirectorytoredirectfile More2026- 6.7 capabilityupdatestoanattacker-controlledfile.Bydoingso,capabilitiescanbeinjectedintoorstrippedfrom Details4878 unintendedexecutables,leadingtoprivilegeescalation. 
CVE- BluetoothACPIDriversprovidedbyDynabookInc.containastack-basedbufferoverflowvulnerability.Anattacker More2026- 6.7 mayexecutearbitrarycodebymodifyingcertainregistryvalues. Details35553 CVE- Out-of-boundswritevulnerabilityinthefilesystem.Impact:Successfulexploitationofthisvulnerabilitymayaffect More2026- 6.7 Details34863 CVE- Out-of-boundsreadvulnerabilityinSamsungOpenSourceEscargotallowsResourceLeakExposure.Thisissueaffects More2026- 6.7 Details25206 AnOSCommandInjectionvulnerabilityintheCLIprocessingofJuniperNetworksJunosOSandJunosOSEvolved allowsalocal,high-privilegedattackerexecutingspecific,craftedCLIcommandstoinjectarbitraryshellcommands asroot,leadingtoacompletecompromiseofthesystem.Certain'setsystem'commands,whenexecutedwith CVE- craftedarguments,arenotproperlysanitized,allowingforarbitraryshellinjection.Theseshellcommandsare More2026- executedasroot,potentiallyallowingforcompletecontrolofthevulnerablesystem.Thisissueaffects:JunosOS:all 6.7 Details33791 versionsbefore22.4R3-S8,from23.2before23.2R2-S5,from23.4before23.4R2-S7,from24.2before24.2R2- S2,from24.4before24.4R2,from25.2before25.2R2;JunosOSEvolved:allversionsbefore22.4R3-S8-EVO, *from23.2before23.2R2-S5-EVO,from23.4before23.4R2-S7-EVO,from24.2before24.2R2-S2-EVO,from 24.4before24.4R2-EVO,*from25.2before25.2R1-S1-EVO,25.2R2-EVO. 
InvenTreeisanOpenSourceInventoryManagementSystem.Priorto1.2.7and1.3.0,anyuserswhohavestaff CVE- accesspermissionscaninstallpluginsviatheAPI,withoutrequiring"superuser"accountaccess.Thislevelof More2026- permissionrequirementisoutofalignmentwithotherpluginactions(suchasuninstalling)whichdorequire 6.6 Details35479 superuseraccess.Thevulnerabilityallowsstaffusers(whomaybeconsideredtohavealowerleveloftrustthana superuseraccount)toinstallarbitrary(andpotentiallyharmful)plugins.Thisvulnerabilityisfixedin1.2.7and1.3.0. CVE- DellPowerScaleOneFS,versions9.5.0.0through9.10.1.6andversions9.11.0.0through9.13.0.1,containsan More2026- incorrectprivilegeassignmentvulnerability.Alowprivilegedattackerwithlocalaccesscouldpotentiallyexploitthis 6.6 Details27102 vulnerability,leadingtoelevationofprivileges. Aneval()injectionvulnerabilityintheRapid7InsightAgentbeaconinglogicforLinuxversionscouldtheoreticallyCVE- allowanattackertoachieveremotecodeexecutionasrootviaacraftedbeaconresponse.BecausetheAgentuses More2026- 6.6 mutualTLS(mTLS)toverifycommandsfromtheRapid7Platform,itisunlikelythattheeval()functioncouldbe Details4837 exploitedremotelywithoutprior,highlyprivilegedaccesstothebackendplatform. 
UseofDefaultCryptographicKeyinthehardwareforsomeIntel(R)Pentium(R)ProcessorSilverSeries,Intel(R) Celeron(R)ProcessorJSeries,Intel(R)Celeron(R)ProcessorNSeriesmayallowanescalationofprivilege.Hardware CVE- reverseengineeradversarywithaprivilegedusercombinedwithahighcomplexityattackmayenableescalationof More privilege.Thisresultmaypotentiallyoccurviaphysicalaccesswhenattackrequirementsarepresentwithspecial 6.6 Details20709 internalknowledgeandrequiresnouserinteraction.Thepotentialvulnerabilitymayimpacttheconfidentiality(high), integrity(none)andavailability(none)ofthevulnerablesystem,resultinginsubsequentsystemconfidentiality (high),integrity(high)andavailability(none)impacts.

CVE- InsufficientpolicyenforcementinPWAsinGoogleChromepriorto147.0.7727.55allowedaremoteattackerwhohad More 6.6 compromisedtherendererprocesstoinstallaPWAwithoutuserconsentviaacraftedHTMLpage.(Chromium Details securityseverity:Medium) CVE- ImproperinputvalidationinRetailModepriortoSMRApr-2026Release1allowslocalattackerstotriggerprivileged More 6.6 functions. Details21010 AsecurityflawhasbeendiscoveredinGL.iNetGL-RM1,GL-RM10,GL-RM10RCandGL-RM1PE1.8.1.Affectedbythis issueissomeunknownfunctionalityofthecomponentFactoryResetHandler.PerformingamanipulationresultsinCVE- improperauthentication.Theattackcanbeinitiatedremotely.Thecomplexityofanattackisratherhigh.The More2026- 6.6 exploitationisknowntobedifficult.Upgradingtoversion1.8.2canresolvethisissue.Itisadvisabletoupgradethe Details5959 affectedcomponent.Thevendorwascontactedearly,respondedinaveryprofessionalmannerandquicklyreleased afixedversionoftheaffectedproduct. TheUserRegistration&Membership-Free&PaidMemberships,Subscriptions,ContentRestriction,UserProfile, CustomUserRegistration&LoginBuilderpluginforWordPressisvulnerabletoSQLInjectionviatheCVE- 'membershipids[]'parameterinallversionsupto,andincluding,5.1.2duetoinsufficientescapingontheuser More2026- 6.5 suppliedparameterandlackofsufficientpreparationontheexistingSQLquery.Thismakesitpossiblefor Details1865 authenticatedattackers,withSubscriber-levelaccessandabove,toappendadditionalSQLqueriesintoalready existingqueriesthatcanbeusedtoextractsensitiveinformationfromthedatabase. CVE- MissingAuthorizationvulnerabilityinAAWebServant12StepMeetingList12-step-meeting-listallowsExploiting More2026- IncorrectlyConfiguredAccessControlSecurityLevels.Thisissueaffects12StepMeetingList:fromn/athrough<= 6.5 Details39569 3.19.9. 
CVE- DuetomissingauthorizationchecksintheSAPS/4HANAODataService(ManageReferenceEquipment),anattacker More2026- couldupdateanddeletechildentitiesviaODataserviceswithoutproperauthorization.Thisvulnerabilityhasahigh 6.5 Details27677 impactonintegrity,whileconfidentialityandavailabilityarenotimpacted. TheLifterLMSpluginforWordPressisvulnerabletoSQLInjectionviathe'order'parameterinallversionsupto,and CVE- including,9.2.1.Thisisduetoinsufficientescapingontheusersuppliedparameterandlackofsufficientpreparation More2026- ontheexistingSQLquery.Thismakesitpossibleforauthenticatedattackers,withInstructor-levelaccessandabove 6.5 Details5207 whohavetheeditpostcapabilityonthequiz,toappendadditionalSQLqueriesintoalreadyexistingqueriesthatcan beusedtoextractsensitiveinformationfromthedatabase. CVE- Out-of-boundsreadvulnerabilityinSamsungOpenSourceEscargotallowsResourceLeakExposure.Thisissueaffects More2026- 6.5 Details25209 CVE- ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinRonaldHuereca More2026- CustomQueryBlockspost-type-archive-mappingallowsDOM-BasedXSS.ThisissueaffectsCustomQueryBlocks:from 6.5 Details39575 n/athrough<=5.5.0. CVE- UseafterfreeinWindowsUniversalPlugandPlay(UPnP)DeviceHostallowsanunauthorizedattackertodisclose More2026- 6.5 informationoveranadjacentnetwork. 
Details27925 ApacheAirflowversions3.0.0through3.1.8DagRunwaitendpointreturnsXComresultvalueseventouserswhoonly haveDAGRunreadpermissions,suchastheViewerrole.ThisbehaviorconflictswiththeFABRBACmodel,which CVE- treatsXComasaseparateprotectedresource,andwiththesecuritymodeldocumentationthatdefinestheViewer More2026- roleasread-only.AirflowusestheFABAuthManagertomanageaccesscontrolonaper-resourcebasis.TheViewer 6.5 Details34538 roleisintendedtoberead-onlybydefault,andthesecuritymodeldocumentationdefinesViewerusersasthosewho caninspectDAGswithoutaccessingsensitiveexecutionresults.UsersarerecommendedtoupgradetoApache Airflow3.2.0whichresolvesthisissue. CVE- Pachno1.0.6containsanopenredirectionvulnerabilitythatallowsattackerstoredirectuserstoarbitraryexternal More2026- websitesbymanipulatingthereturntoparameter.AttackerscancraftmaliciousloginURLswithunvalidated 6.5 Details40039 returntovaluestoconductphishingattacksandstealusercredentials. CVE- DuetomissingauthorizationchecksintheSAPS/4HANAbackendODataService(ManageReferenceStructures),an More2026- 6.5 Details27678 vulnerabilityhasahighimpactonintegrity,whileconfidentialityandavailabilityarenotimpacted. CVE- TheYMLforYandexMarketWordPresspluginbefore5.0.26isvulnerabletoRemoteCodeExecutionviathefeed More2025- 6.5 generationprocess. Details14545 Pachno1.0.6containsanauthenticationbypassvulnerabilityintherunSwitchUser()actionthatallowsauthenticatedCVE- low-privilegeuserstoescalateprivilegesbymanipulatingtheoriginalusernamecookie.Attackerscansettheclient- More2026- 6.5 controlledoriginalusernamecookietoanyvalueandrequestaswitchtouserID1toobtainsessiontokensor Details40043 passwordhashesbelongingtoadministratoraccounts. 
TheYITHWooCommerceWishlistWordPresspluginbefore4.13.0doesnotproperlyvalidatewishlistownershipintheCVE- save_title()AJAXhandlerbeforeallowingwishlistrenamingoperations.Thefunctiononlychecksforavalidnonce, More 6.5 whichispubliclyexposedinthepagesourceofthe/wishlist/page,makingitpossibleforunauthenticatedattackers Details torenameanywishlistbelongingtoanyuseronthesite.

Net::CIDR::Liteversionsbefore0.23forPerlmishandlesIPv4mappedIPv6addresses,whichmayallowIPACLbypass. packipv6()includesthesentinelbytefrompackipv4()whenbuildingthepackedrepresentationofIPv4mapped addresseslike::ffff:192.168.1.1.Thisproducesan18bytevalueinsteadof17bytes,misaligningtheIPv4partoftheCVE-address.Thewronglengthcausesincorrectresultsinmaskoperations(bitwiseANDtruncatestotheshorteroperand) More 6.5andinfind()/binfind()whichusePerlstringcomparison(lt/gt).Thiscancausefind()toincorrectlymatchormiss Details40199addresses.Example:my$cidr=Net::CIDR::Lite->new("::ffff:192.168.1.0/120");$cidr->find("::ffff:192.168.2.0");# incorrectlyreturnstrueThisistriggeredbyvalidRFC4291IPv4mappedaddresses(::ffff:x.x.x.x).SeealsoCVE-2026- 40198,arelatedissueinthesamefunctionaffectingmalformedIPv6addresses. ChamiloLMSisanopen-sourcelearningmanagementsystem.Inversionspriorto2.0.0-RC.3,thenotebookmodule containsanInsecureDirectObjectReference(IDOR)vulnerabilitythatallowsanyauthenticatedstudenttoreadthe CVE-privatecoursenotesofanyotheruserontheplatformbymanipulatingthenotebookidparameterintheeditnote More2026-action.TheapplicationfetchesthenotecontentusingonlythesuppliedintegerIDwithoutverifyingthatthe 6.5 Details34370requestinguserownsthenote,andthefulltitleandHTMLbodyarerenderedintheeditformandreturnedtothe attacker'sbrowser.Whileownershipchecksexistinthewritepaths(updateNote()anddeletenote()),theyare entirelyabsentfromthereadpath(getnoteinformation()).Thisissuehasbeenfixedinversion2.0.0-RC.3. 
Aflawwasfoundinmirror-registry.AuthenticateduserscanexploitthelogexportfeaturebyprovidingaspeciallyCVE-craftedwebaddress(URL).Thisallowstheapplication'sbackendtomakearbitraryrequeststointernalnetwork More2026- 6.5resources,avulnerabilityknownasServer-SideRequestForgery(SSRF).Thiscouldleadtounauthorizedaccessto Details2377sensitiveinformationorotherinternalsystems. CVE-InsufficientvalidationofuntrustedinputinWebSocketsinGoogleChromepriorto147.0.7727.55allowedaremote More2026-attackerwhohadcompromisedtherendererprocesstobypasssameoriginpolicyviaacraftedHTMLpage. 6.5 Details5919(Chromiumsecurityseverity:Low) PraisonAIisamulti-agentteamssystem.Priorto4.5.128,thesafeextractall()functioninPraisonAI'sreciperegistry CVE-validatesarchivemembersagainstpathtraversalattacksbutperformsnochecksonindividualmembersizes, More2026-cumulativeextractedsize,ormembercountbeforecallingtar.extractall().Anattackercanpublishamaliciousrecipe 6.5 Details40148bundlecontaininghighlycompressibledata(e.g.,10GBofzeroscompressingto~10MB)thatexhauststhevictim's diskwhenpulledviaLocalRegistry.pull()orHttpRegistry.pull().Thisvulnerabilityisfixedin4.5.128. CVE-DuetomissingauthorizationchecksintheSAPS/4HANAfrontendODataService(ManageReferenceStructures),an More2026- 6.5 Details27679vulnerabilityhasahighimpactonintegrity,whileconfidentialityandavailabilityarenotimpacted. CVE-VariousstoredXSSvulnerabilitiesinthemaps-andiconrenderinglogicinPhocaMapscomponent5.0.0-6.0.2have More2026- 6.5beendiscovered. 
Details23900 CVE-OpenClawbefore2026.3.31(patchedin2026.4.8)containsarequestbodyreplayvulnerabilityinfetchWithSsrFGuard More2026-thatallowsunsaferequestbodiestoberesentacrosscross-originredirects.Attackerscanexploitthisbytriggering 6.5 Details40037redirectstoexfiltratesensitiverequestdataorheaderstounintendedorigins. Directusisareal-timeAPIandAppdashboardformanagingSQLdatabasecontent.Priorto11.17.0,Directusstores CVE-revisionrecords(indirectusrevisions)wheneveritemsarecreatedorupdated.Duetotherevisionsnapshotcodenot More2026-consistentlycallingtheprepareDeltasanitizationpipeline,sensitivefields(includingusertokens,two-factor 6.5 Details39943authenticationsecrets,externalauthidentifiers,authdata,storedcredentials,andAIproviderAPIkeys)couldbe storedinplaintextwithinrevisionrecords.Thisvulnerabilityisfixedin11.17.0. CVE-DuetoamissingauthorizationcheckinSAPBusinessAnalyticsandSAPContentManagement,anauthenticateduser More2026-couldmakeunauthorizedcallstocertainremotefunctionmodules,potentiallyaccessingsensitiveinformationbeyond 6.5 Details34261theirintendedpermissions.Thisvulnerabilityaffectsconfidentiality,withnoimpactonintegrityandavailability. CVE-Cross-SiteRequestForgery(CSRF)vulnerabilityinThemeGoodsGrandBloggrandblogallowsCrossSiteRequest More2026- 6.5Forgery.ThisissueaffectsGrandBlog:fromn/athrough<=3.1. Details39632 DuringauthorizationchecksinSAPHumanCapitalManagementforSAPS/4HANA,thesystemreturnsspecificCVE-messages.Duetothis,anauthenticateduserwithlowprivilegescouldguessandenumeratethecontentshown, More2026- 6.5beyondtheirauthorizedscope.Thisleadstodisclosureofsensitiveinformationcausingahighimpacton Details34264confidentiality,whileintegrityandavailabilityareunaffected. 
CVE-Cross-SiteRequestForgery(CSRF)vulnerabilityinThemeGoodsGrandCarRentalgrandcarrentalallowsCrossSite More2026- 6.5RequestForgery.ThisissueaffectsGrandCarRental:fromn/athrough<=3.6.9. Details39633 AvulnerabilityexistsinthecommandhandlingoftheIEC61850communicationstackincludedintheproduct revisionslistedasaffectedinthisCVE.AnattackerwithaccesstoIEC61850networkscouldexploitthevulnerability byusingaspeciallycrafted61850packet,forcingthecommunicationinterfacesofthePM877,CI850andCI868 modulesintofaultmodeorcausingunavailabilityoftheS+Operations61850connectivity,resultinginadenial-of-CVE-servicesituation.TheSystem800xAIEC61850Connectisnotaffected.Note:Thisvulnerabilitydoesnotimpacton More2025- 6.5theoverallavailabilityandfunctionalityoftheS+Operationsnode,onlythe61850communicationfunction.This Details issueaffectsAC800M(System800xA):from6.0.0xthrough6.0.0303.0,from6.1.0xthrough6.1.0031.0,from6.1.1x through6.1.1004.0,from6.1.1xthrough6.1.1202.0,from6.2.0xthrough6.2.0006.0;SymphonyPlusSDSeries:A0, A1,A2.003,A3.005,A4.001,B0.005;SymphonyPlusMR(MelodyRack):from3.10through3.52;S+Operations: 2.1,2.2,2.3,3.3.

CVE- More MicrosoftLocalSecurityAuthoritySubsystemServiceInformationDisclosureVulnerability 6.5 Details26155 CVE- AmissingauthenticationforcriticalfunctionvulnerabilityinFortinetFortiOS7.6.0through7.6.3,FortiOS7.4.0 More2025- through7.4.8,FortiOS7.2.0through7.2.11,FortiOS7.0.0through7.0.17,FortiOS6.4allversions,FortiOS6.2.9 6.5 Details53847 through6.2.17allowsattackertoexecuteunauthorizedcodeorcommandsviaspeciallycraftedpackets. CVE- ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinbozdozLeaflet More2026- 6.5 Mapleaflet-mapallowsStoredXSS.ThisissueaffectsLeafletMap:fromn/athrough<=3.4.4. Details39646 CVE- Side-channelinformationleakageinNavigationinGoogleChromepriorto147.0.7727.55allowedaremoteattacker More2026- 6.5 toleakcross-origindataviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details5876 CVE- ChamiloLMSisalearningmanagementsystem.Priorto2.0.0-RC.3,anyauthenticateduser(including More2026- ROLESTUDENT)canenumerateallplatformusersandaccesspersonalinformation(email,phone,roles)viaGET 6.5 Details33736 /api/users,includingadministratoraccounts.Thisvulnerabilityisfixedin2.0.0-RC.3. UncontrolledResourceConsumption(CWE-400)inKibanacanleadtodenialofserviceviaExcessiveAllocationCVE- (CAPEC-130).Anauthenticateduserwithaccesstotheautomaticimportfeaturecansubmitspeciallycrafted More2026- 6.5 requestswithexcessivelylargeinputvalues.Whenmultiplesuchrequestsaresentconcurrently,thebackend Details33459 servicesbecomeunstable,resultinginservicedisruptionanddeploymentunavailabilityforallusers. 
CVE- ChamiloLMSisalearningmanagementsystem.Priorto1.11.38,thegetuserinfofrom_usernameRESTAPIendpoint More2026- returnspersonalinformation(email,firstname,lastname,userID,activestatus)ofanyusertoanyauthenticated 6.5 Details33708 user,includingstudents.Thereisnoauthorizationcheck.Thisvulnerabilityisfixedin1.11.38. CVE- ExposureofsensitiveinformationinSSharepriortoSMRApr-2026Release1allowsadjacentattackertoaccess More2026- 6.5 sensitiveinformation. Details21008 OpenClawbefore2026.3.24containsaprivilegeescalationvulnerabilitywherethe/allowlistcommandfailstore-CVE- validategatewayclientscopesforinternalcallers,allowingoperator.write-scopedclientstomutatechannel More2026- 6.5 authorizationpolicy.Attackerscanexploitchat.sendtobuildaninternalcommand-authorizedcontextandpersist Details35621 channelallowFromandgroupAllowFrompolicychangesreservedforoperator.adminscope. CVE- ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinuicoreUiCore More2026- 6.5 Elementsuicore-elementsallowsStoredXSS.ThisissueaffectsUiCoreElements:fromn/athrough<=1.3.14. Details39708 CVE- OpenClawbefore2026.3.22containsasettingsreconciliationvulnerabilitythatallowsattackerstobypassintended More2026- deny-allrevocationsbyexploitingemptyallowlisthandling.Thevulnerabilitytreatsexplicitemptyallowlistsasunset 6.5 Details35649 duringreconciliation,silentlyundoingintendedaccesscontroldenialsandrestoringpreviouslyrevokedpermissions. CVE- OpenClawbefore2026.3.22containsanauthorizationbypassvulnerabilityininteractivecallbackdispatchthatallows More2026- non-allowlistedsenderstoexecuteactionhandlers.Attackerscanbypasssenderauthorizationchecksbydispatching 6.5 Details35652 callbacksbeforenormalsecurityvalidationcompletes,enablingunauthorizedactions. 
Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priorto2.3.0,theaddRepeatIntervalToTime CVE- functionusesanO(n)loopthatadvancesadatebythetask'sRepeatAfterdurationuntilitexceedsthecurrenttime. More2026- Bycreatingarepeatingtaskwitha1-secondintervalandaduedatefarinthepast,anattackertriggersbillionsof 6.5 Details35599 loopiterations,consumingCPUandholdingadatabaseconnectionforminutesperrequest.Thisvulnerabilityisfixed in2.3.0. OpenClawbefore2026.3.22containsanauthenticationbypassvulnerabilityintheX-Forwarded-ForheaderCVE- processingwhentrustedProxiesisconfigured,allowingattackerstospoofloopbackhops.Remoteattackerscaninject More2026- 6.5 forgedforwardingheaderstobypasscanvasauthenticationandrate-limitingprotectionsbymasqueradingas Details35656 loopbackclients. CVE- OpenClawbefore2026.3.25containsanauthorizationbypassvulnerabilityintheHTTP/sessions/:sessionKey/history More2026- routethatskipsoperator.readscopevalidation.Attackerscanaccesssessionhistorywithoutproperoperatorread 6.5 Details35657 permissionsbysendingHTTPrequeststothevulnerableendpoint. CVE- OpenClawbefore2026.3.2containsafilesystemboundarybypassvulnerabilityintheimagetoolthatfailstohonor More2026- tools.fs.workspaceOnlyrestrictions.Attackerscantraversesandboxbridgemountsoutsidetheworkspacetoread 6.5 Details35658 filesthatotherfilesystemtoolswouldreject.

project-managementforneuroimagingresearch.From15.10tobefore27.0.3and28.0.1,thereisapotentialforaCVE-cross-sitescriptingattackinthesurvey_accountsmoduleifauserprovidesaninvalidvisitlabel.Whilethedatais More2026- 6.5properlyJSONencoded,theContent-Typeheaderisnotsetcausingthewebbrowsertointerpretthepayloadas Details35403HTML,openingthepossibilityofacross-sitescriptingifauseristrickedintofollowinganinvalidlink.This

CVE- ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinElfsightElfsight

WhatsAppChatCCelfsight-whatsapp-chatallowsDOM-BasedXSS.ThisissueaffectsElfsightWhatsAppChatCC:from 6.5 More 39696n/athrough<=1.2.0. Details Jellyfinisanopensourceselfhostedmediaserver.Versionspriorto10.11.7containadenialofservicevulnerability intheSyncPlaygroupcreationendpoint(POST/SyncPlay/New),whereanauthenticatedusercancreategroupswithCVE-namesofunlimitedsizeduetoinsufficientinputvalidation.Bysendinglargepayloadscombinedwitharbitrarygroup More2026- 6.5IDs,anattackercanlockouttheendpointforotherclientsattemptingtojoinSyncPlaygroupsandsignificantly Details35034increasethememoryusageoftheJellyfinprocess,potentiallyleadingtoanout-of-memorycrash.Thisissuehasbeen fixedinversion10.11.7. Vikunjaisanopen-sourceself-hostedtaskmanagementplatform.Priorto2.3.0,Vikunja'slinkshareauthentication CVE-(GetLinkShareFromClaimsinpkg/models/linksharing.go)constructsauthorizationobjectsentirelyfromJWTclaims More2026-withoutanyserver-sidedatabasevalidation.Whenaprojectownerdeletesalinkshareordowngradesits 6.5 Details35594permissions,allpreviouslyissuedJWTscontinuetogranttheoriginalpermissionlevelforupto72hours(thedefault service.jwtttl).Thisvulnerabilityisfixedin2.3.0. 
Saleorisane-commerceplatform.From2.10.0tobefore3.23.0a3,3.22.47,3.21.54,and3.20.118,abusiness-logic andauthorizationflawwasfoundintheaccountemailchangeworkflow,theconfirmationflowdidnotverifythattheCVE-emailchangeconfirmationtokenwasissuedforthegivenauthenticateduser.Asaresult,avalidemail-changetoken More2026- 6.5generatedforoneaccountcanbereplayedwhileauthenticatedasadifferentaccount.Thesecondaccount'semail Details35407addressisthenupdatedtothetoken'snewemail,eventhoughthattokenwasneverissuedforthataccount.This vulnerabilityisfixedin3.23.0a3,3.22.47,3.21.54,and3.20.118. AcleartexttransmissionofsensitiveinformationvulnerabilityinFortinetFortiSOARPaaS7.6.0through7.6.3,CVE-FortiSOARPaaS7.5.0through7.5.2,FortiSOARPaaS7.4allversions,FortiSOARPaaS7.3allversions,FortiSOARon- More2026- 6.5premise7.6.0through7.6.2,FortiSOARon-premise7.5.0through7.5.1,FortiSOARon-premise7.4allversions, Details22155FortiSOARon-premise7.3allversionsmayallowattackertoinformationdisclosurevia CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinJoshKohlbach More2026-AdvancedCouponsforWooCommerceCouponsadvanced-coupons-for-woocommerce-freeallowsDOM-Based 6.5 Details39508XSS.ThisissueaffectsAdvancedCouponsforWooCommerceCoupons:fromn/athrough<=4.7.1.1. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinHidekazu More2026-IshikawaVKAllinOneExpansionUnitvk-all-in-one-expansion-unitallowsStoredXSS.ThisissueaffectsVKAllinOne 6.5 Details39483ExpansionUnit:fromn/athrough<=9.113.3. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinAWPLifeBlog More2026- 6.5Filterblog-filterallowsDOM-BasedXSS.ThisissueaffectsBlogFilter:fromn/athrough<=1.7.6. 
Details39517 Animproperlimitationofapathnametoarestricteddirectory('pathtraversal')vulnerabilityinFortinetFortiSOAR CVE-PaaS7.6.0through7.6.3,FortiSOARPaaS7.5allversions,FortiSOARPaaS7.4allversions,FortiSOARPaaS7.3all More2026-versions,FortiSOARon-premise7.6.0through7.6.3,FortiSOARon-premise7.5allversions,FortiSOARon-premise7.4 6.5 Details22573allversions,FortiSOARon-premise7.3allversionsmayallowanauthenticatedremoteattackertoperformpath traversalattackviaFileContentExtractionactions. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinPublishPressPost More2026- 6.5Expiratorpost-expiratorallowsDOM-BasedXSS.ThisissueaffectsPostExpirator:fromn/athrough<=4.9.4. Details39482 CVE-Cross-SiteRequestForgery(CSRF)vulnerabilityinSkywarriorBlackfyreblackfyreallowsCrossSiteRequest More2026- 6.5Forgery.ThisissueaffectsBlackfyre:fromn/athrough<=2.5.4. Details39641 CLIENTCERTauthenticationdoesnotfailasexpectedforsomescenarioswhensoftfailisdisabledandFFMisusedinCVE- ApacheTomcat.ThisissueaffectsApacheTomcat:from11.0.0-M14through11.0.20,from10.1.22through10.1.53, More2026- 6.5from9.0.92through9.0.116.Usersarerecommendedtoupgradetoversion11.0.21,10.1.54or9.0.117,whichfixes Details34500 theissue. CVE-NASMcontainsaheapuseafterfreevulnerabilityinresponsefile(-@)processingwhereadanglingpointertofreed More2026-memoryisstoredintheglobaldependfileandlaterdereferenced,astheresponse-filebufferisfreedbeforethe 6.5 Details6068pointerisused,allowingfordatacorruptionorunexpectedbehavior. CVE-ExposureofsensitiveinformationtoanunauthorizedactorinWindowsShellallowsanauthorizedattackertodisclose More2026- 6.5informationoveranetwork. 
Details32151 CVE-GitLabhasremediatedanissueinGitLabEEaffectingallversionsfrom18.2before18.8.9,18.9before18.9.5,and More2026-18.10before18.10.3thatcouldhaveallowedanauthenticatedusertocausedenialofservicetotheGitLabinstance 6.5 Details1101duetoimproperinputvalidationinGraphQLqueries. ChamiloLMSisalearningmanagementsystem.Priorto2.0.0-RC.3,anInsecureDirectObjectReference(IDOR)CVE-vulnerabilityintheRESTAPIstatsendpointallowsanyauthenticateduser(includinglow-privilegestudentswith More 6.5ROLE_USER)toreadanyotheruser'slearningprogress,certificates,andgradebookscoresforanycourse,without Details33141enrollmentorsupervisoryrelationship.Thisvulnerabilityisfixedin2.0.0-RC.3. CVE-

6.5ImproperinputvalidationinMicrosoftOfficeSharePointallowsanunauthorizedattackertoperformspoofingovera More 32201network. Details CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinManojKumarMK MoreGoogleDirectionsgoogle-distance-calculatorallowsDOM-BasedXSS.ThisissueaffectsMKGoogleDirections:fromn/a6.5 Details39674through<=3.1.1. TandoorRecipesisanapplicationformanagingrecipes,planningmeals,andbuildingshoppinglists.Priorto2.6.5,aCVE-criticalDenialofService(DoS)vulnerabilitywasintherecipeimportfunctionality.Thisvulnerabilityallowsan More2026-6.5authenticatedusertocrashtheserverormakeasignificantlydegradeitsperformancebyuploadingalargesizeZIP Details27460file(ZIPBomb).Thisvulnerabilityisfixedin2.6.5. AfilesordirectoriesaccessibletoexternalpartiesvulnerabilityinSynologySSLVPNClientbefore1.4.5-0684allowsCVE-remoteattackerstoaccessfileswithintheinstallationdirectoryviaalocalHTTPserverboundtotheloopback More2021-6.5interface.Byleveraginguserinteractionwithacraftedwebpage,attackersmayretrievesensitivefilessuchas Details47960configurationfiles,certificates,andlogs,leadingtoinformationdisclosure. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinlivemesh More2026-LivemeshAddonsforElementoraddons-for-elementorallowsStoredXSS.ThisissueaffectsLivemeshAddonsfor6.5 Details39636Elementor:fromn/athrough<=9.0. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinThemesflat More2026-themesflat-addons-for-elementorthemesflat-addons-for-elementorallowsStoredXSS.Thisissueaffectsthemesflat-6.5 Details39500addons-for-elementor:fromn/athrough<=2.3.2. 
AnImproperCheckforUnusualorExceptionalConditionsvulnerabilityinthepacketforwardingengine(pfe)ofJuniper NetworksJunosOSonspecificEXandQFXSeriesdevicesallowanunauthenticated,adjacentattackertocausea CVE-completeDenialofService(DoS).OnEX4k,andQFX5kplatformsconfiguredasservice-provideredgedevices,ifL2PT More2026-isenabledontheUNIandVSTPisenabledonNNIinVXLANscenarios,receivingVSTPBPDUsonUNIleadstopacket6.5 Details33781bufferallocationfailures,resultinginthedevicetonotpasstrafficanymoreuntilitismanuallyrecoveredwitha restart.ThisissueaffectsJunosOS:24.4releasesbefore24.4R2,25.2releasesbefore25.2R1-S1,25.2R2.This issuedoesnotaffectJunosOSreleasesbefore24.4R1. OpenClawbefore2026.3.22containsaninformationdisclosurevulnerabilitythatallowsattackerswithoperator.readCVE-scopetoexposecredentialsembeddedinchannelbaseUrlandhttpUrlfields.Attackerscanaccessgatewaysnapshots More2026-6.5viaconfig.getandchannels.statusendpointstoretrievesensitiveauthenticationinformationfromURLuserinfo Details35644components. 
TheWPBlockadepluginforWordPressisvulnerabletoMissingAuthorizationinallversionsuptoandincluding 0.9.14.Thepluginregistersanadminpostactionhook'wp-blockade-shortcode-render'thatmapstothe rendershortcodepreview()function.Thisfunctionlacksanycapabilitycheck(currentusercan())andnonce verification,allowinganyauthenticatedusertoexecutearbitraryWordPressshortcodes.Thefunctiontakesauser-CVE- Moresupplied'shortcode'parameterfrom$GET,passesitthroughstripslashes(),anddirectlyexecutesitvia2026-6.5 Detailsdoshortcode().Thismakesitpossibleforauthenticatedattackers,withSubscriber-levelaccessandabove,to3480 executearbitraryshortcodes,whichcouldleadtoinformationdisclosure,privilegeescalation,orotherimpacts dependingonwhatshortcodesareregisteredonthesite(e.g.,shortcodesfromotherpluginsthatdisplaysensitive data,performactions,orincludefiles). AnImproperFollowingofaCertificate'sChainofTrustvulnerabilityinJ-WebofJuniperNetworksJunosOSonSRX SeriesallowsaPITMtointerceptthecommunicationofthedeviceandgetaccesstoconfidentialinformationand CVE-potentiallymodifyit.WhenanSRXdeviceisprovisionedtoconnecttoSecurityDirector(SD)cloud,itdoesn'tperform More2026-sufficientverificationofthereceivedservercertificate.ThisallowsaPITMtointerceptthecommunicationbetween6.5 Details33779theSRXandSDcloudandaccesscredentialsandothersensitiveinformation.ThisissueaffectsJunosOS:all versionsbefore22.4R3-S9,23.2versionsbefore23.2R2-S6,23.4versionsbefore23.4R2-S7,24.2versionsbefore 24.2R2-S3,24.4versionsbefore24.4R2-S2,25.2versionsbefore25.2R1-S2,25.2R2. 
AMissingReleaseofMemoryafterEffectiveLifetimevulnerabilityintheLayer2AddressLearningDaemon(l2ald)of JuniperNetworksJunosOSandJunosOSEvolvedallowsanadjacent,unauthenticatedattackertocauseamemory leakultimatelyleadingtoaDenialofService(DoS).InanEVPN-MPLSscenario,routeslearnedfromremotemulti- homedProviderEdge(PE)devicesareprogrammedasESIroutes.Duetoalogicissueinthel2aldmemoryCVE-management,memoryallocatedfortheseroutesisnotreleasedwhenthereischurnfortheseroutes.Asaresult, More2026-6.5memoryleaksinthel2aldprocesswhichwillultimatelyleadtoacrashandrestartofl2ald.Usethefollowing Details33780commandtomonitorthememoryconsumptionbyl2ald:user@device>showsystemprocessextensive|match "PID|l2ald"Thisissueaffects:JunosOS:allversionsbefore22.4R3-S5,23.2versionsbefore23.2R2-S3,23.4 versionsbefore23.4R2-S4,24.2versionsbefore24.2R2;JunosOSEvolved:allversionsbefore22.4R3-S5-EVO, 23.2versionsbefore23.2R2-S3-EVO,23.4versionsbefore23.4R2-S4-EVO,24.2versionsbefore24.2R2-EVO. CVE-UninitializedUseinWebCodecsinGoogleChromepriorto147.0.7727.55allowedaremoteattackertoobtain More2026-potentiallysensitiveinformationfromprocessmemoryviaacraftedHTMLpage.(Chromiumsecurityseverity:6.5 Details5888Medium) OpenClawversions2026.3.11through2026.3.24containasessionisolationbypassvulnerabilitywhereCVE-sessionstatusresolvessessionIdtocanonicalsessionkeysbeforeenforcingvisibilitychecks.Sandboxedchild More6.5sessionscanexploitthistoaccessparentorsiblingsessionsthatshouldbeblockedbyexplicitsessionKey Details35636restrictions.

ABufferCopywithoutCheckingSizeofInput('ClassicBufferOverflow')vulnerabilityintheadvancedforwarding toolkit(evo-aftmand/evo-pfemand)ofJuniperNetworksJunosOSEvolvedonPTXSeriesorQFX5000Seriesallowsan unauthenticated,adjacentattackertocauseaDenialofService(DoS).Anattackersendingcraftedmulticastpackets willcauselinecardsrunningevo-aftmand/evo-pfemandtocrashandrestartornon-linecarddevicestocrashandCVE- Morerestart.ContinuedreceiptandprocessingofthesepacketswillsustaintheDenialofService(DoS)condition.This 6.5 DetailsissueaffectsJunosOSEvolvedPTXSeries:Allversionsbefore22.4R3-S8-EVO,from23.2before23.2R2-S5-EVO,59969from23.4before23.4R2-EVO,from24.2before24.2R2-EVO,from24.4before24.4R2-EVO.Thisissueaffects JunosOSEvolvedonQFX5000Series:22.2-EVOversionbefore22.2R3-S7-EVO,22.4-EVOversionbefore22.4R3- S7-EVO,23.2-EVOversionsbefore23.2R2-S4-EVO,23.4-EVOversionsbefore23.4R2-S5-EVO,24.2-EVOversions before24.2R2-S1-EVO,24.4-EVOversionsbefore24.4R1-S3-EVO,24.4R2-EVO.ThisissuedoesnotaffectJunosOS EvolvedonQFX5000Seriesversionsbefore:21.2R2-S1-EVO,21.2R3-EVO,21.3R2-EVO,21.4R1-EVO,and22.1R1-EVO. 
AMissingReleaseofMemoryafterEffectiveLifetimevulnerabilityintheDHCPdaemon(jdhcpd)ofJuniperNetworks JunosOSonMXSeries,allowsanadjacent,unauthenticatedattackertocauseamemoryleak,thatwilleventually causeacompleteDenial-of-Service(DoS).InaDHCPv6overPPPoE,orDHCPv6overVLANwithActiveleasequeryorCVE-Bulkleasequeryscenario,everysubscriberlogoutwillleakasmallamountofmemory.Whenallavailablememory More2026- 6.5hasbeenexhausted,jdhcpdwillcrashandrestartwhichcausesacompleteserviceimpactuntiltheprocesshas Details33782recovered.Thememoryusageofjdhcpdcanbemonitoredwith:user@host>showsystemprocessesextensive| matchjdhcpdThisissueaffectsJunosOS:allversionsbefore22.4R3-S1,23.2versionsbefore23.2R2,23.4 versionsbefore23.4R2. CVE-OpenClawbefore2026.3.22failstoenforceoperator.adminscopeonmutatinginternalACPchatcommands,allowing More2026-unauthorizedmodifications.Attackerswithoutadminprivilegescanexecutemutatingcontrol-planeactionsby 6.5 Details35631directlyinvokingaffectedACPcommandstobypassauthorizationgates. 
AFunctionCallWithIncorrectArgumentTypevulnerabilityinthesensorinterfaceofJuniperNetworksJunosOS EvolvedonPTXSeriesallowsanetwork-based,authenticatedattackerwithlowprivilegestocauseacompleteDenial ofService(DoS).IfcoloredSRTEpolicytunnelsareprovisionedviaPCEP,andgRPCisusedtomonitortrafficinthese CVE-tunnels,evo-aftmandcrashesanddoesn'trestartwhichleadstoacompleteandpersistentserviceimpact.The More2026-systemhastobemanuallyrestartedtorecover.TheissueisseenonlywhentheOriginatorASNfieldinPCEPcontains 6.5 Details33783avaluelargerthan65,535(32-bitASN).TheissueisnotreproduciblewhenSRTEpolicytunnelsarestatically configured.ThisissueaffectsJunosOSEvolvedonPTXSeries:allversionsbefore22.4R3-S9-EVO,23.2versions before23.2R2-S6-EVO,23.4versionsbefore23.4R2-S7-EVO,24.2versionsbefore24.2R2-S4-EVO,24.4versions before24.4R2-S2-EVO,25.2versionsbefore25.2R1-S2-EVO,25.2R2-EVO. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityintagDivtagDiv More2026- 6.5Composertd-composerallowsStoredXSS.ThisissueaffectstagDivComposer:fromn/athrough<=5.4.3. Details39692 CVE-MissingAuthorizationvulnerabilityinredpixelstudiosRPSIncludeContentrps-include-contentallowsExploiting More2026-IncorrectlyConfiguredAccessControlSecurityLevels.ThisissueaffectsRPSIncludeContent:fromn/athrough<= 6.5 Details396391.2.2. CVE-OpenClawbefore2026.3.22performscryptographicanddispatchoperationsoninboundNostrdirectmessages More2026-beforeenforcingsenderandpairingpolicyvalidation.Attackerscantriggerunauthorizedpre-authentication 6.5 Details35627computationbysendingcraftedDMmessages,enablingdenialofservicethroughresourceexhaustion. 
TheTheGermanizedforWooCommercepluginforWordPressisvulnerabletoarbitraryshortcodeexecutionviaCVE-'accountholder'parameterinallversionsupto,andincluding,3.20.5.Thisisduetothesoftwareallowingusersto More2026- 6.5executeanactionthatdoesnotproperlyvalidateavaluebeforerunningdoshortcode.Thismakesitpossiblefor Details2582unauthenticatedattackerstoexecutearbitraryshortcodes. CVE-PolicybypassinLocalNetworkAccessinGoogleChromepriorto147.0.7727.55allowedaremoteattackertobypass More2026- 6.5navigationrestrictionsviaacraftedHTMLpage.(Chromiumsecurityseverity:Medium) Details5881 OpenClawbefore2026.3.23containsareplayidentityvulnerabilityinPlivoV2signatureverificationthatallows CVE-attackerstobypassreplayprotectionbymodifyingqueryparameters.Theverificationpathderivesreplaykeysfrom More2026- 6.5thefullURLincludingquerystringsinsteadofthecanonicalizedbaseURL,enablingattackerstomintnewverified Details35618requestkeysthroughunsignedquery-onlychangestosignedrequests.

TheBEAR-BulkEditorandProductsManagerProfessionalforWooCommercebyPluginus.NetpluginforWordPressis CVE-vulnerabletoCross-SiteRequestForgeryinallversionsupto,andincluding,1.1.5.Thisisduetomissingnonce More2026-validationonthewooberedrawtable_row()function.Thismakesitpossibleforunauthenticatedattackerstoupdate 6.5 Details1672WooCommerceproductdataincludingprices,descriptions,andotherproductfieldsviaaforgedrequestgrantedthey cantrickasiteadministratororshopmanagerintoperforminganactionsuchasclickingonalink. CVE-PolicybypassinIFrameSandboxinGoogleChromepriorto147.0.7727.55allowedaremoteattackerwhoconvinceda More2026-usertoengageinspecificUIgesturestobypassnavigationrestrictionsviaacraftedHTMLpage.(Chromiumsecurity 6.5 Details5903 CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinwpbitsWPBITS MoreAddonsForElementorPageBuilderwpbits-addons-for-elementorallowsStoredXSS.ThisissueaffectsWPBITSAddons 6.5 Details39703ForElementorPageBuilder:fromn/athrough<=1.8.1. CVE- InsufficientpolicyenforcementinDevToolsinGoogleChromepriorto147.0.7727.55allowedanattackerwho

convincedausertoinstallamaliciousextensiontobypassenterprisehostrestrictionsforcookiemodificationviaa 6.5 More craftedChromeExtension.(Chromiumsecurityseverity:Low) Details CVE-InsufficientvalidationofuntrustedinputinWebMLinGoogleChromeonWindowspriorto147.0.7727.55alloweda MoreremoteattackertoobtainpotentiallysensitiveinformationfromprocessmemoryviaacraftedHTMLpage. 6.5 Details5885 DockyardisaDockercontainermanagementapp.Priorto1.1.0,DockercontainerstartandstopoperationsareCVE-performedthroughGETrequestswithoutCSRFprotection.Aremoteattackercancausealogged-inadministrator's More2026- 6.5browsertorequest/apps/action.php?action=stop&name= or/apps/action.php?action=start&name= Details39848,whichstartsorstopsthetargetcontainer.Thisvulnerabilityisfixedin1.1.0. AnImproperCheckforUnusualorExceptionalConditionsvulnerabilityinthepacketforwardingengine(pfe)ofJuniper NetworksJunosOSonMXSeriesallowsanunauthenticated,network-basedattackertobypasstheconfiguredfirewall filterandaccessthecontrol-planeofthedevice.OnMXplatformswithMPC10,MPC11,LC4800orLC9600linecards, andMX304,firewallfiltersappliedonaloopbackinterfacelo0.n(wherenisanon-0number)don'tgetexecutedwhen CVE-lo0.nisintheglobalVRF/defaultrouting-instance.Anaffectedconfigurationwouldbe:user@host#show More2026-configurationinterfaceslo0|displaysetsetinterfaceslo0unit1familyinetfilterinput whereafirewall 6.5 Details33774filterisappliedtoanon-0loopbackinterface,butthatloopbackinterfaceisnotreferredtoinanyrouting-instance(RI) configuration,whichimpliesthatit'susedinthedefaultRI.TheissuecanbeobservedwiththeCLIcommand: user@device>showfirewallcounterfilter notshowinganymatches.ThisissueaffectsJunosOSonMX 
Series:allversionsbefore23.2R2-S6,23.4versionsbefore23.4R2-S7,24.2versionsbefore24.2R2,24.4 versionsbefore24.4R2. CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinWealcoder More2026-AnimationAddonsforElementoranimation-addons-for-elementorallowsDOM-BasedXSS.ThisissueaffectsAnimation 6.5 Details39702AddonsforElementor:fromn/athrough<=2.6.1. AMissingReleaseofMemoryafterEffectiveLifetimevulnerabilityintheBroadBandEdgesubscribermanagement daemon(bbe-smgd)ofJuniperNetworksJunosOSonMXSeriesallowsanadjacent,unauthenticatedattackertocause aDenialofService(DoS).Iftheauthenticationpacket-typeoptionisconfiguredandareceivedpacketdoesnot matchthatpackettype,thememoryleakoccurs.Whenallmemoryavailabletobbe-smgdhasbeenconsumed,noCVE-newsubscriberswillbeabletologin.Thememoryutilizationofbbe-smgdcanbemonitoredwiththefollowingshow More2026- 6.5command:user@host>showsystemprocessesextensive|matchbbe-smgdThebelowlogmessagecanbeobserved Details33775whenthislimithasbeenreached:bbesmgd[]:%DAEMON-3-SMDDPROFRSMONERROR:Resource unavailability,Reason:DaemonHeapMemoryexhaustionThisissueaffectsJunosOSonMXSeries:allversions before22.4R3-S8,23.2versionsbefore23.2R2-S5,23.4versionsbefore23.4R2-S6,24.2versionsbefore24.2R2- S2,24.4versionsbefore24.4R2,25.2versionsbefore25.2R2. CVE-IncorrectsecurityUIinPermissionsinGoogleChromeonWindowspriorto147.0.7727.55allowedaremoteattacker More2026- 6.5toperformdomainspoofingviaacraftedHTMLpage.(Chromiumsecurityseverity:Low) Details5905 CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityintelepathyHello More2026-BarPopupBuilderhellobarallowsDOM-BasedXSS.ThisissueaffectsHelloBarPopupBuilder:fromn/athrough<= 6.5 Details396661.5.1. 
AnIncorrectSynchronizationvulnerabilityinthemanagementdaemon(mgd)ofJuniperNetworksJunosOSandJunos OSEvolvedallowsanetwork-basedattackerwithlowprivilegestocauseacompleteDenial-of-Service(DoS)ofthe managementplane.WhenNETCONFsessionsarequicklyestablishedanddisconnected,alockingissuecausesmgd processestohanginanunusablestate.Whenthemaximumnumberofmgdprocesseshasbeenreached,nonew loginsarepossible.Thisleadstotheinabilitytomanagethedeviceandrequiresapower-cycletorecover.Thisissue canbemonitoredbycheckingformgdprocessesinlockfstateintheoutputof'showsystemprocessesextensive': CVE-user@host>showsystemprocessesextensive|matchmgd root200501M4640Klockf10:010.00% More2026- 6.5mgdIfthesystemstillcanbeaccessed(eitherviatheCLIorasroot,whichmightstillbepossibleaslastresortasthis Details21919won'tinvokemgd),mgdprocessesinthisstatecanbekilledwith'requestsystemprocessterminate 'fromthe CLIorwith'kill-9 'fromtheshell.Thisissueaffects:JunosOS:23.4versionsbefore23.4R2-S4,24.2 versionsbefore24.2R2-S1,24.4versionsbefore24.4R1-S3,24.4R2;ThisissuedoesnotaffectJunosOSversions before23.4R1;JunosOSEvolved:23.4versionsbefore23.4R2-S5-EVO,24.2versionsbefore24.2R2-S1-EVO, 24.4versionsbefore24.4R1-S3-EVO,24.4R2-EVO.ThisissuedoesnotaffectJunosOSEvolvedversionsbefore 23.4R1-EVO; CVE-ImproperNeutralizationofInputDuringWebPageGeneration('Cross-siteScripting')vulnerabilityinVladimirPrelovac More2026-SEOFriendlyImagesseo-imageallowsDOM-BasedXSS.ThisissueaffectsSEOFriendlyImages:fromn/athrough<= 6.5 Details396653.0.5. 
TheTableOn-WordPressPostsTableFilterablepluginforWordPressisvulnerabletoStoredCross-SiteScriptingvia the'tableonbutton'shortcodeinallversionsuptoandincluding1.0.4.4.Thisisduetoinsufficientinputsanitization andoutputescapingonuser-suppliedshortcodeattributessuchas'class','helplink','popuptitle',and'helptitle'.CVE-Thedoshortcodebutton()functionextractstheseattributeswithoutsanitizationandpassesthemto More2026- 6.4TABLEONHELPER::drawhtmlitem(),whichconcatenatesattributevaluesintoHTMLusingsinglequoteswithout Details escaping(line29:$item.="{$key}='{$value}'").Thismakesitpossibleforauthenticatedattackers,with Contributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauser

AcontainerprivilegeescalationflawwasfoundincertainMulticlusterEngineforKubernetesimages.ThisissuestemsCVE- Morefromthe/etc/passwdfilebeingcreatedwithgroup-writablepermissionsduringbuildtime.Incertainconditions,an 6.4 Detailsattackerwhocanexecutecommandswithinanaffectedcontainer,evenasanon-rootuser,canleveragetheir57851membershipintherootgrouptomodifythe/etc/passwdfile.Thiscouldallowtheattackertoaddanewuserwithany arbitraryUID,includingUID0,leadingtofullrootprivilegeswithinthecontainer. TheListcategorypostspluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheplugin's'catlist'CVE-shortcodeinallversionsupto,andincluding,0.94.0duetoinsufficientinputsanitizationandoutputescapingonuser More2026- 6.4suppliedattributes.Thismakesitpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,to Details3005injectarbitrarywebscriptsinpagesthatwillexecutewheneverauseraccessesaninjectedpage. TheLatePoint-CalendarBookingPluginforAppointmentsandEventspluginforWordPressisvulnerabletoStored CVE-Cross-SiteScriptingviathe'buttoncaption'parameterinthe[latepointresources]shortcodeinversionsuptoand More2026-including5.3.0.Thisisduetoinsufficientoutputescapingwhenthe'items'parameterissetto'bundles'.Thismakes 6.4 Details4785itpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscriptsin pagesthatwillexecutewheneverauseraccessesaninjectedpage. 
TheColumnsbyBestWebSoftpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'id'shortcode attributeofthe[printclmns]shortcodeinallversionsuptoandincluding1.0.3.Thisisduetoinsufficientinput sanitizationandoutputescapingonthe'id'attribute.Theshortcodereceivesthe'id'parameterviashortcodeatts() CVE-atline596anddirectlyembedsitintoHTMLoutputatline731(inadividattribute)andintoinlineCSSatlines672- More2026-729withoutanyescapingorsanitization.WhiletheSQLqueryuses%dtocastthevaluetoanintegerfordatabase 6.4 Details3618lookup,theoriginalunsanitizedstringvalueof$idisstillusedintheHTML/CSSoutput.Thismakesitpossiblefor authenticatedattackers,withContributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwill executewheneverauseraccessesaninjectedpage.Theattackrequiresthatatleastonecolumnexistsintheplugin (createdbyanadmin),astheSQLquerymustreturnresultsfortheoutputbranchtobereached. TheWPVisitorStatistics(RealTimeTraffic)pluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe CVE-plugin's'wsm_showDayStatsGraph'shortcodeinallversionsupto,andincluding,8.4duetoinsufficientinput More2026-sanitizationandoutputescapingonusersuppliedattributes.Thismakesitpossibleforauthenticatedattackers,with 6.4 Details4303contributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauser

CVE- Innspawninsystemd233through259before260,anescape-to-hostactioncanoccurviaacraftedoptionalconfig More2026- 6.4 file. Details40226 TheThePlusAddonsforElementor-AddonsforElementor,PageTemplates,Widgets,MegaMenu,WooCommerce CVE- pluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheplugin'sProgressBarshortcodeinallversions More2026- upto,andincluding,6.4.9duetoinsufficientinputsanitizationandoutputescapingonusersuppliedattributes.This 6.4 Details3311 makesitpossibleforauthenticatedattackers,withcontributor-levelaccessandabove,toinjectarbitrarywebscripts inpagesthatwillexecutewheneverauseraccessesaninjectedpage. TheExtensionsforLeafletMappluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'elevation-CVE- track'shortcodeinallversionsupto,andincluding,4.14.Thisisduetoinsufficientinputsanitizationandoutput More2026- 6.4 escapingonusersuppliedattributes.Thismakesitpossibleforauthenticatedattackers,withContributor-levelaccess Details5451 TheDownloadManagerpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'sid'parameterofthe 'wpdmmembers'shortcodeinversionsuptoandincluding3.3.52.Thisisduetoinsufficientinputsanitizationand CVE- outputescapingontheuser-supplied'sid'shortcodeattribute.Thesidparameterisextractedwithoutsanitizationin More2026- themembers()functionandstoredviaupdatepostmeta(),thenechoeddirectlyintoanHTMLidattributeinthe 6.4 Details5357 members.phptemplatewithoutapplyingescattr().Thismakesitpossibleforauthenticatedattackers,with contributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewheneverauser accessestheinjectedpage. 
ThePageBuilder:PagelayerpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviatheButtonwidget's CustomAttributesfieldinallversionsupto,andincluding,2.0.8.ThisisduetoanincompleteeventhandlerblocklistCVE- More inthe'pagelayerxsscontent'XSSfilteringfunction,whichblockscommon,butnotall,eventhandlers.Thismakesit2026- 6.4 Details possibleforauthenticatedattackers,withContributor-levelaccessandabove,toinjectarbitrarywebscriptsinpages2509 thatwillexecutewheneverauseraccessesaninjectedpage. TheLearnPress-WordPressLMSPluginpluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'skin' attributeofthelearnpresscoursesshortcodeinallversionsuptoandincluding4.3.3.ThisisduetoinsufficientinputCVE- sanitizationandoutputescapingonthe'skin'shortcodeattribute.Theattributevalueisuseddirectlyinansprintf() More2026- 6.4 callthatgeneratesHTML(classattributeanddata-layoutattribute)withoutanyescattr()escaping.Thismakesit Details4333 possibleforauthenticatedattackers,withContributor-levelaccessandabove,toinjectarbitrarywebscriptsinpages thatwillexecutewheneverauseraccessesaninjectedpage. 
TheInvestipluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'investi-announcements- accordion'shortcode's'maximum-num-years'attributeinallversionsupto,andincluding,1.0.26.Thisisdueto CVE- insufficientinputsanitizationandoutputescapingonuser-suppliedshortcodeattributes.Specifically,the'maximum- More num-years'attributevalueisreaddirectlyfromshortcodeattributesandinterpolatedintoadouble-quotedHTML 6.4 Details attributewithoutanyescaping(noescattr(),htmlspecialchars(),orsimilar).Thismakesitpossibleforauthenticated attackers,withContributor-levelaccessandabove,toinjectarbitrarywebscriptsinpagesthatwillexecutewhenever auseraccessesaninjectedpage.

TheRoboGallerypluginforWordPressisvulnerabletoStoredCross-SiteScriptingviathe'LoadingLabel'settinginall versionsupto,andincluding,5.1.3.Thepluginusesacustom|***...***|markerpatterninitsfixJsFunction() methodtoembedrawJavaScriptfunctionreferenceswithinJSON-encodedconfigurationobjects.Whenagallery's optionsarerenderedonthefrontend,json_encode()wrapsallstringvaluesindoublequotes.ThefixJsFunction() methodthenstripsthe"|***and***|"sequences,effectivelyconvertingaJSONstringvalueintorawJavaScript CVE-code.TheLoadingLabelfield(storedasrbs_gallery_LoadingWordpostmeta)isanrbstexttypefieldthatis More2026-sanitizedwith`sanitizetextfield()onsave.WhilethisstripsHTMLtags,itdoesnotstripthe|...|markers 6.4 Details4300sincetheycontainnoHTML.Whenauserinputs|alert(document.domain)|`,thevaluepassesthrough sanitizationintact,isstoredinpostmeta,andislaterretrievedandoutputwithinaninline`

Named provisions

CRITICAL VULNERABILITIES


Classification

Agency: CSA
Published: April 15th, 2026
Instrument: Guidance
Legal weight: Non-binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Technology companies, Organizations
Industry sector: 5112 Software & Technology
Activity scope: Vulnerability monitoring, Security patching, Risk assessment
Geographic scope: Singapore (SG)

Taxonomy

Primary area: Cybersecurity
Operational domain: IT Security
Compliance frameworks: NIST CSF
Topics: Data Privacy, Intellectual Property
