Skip to main content
CVE-2024-14027 MEDIUM PATCH This Month

In the Linux kernel, the following vulnerability has been resolved: fs/xattr: missing fdput() in fremovexattr error path In the Linux kernel, the fremovexattr() syscall calls fdget() to acquire a file reference but returns early without calling fdput() when strncpy_from_user() fails on the name argument.

Linux Information Disclosure Red Hat Suse
NVD VulDB
CVSS 3.1
5.5
EPSS
0.0%
CVE-2026-3818 MEDIUM This Month

SQL injection in Tiandy Easy7 CMS 7.17.0 allows unauthenticated remote attackers to manipulate the strTBName parameter in GetDBData.jsp, potentially accessing or modifying sensitive database information. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Microsoft
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2025-70060 MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in YMFE yapi v1.12.0. [CVSS 5.4 MEDIUM]

XSS Yapi
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-25604 MEDIUM PATCH This Month

AWS Airflow Providers with Auth Manager fail to validate SAML response origins against the actual instance URL, allowing attackers with valid credentials from one instance to authenticate to other instances with potentially different access controls. This cross-instance authentication bypass requires low privileges and network access but does not directly compromise confidentiality or integrity. Users should upgrade to version 9.22.0 or later to remediate this vulnerability.

Airflow Providers Amazon Information Disclosure
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70033 MEDIUM This Month

An issue pertaining to CWE-79: Improper Neutralization of Input During Web Page Generation was discovered in Sunbird-Ed SunbirdEd-portal v1.13.4. [CVSS 5.4 MEDIUM]

XSS Sunbirded Portal
NVD GitHub
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-70040 MEDIUM This Month

An issue pertaining to CWE-532: Insertion of Sensitive Information into Log File was discovered in LupinLin1 jimeng-web-mcp v2.1.2. This allows an attacker to obtain sensitive information. [CVSS 5.3 MEDIUM]

Information Disclosure Jimeng Web Mcp Server
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-3089 MEDIUM PATCH This Month

Actual Sync Server allows authenticated users to upload files through POST /sync/upload-user-file. In versions up to 26.3.0 is affected by path traversal.

Path Traversal Actual
NVD GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2025-41760 MEDIUM This Month

An administrator may attempt to block all traffic by configuring a pass filter with an empty table. However, in UBR, an empty list does not enforce any restrictions and allows all network traffic to pass unfiltered. [CVSS 4.9 MEDIUM]

Information Disclosure Universal Bacnet Router Firmware
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-41759 MEDIUM This Month

An administrator may attempt to block all networks by specifying "\*" or "all" as the network identifier. However, these values are not supported and do not trigger any validation error. [CVSS 4.9 MEDIUM]

Information Disclosure Universal Bacnet Router Firmware
NVD
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-70973 MEDIUM This Month

ScadaBR 1.12.4 is vulnerable to Session Fixation. The application assigns a JSESSIONID session cookie to unauthenticated users and does not regenerate the session identifier after successful authentication. [CVSS 4.8 MEDIUM]

Session Fixation Information Disclosure
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-21736 MEDIUM This Month

Improper GPU system call handling in the DDK allows non-privileged users to bypass memory protections on user-mode wrapped memory regions and gain unauthorized write access. An attacker with local access could exploit this to modify read-only memory structures, potentially compromising system integrity or escalating privileges. No patch is currently available for this medium-severity vulnerability.

Information Disclosure Ddk
NVD VulDB
CVSS 3.1
4.4
EPSS
0.0%
CVE-2026-2919 MEDIUM This Month

Domain spoofing in Focus for iOS versions prior to 148.2 allows remote attackers to display malicious content under trusted domain names through navigation stalling and iframe redirection techniques, without requiring user interaction beyond the initial page load. An attacker can leverage this to conduct phishing attacks or distribute misleading content by presenting spoofed trusted domains in the browser UI. No patch is currently available for this vulnerability.

Information Disclosure Apple
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-15603 LOW Monitor

A security vulnerability has been detected in open-webu versions up to 0.6.16. is affected by cryptographic issues (CVSS 3.7).

Information Disclosure
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-3797 LOW Monitor

Video Surveillance System Firmware versions up to 7.17.0 is affected by improper access control (CVSS 6.3).

Authentication Bypass File Upload Video Surveillance System Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3796 LOW Monitor

Qax Internet Control Gateway versions up to 2025-10 contains a vulnerability that allows attackers to improper access controls (CVSS 5.3).

Information Disclosure Qax Internet Control Gateway
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-33022 Awaiting Data

Rejected reason: The reporter agreed to not assign CVE ID. No vendor patch available.

Information Disclosure
NVD
Prev Page 3 of 3

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy