182 CVEs tracked today. 17 Critical, 92 High, 52 Medium, 9 Low.
-
CVE-2026-32248
CRITICAL
CVSS 9.8
Unauthenticated query injection in Parse Server before 9.6.0-alpha.12/8.6.38. PoC available.
Information Disclosure
Node.js
PostgreSQL
Parse Server
-
CVE-2026-28792
CRITICAL
CVSS 9.6
TinaCMS CLI dev server combines a permissive CORS policy (Access-Control-Allow-Origin: *) with path traversal to enable drive-by attacks. A remote attacker can enumerate, write, and delete files on a developer's machine simply by having them visit a malicious webpage. PoC available.
Path Traversal
-
CVE-2026-28252
CRITICAL
CVSS 9.2
Trane Tracer SC, SC+, and Concierge building automation controllers use broken cryptographic algorithms that allow attackers to bypass authentication and gain root access. These are critical building management systems controlling HVAC in commercial facilities.
Authentication Bypass
-
CVE-2026-26795
CRITICAL
CVSS 9.8
GL-iNet GL-AR300M16 v4.3.11 contains another command injection vulnerability, this time via the module parameter in the M.get_system_log function. Part of a series of command injection flaws in this router model.
Command Injection
Ar300m16 Firmware
-
CVE-2026-26793
CRITICAL
CVSS 9.8
GL-iNet GL-AR300M16 v4.3.11 has a command injection in the set_config function, adding to the growing list of injection vulnerabilities in this device. This is the fourth distinct command injection CVE for this router model.
Command Injection
Ar300m16 Firmware
-
CVE-2026-26792
CRITICAL
CVSS 9.8
GL-iNet GL-AR300M16 v4.3.11 has multiple command injection vulnerabilities in the set_upgrade function through seven different parameters. Each parameter provides an independent code execution vector on the router.
Command Injection
Ar300m16 Firmware
-
CVE-2026-26791
CRITICAL
CVSS 9.8
GL-iNet GL-AR300M16 router (v4.3.11) is vulnerable to command injection through the string port parameter in the enable_echo_server function. Unauthenticated attackers can execute arbitrary commands on the router.
Command Injection
Ar300m16 Firmware
-
CVE-2026-21708
CRITICAL
CVSS 9.9
Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.
PostgreSQL
RCE
-
CVE-2026-21671
CRITICAL
CVSS 9.1
Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.
RCE
Code Injection
-
CVE-2026-21669
CRITICAL
CVSS 9.9
Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.
RCE
Code Injection
-
CVE-2026-21667
CRITICAL
CVSS 9.9
A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.
RCE
Authentication Bypass
-
CVE-2026-21666
CRITICAL
CVSS 9.9
Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.
RCE
Authentication Bypass
-
CVE-2026-3611
CRITICAL
CVSS 10.0
Unauthenticated access to Honeywell IQ4x building controller HMI. CVSS 10.0.
Authentication Bypass
-
CVE-2026-3060
CRITICAL
CVSS 9.8
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
RCE
Deserialization
-
CVE-2026-3059
CRITICAL
CVSS 9.8
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.
RCE
Deserialization
-
CVE-2025-70245
CRITICAL
CVSS 9.8
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
Buffer Overflow
D-Link
RCE
Dir 513 Firmware
-
CVE-2025-59388
CRITICAL
CVSS 9.8
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
Authentication Bypass
Hyper Data Protector
-
CVE-2026-32319
HIGH
CVSS 7.5
High severity vulnerability in Ella Networks Core. Ella Core panics when processing a malformed integrity-protected NGAP/NAS message with a length under 7 bytes.
Information Disclosure
Buffer Overflow
-
CVE-2026-32302
HIGH
CVSS 8.1
High severity vulnerability in OpenClaw. In affected versions of `openclaw`, browser-originated WebSocket connections could bypass origin validation when `gateway.auth.mode` was set to `trusted-proxy` and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.
Node.js
Information Disclosure
-
CVE-2026-32274
HIGH
CVSS 7.5
### Impact
Black writes a cache file, the name of which is computed from various formatting options. The value of the `--python-cell-magics` option was placed in the filename without sanitization, which allowed an attacker who controls the value of this argument to write cache files to arbitrary file system locations.
### Patches
Fixed in Black 26.3.1.
### Workarounds
Do not allow untrusted user input into the value of the `--python-cell-magics` option.
Path Traversal
Python
Black
-
CVE-2026-32260
HIGH
CVSS 8.1
Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill where improper quote handling allows attackers to bypass previous security fixes and execute arbitrary OS commands through shell metacharacter injection in spawn/spawnSync arguments. This vulnerability bypasses Deno's permission system entirely, enabling complete system compromise for applications processing untrusted input. A patch is available in version 2.7.2.
Command Injection
Deno
-
CVE-2026-32247
HIGH
CVSS 8.1
High severity vulnerability in Graphiti.
Code Injection
Nosql Injection
Graphiti
-
CVE-2026-32246
HIGH
CVSS 8.5
High severity vulnerability in TinyAuth.
Authentication Bypass
-
CVE-2026-32242
HIGH
CVSS 7.4
### Impact
Parse Server's built-in OAuth2 auth adapter exports a singleton instance that is reused directly across all OAuth2 provider configurations. Under concurrent authentication requests for different OAuth2 providers, one provider's token validation may execute using another provider's configuration, potentially allowing a token that should be rejected by one provider to be accepted because it is validated against a different provider's policy.
Deployments that configure multiple OAuth2 providers via the `oauth2: true` flag are affected.
### Patches
The fix ensures that a new adapter instance is created for each provider instead of reusing the singleton, so each provider's configuration is isolated.
### Workarounds
There is no known workaround. If only a single OAuth2 provider is configured, the race condition cannot occur.
### References
- GitHub security advisory: https://github.com/parse-community/parse-server/security/advisories/GHSA-2cjm-2gwv-m892
- Fix Parse Server 9: https://github.com/parse-community/parse-server/releases/tag/9.6.0-alpha.11
- Fix Parse Server 8: https://github.com/parse-community/parse-server/releases/tag/8.6.37
Node.js
Race Condition
Information Disclosure
Parse Server
-
CVE-2026-32231
HIGH
CVSS 8.2
High severity vulnerability in ZeptoClaw. The generic webhook channel trusts caller-supplied identity fields (`sender`, `chat_id`) from the request body and applies authorization checks to those untrusted values. Because authentication is optional and defaults to disabled (`auth_token: None`), an attacker who can reach `POST /webhook` can spoof an allowlisted sender and choose arbitrary `chat_id` values, enabling high-risk message sp...
Authentication Bypass
-
CVE-2026-32141
HIGH
CVSS 7.5
flatted is a circular JSON parser. Versions up to 3.4.0 are affected by uncontrolled recursion (CVSS 7.5).
Node.js
Denial Of Service
-
CVE-2026-32140
HIGH
CVSS 8.8
Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.
RCE
Path Traversal
Dataease
-
CVE-2026-32138
HIGH
CVSS 8.2
NEXULEAN versions prior to 2.0.0 expose Firebase and Web3Forms API keys in the application, allowing unauthenticated attackers to access backend services and retrieve sensitive user data. The hardcoded credentials can be leveraged remotely without any user interaction to interact with protected resources. No patch is currently available for affected deployments.
Authentication Bypass
-
CVE-2026-32137
HIGH
CVSS 8.8
Dataease is an open source data visualization analysis tool. Versions up to 2.10.20 are affected by SQL injection.
SQLi
Dataease
-
CVE-2026-32129
HIGH
CVSS 8.7
Insufficient input padding in soroban-poseidon's Poseidon V1 hash function enables attackers to forge hash collisions by appending zeros to shorter inputs, allowing distinct messages to produce identical hashes when the input count is less than the sponge rate. This vulnerability affects any Soroban smart contract relying on PoseidonSponge or poseidon_hash for cryptographic integrity, potentially compromising authentication, signature verification, or other security mechanisms that depend on hash uniqueness. No patch is currently available.
Code Injection
-
CVE-2026-32116
HIGH
CVSS 8.1
Magic Wormhole versions 0.21.0 through 0.22.x allow malicious senders to overwrite arbitrary files on a receiver's system during file transfer operations, potentially compromising SSH keys and shell configuration files. This path traversal vulnerability (CWE-22) requires the attacker to control the sending side of the transfer and affects any user receiving files from an untrusted source. No patch is currently available for this HIGH severity vulnerability.
Path Traversal
Magic Wormhole
-
CVE-2026-28793
HIGH
CVSS 8.4
High severity vulnerability in TinaCMS. The TinaCMS CLI development server exposes media endpoints that are vulnerable to path traversal, allowing attackers to read and write arbitrary files on the filesystem outside the intended media directory.
Path Traversal
-
CVE-2026-28791
HIGH
CVSS 7.4
High severity vulnerability in TinaCMS.
Path Traversal
-
CVE-2026-28356
HIGH
CVSS 7.5
High severity vulnerability in Python multipart. The `parse_options_header()` function in `multipart.py` uses a regular expression with an *ambiguous alternation*, which can cause *exponential backtracking (ReDoS)* when parsing maliciously crafted HTTP or multipart segment headers. This can be abused for **denial of service (DoS)** attacks against web applications using this library to parse request headers or `multipart/form-data` streams.
Python
Denial Of Service
Redhat
Suse
-
CVE-2026-28255
HIGH
CVSS 8.2
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Authentication Bypass
-
CVE-2026-28253
HIGH
CVSS 8.7
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition.
Information Disclosure
-
CVE-2026-27940
HIGH
CVSS 7.8
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines where user interaction is required to trigger the malicious GGUF file processing.
Buffer Overflow
Heap Overflow
AI / ML
Suse
-
CVE-2026-26794
HIGH
CVSS 8.8
SQL injection in GL-iNet GL-AR300M16 firmware v4.3.11 allows authenticated attackers to execute arbitrary database commands through the add_group() function via crafted HTTP requests. The vulnerability affects all installations of the affected firmware version and requires valid credentials to exploit. No patch is currently available to remediate this high-severity flaw.
SQLi
Ar300m16 Firmware
-
CVE-2026-25529
HIGH
CVSS 8.1
Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. No patch is currently available for affected versions.
XSS
-
CVE-2026-21887
HIGH
CVSS 7.7
OpenCTI versions prior to 6.8.16 contain a server-side request forgery vulnerability in the data ingestion feature that fails to validate user-supplied URLs, allowing authenticated attackers to send requests to arbitrary internal endpoints and services. The Axios HTTP client's permissive default configuration processes absolute URLs without restriction, enabling semi-blind SSRF attacks that can compromise internal systems despite limited response visibility. This vulnerability requires authentication but affects all deployments running vulnerable versions.
SSRF
-
CVE-2026-21672
HIGH
CVSS 8.8
Local privilege escalation in Veeam Backup & Replication on Windows enables authenticated users to gain system-level access without user interaction. An attacker with local account credentials can exploit this vulnerability to achieve complete control over the backup infrastructure, including reading, modifying, or deleting backups. No patch is currently available for this high-severity issue affecting backup administrators and organizations relying on Veeam for data protection.
Privilege Escalation
Windows
-
CVE-2026-21670
HIGH
CVSS 7.7
Unauthorized SSH credential extraction affects systems where low-privileged users can access stored authentication material, enabling account compromise without administrative access. The network-accessible vulnerability requires valid user credentials to exploit but impacts the entire system's security posture by exposing sensitive SSH keys. No patch is currently available to remediate this issue.
Information Disclosure
-
CVE-2026-21668
HIGH
CVSS 8.8
Authenticated domain users can bypass file access restrictions on Backup Repository systems to read, modify, or delete arbitrary files due to insufficient authorization controls. This high-severity flaw affects users with valid domain credentials and requires no user interaction to exploit. No patch is currently available for this vulnerability.
Authentication Bypass
-
CVE-2026-4043
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda i12 version 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through improper input validation in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can trigger the overflow via the index parameter to execute arbitrary code with elevated privileges.
Buffer Overflow
Tenda
-
CVE-2026-4042
HIGH
CVSS 7.4
Remote code execution in Tenda i12 firmware version 1.0.0.6(2204) via stack-based buffer overflow in the WifiMacFilterGet function allows authenticated attackers to achieve full system compromise. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-4041
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda i12 1.0.0.6(2204) allows remote attackers with user privileges to achieve complete system compromise through malicious input to the cmdinput parameter in /goform/exeCommand. Public exploit code exists for this vulnerability, and no patch is currently available to remediate the issue.
Buffer Overflow
Tenda
-
CVE-2026-4014
HIGH
CVSS 7.3
SQL injection in the registration module of itsourcecode Cafe Reservation System 1.0 allows unauthenticated remote attackers to manipulate the Username parameter and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, which provides attackers with potential access to sensitive data and database manipulation capabilities. No patch is currently available.
PHP
SQLi
Cafe Reservation System
-
CVE-2026-4008
HIGH
CVSS 7.4
Remote code execution in Tenda W3 1.0.0.3(2204) via stack buffer overflow in the /goform/wifiSSIDset POST parameter handler allows authenticated attackers to achieve complete system compromise. The vulnerability exists in the index/GO parameter processing and can be exploited over the network without user interaction. Public exploit code is available for this vulnerability.
Buffer Overflow
Tenda
-
CVE-2026-4007
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) allows authenticated remote attackers to achieve code execution by manipulating the index parameter in POST requests to /goform/wifiSSIDget. Public exploit code exists for this vulnerability, and no patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3989
HIGH
CVSS 7.8
High severity vulnerability in SGLang. SGLang's `replay_request_dump.py` contains an insecure pickle.load() call with no validation or safe deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attacker's code on the device running the script.
Deserialization
-
CVE-2026-3981
HIGH
CVSS 7.3
SQL injection in itsourcecode Online Doctor Appointment System 1.0 allows unauthenticated remote attackers to manipulate the ID parameter in /admin/doctor_action.php, potentially gaining unauthorized access to sensitive data and modifying database records. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
Online Doctor Appointment System
-
CVE-2026-3980
HIGH
CVSS 7.3
SQL injection in the Online Doctor Appointment System 1.0 admin panel allows unauthenticated remote attackers to manipulate the patient_id parameter and execute arbitrary database queries. The vulnerability affects the /admin/patient_action.php file and enables attackers to compromise data confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.
PHP
SQLi
Online Doctor Appointment System
-
CVE-2026-3978
HIGH
CVSS 8.8
Remote code execution in D-Link DIR-513 firmware version 1.10 through a stack-based buffer overflow in the /goform/formEasySetupWizard3 endpoint allows unauthenticated attackers to achieve full system compromise over the network. The vulnerability can be exploited with minimal complexity using publicly available exploit code, and no patch is currently available to remediate the issue.
Buffer Overflow
D-Link
Dir 513 Firmware
-
CVE-2026-3976
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda W3 firmware version 1.0.0.3(2204) allows remote authenticated attackers to achieve complete system compromise through manipulation of the index/GO parameter in the /goform/WifiMacFilterSet POST handler. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3975
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) allows authenticated remote attackers to achieve full system compromise through manipulation of the wl_radio parameter in the WifiMacFilterGet POST handler. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3974
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) HTTP handler allows authenticated remote attackers to execute arbitrary code by sending a crafted request to the /goform/exeCommand endpoint with an oversized cmdinput parameter. Public exploit code exists for this vulnerability, and no patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3973
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda W3 firmware version 1.0.0.3(2204) allows authenticated remote attackers to achieve complete system compromise through malicious ping parameters sent to the /goform/setAutoPing endpoint. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected devices exposed without mitigation options.
Buffer Overflow
Tenda
-
CVE-2026-3972
HIGH
CVSS 8.7
Stack-based buffer overflow in Tenda W3 1.0.0.3(2204) HTTP handler allows unauthenticated local network attackers to achieve arbitrary code execution by crafting malicious input to the funcpara1 parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation on vulnerable networks. No patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3971
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda i3 firmware version 1.0.0.6(2204) allows authenticated remote attackers to achieve full system compromise through the SSID configuration endpoint. The vulnerability exists in the formwrlSSIDset function due to improper input validation on the index/GO parameter, and public exploit code is available. No patch is currently available, making this a critical risk for affected network devices.
Buffer Overflow
Tenda
-
CVE-2026-3970
HIGH
CVSS 7.4
Stack-based buffer overflow in Tenda i3 1.0.0.6(2204) allows remote authenticated attackers to achieve complete system compromise through manipulation of the index parameter in the wifiSSIDget function. Public exploit code exists for this vulnerability, and no patch is currently available.
Buffer Overflow
Tenda
-
CVE-2026-3969
HIGH
CVSS 7.3
FeMiner WMS versions up to 1.0 contain a SQL injection vulnerability in the department addition module that allows unauthenticated remote attackers to manipulate the Name parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can compromise the confidentiality, integrity, and availability of the underlying database.
PHP
SQLi
-
CVE-2026-3841
HIGH
CVSS 8.5
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations.
Command Injection
TP-Link
-
CVE-2026-3657
HIGH
CVSS 7.5
Unauthenticated SQL injection in WordPress My Sticky Bar plugin versions up to 2.8.6 allows attackers to extract database contents through crafted AJAX requests that exploit unsanitized parameter names in SQL INSERT statements. The vulnerability enables blind time-based data exfiltration despite sanitization of parameter values, affecting all users of the vulnerable plugin. No patch is currently available.
WordPress
SQLi
-
CVE-2026-2229
HIGH
CVSS 7.5
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.
Node.js
Denial Of Service
Redhat
-
CVE-2026-1528
HIGH
CVSS 7.5
Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.
Buffer Overflow
Redhat
-
CVE-2026-1526
HIGH
CVSS 7.5
Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote attackers to crash or hang affected processes through unbounded memory consumption. An attacker controlling a malicious WebSocket server can send specially crafted compressed frames that expand to extremely large sizes in memory without triggering any decompression limits. No patch is currently available for this vulnerability.
Node.js
Denial Of Service
Redhat
-
CVE-2025-70873
HIGH
CVSS 7.5
SQLite's zipfile extension contains a bug in the zipfileInflate function that leaks heap memory contents when processing specially crafted ZIP files. This affects SQLite version 3.51.1 and earlier installations that use the zipfile extension. An attacker can exploit this by providing a malicious ZIP file to read sensitive data from the application's memory, potentially exposing passwords, encryption keys, or other confidential information.
Information Disclosure
Redhat
Suse
-
CVE-2023-43010
HIGH
CVSS 8.8
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. [CVSS 8.8 HIGH]
Buffer Overflow
Apple
Memory Corruption
Safari
macOS
-
CVE-2019-25543
HIGH
CVSS 8.2
Netartmedia Real Estate Portal 5.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the page parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
Real Estate Portal
-
CVE-2019-25542
HIGH
CVSS 8.2
Netartmedia Real Estate Portal 5.0 contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the user_email parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
Real Estate Portal
-
CVE-2019-25541
HIGH
CVSS 8.2
Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries through unvalidated parameters. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25540
HIGH
CVSS 8.2
Netartmedia PHP Mall 4.1 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through various parameters. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25539
HIGH
CVSS 8.2
202CMS v10 beta contains a blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]
PHP
SQLi
202cms
-
CVE-2019-25538
HIGH
CVSS 8.2
202CMS v10 beta contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the log_user parameter. [CVSS 8.2 HIGH]
SQLi
202cms
-
CVE-2019-25537
HIGH
CVSS 8.2
Netartmedia Event Portal 2.0 contains a time-based blind SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25536
HIGH
CVSS 8.8
Netartmedia PHP Real Estate Agency 4.0 contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25535
HIGH
CVSS 8.2
Netartmedia PHP Dating Site contains a SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25534
HIGH
CVSS 8.2
Netartmedia PHP Car Dealer contains an SQL injection vulnerability that allows unauthenticated attackers to execute arbitrary SQL queries by injecting malicious code through the features[] parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25533
HIGH
CVSS 8.2
Netartmedia PHP Business Directory 4.2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25532
HIGH
CVSS 8.2
Netartmedia Jobs Portal 6.1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the Email parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25531
HIGH
CVSS 8.2
Netartmedia Deals Portal contains an SQL injection vulnerability in the Email parameter of loginaction.php that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25530
HIGH
CVSS 8.2
uHotelBooking System contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the system_page GET parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25529
HIGH
CVSS 7.1
Placeto CMS Alpha rv.4 contains an SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the 'page' parameter. [CVSS 7.1 HIGH]
PHP
SQLi
-
CVE-2019-25528
HIGH
CVSS 8.2
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the property1 parameter. [CVSS 8.2 HIGH]
SQLi
Information Disclosure
-
CVE-2019-25527
HIGH
CVSS 8.2
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the numguest parameter. [CVSS 8.2 HIGH]
SQLi
Information Disclosure
-
CVE-2019-25526
HIGH
CVSS 8.2
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the location parameter. [CVSS 8.2 HIGH]
SQLi
Information Disclosure
-
CVE-2019-25525
HIGH
CVSS 8.2
Inout EasyRooms Ultimate Edition v1.0 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the guests parameter. [CVSS 8.2 HIGH]
SQLi
Information Disclosure
-
CVE-2019-25524
HIGH
CVSS 8.2
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
-
CVE-2019-25523
HIGH
CVSS 8.2
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cat_id parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
-
CVE-2019-25522
HIGH
CVSS 8.2
XooGallery Latest contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to manipulate database queries by injecting SQL code through the photo_id parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
-
CVE-2019-25521
HIGH
CVSS 8.2
XooGallery Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gal_id parameter. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25520
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]
PHP
SQLi
Authentication Bypass
Php Stock News Site Script
-
CVE-2019-25519
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows attackers to manipulate database queries by injecting malicious SQL code through the option parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25518
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the poll parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
Php Stock News Site Script
-
CVE-2019-25517
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the cid parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25516
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V1 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the gallery_id parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25515
HIGH
CVSS 7.5
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an authentication bypass vulnerability in the login.php administration panel that allows unauthenticated attackers to gain administrative access by submitting crafted SQL syntax. [CVSS 7.5 HIGH]
PHP
Authentication Bypass
SQLi
Php Stock News Site Script
-
CVE-2019-25514
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]
PHP
SQLi
Information Disclosure
Php Stock News Site Script
-
CVE-2019-25513
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'q' parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25512
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows attackers to inject malicious SQL commands through the kelime parameter in POST requests. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25511
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V3 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the videoid parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Stock News Site Script
-
CVE-2019-25510
HIGH
CVSS 8.2
Jettweb PHP Hazir Haber Sitesi Scripti V2 contains an authentication bypass vulnerability in the administration panel that allows unauthenticated attackers to gain administrative access by exploiting improper SQL query validation. [CVSS 8.2 HIGH]
PHP
SQLi
Authentication Bypass
Php Stock News Site Script
-
CVE-2019-25509
HIGH
CVSS 8.2
XooDigital Latest contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'p' parameter. Attackers can send GET requests to results.php with malicious 'p' values to extract sensitive database information. [CVSS 8.2 HIGH]
PHP
SQLi
-
CVE-2019-25508
HIGH
CVSS 8.2
Jettweb Php Hazir Ilan Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'kat' parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Ready Advertisement Site Script
-
CVE-2019-25488
HIGH
CVSS 8.2
Jettweb Hazir Rent A Car Scripti V4 contains multiple SQL injection vulnerabilities in the admin panel that allow unauthenticated attackers to manipulate database queries through GET parameters. [CVSS 8.2 HIGH]
PHP
SQLi
Denial Of Service
Php Ready Rent A Car Site Script
-
CVE-2019-25482
HIGH
CVSS 8.2
Jettweb PHP Hazir Rent A Car Sitesi Scripti V2 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the arac_kategori_id parameter. [CVSS 8.2 HIGH]
PHP
SQLi
Php Ready Rent A Car Site Script
-
CVE-2019-25481
HIGH
CVSS 8.2
iScripts ReserveLogic contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the jqSearchDestination parameter. [CVSS 8.2 HIGH]
SQLi
-
CVE-2019-25479
HIGH
CVSS 8.2
Inout RealEstate contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the city parameter. [CVSS 8.2 HIGH]
SQLi
-
CVE-2019-25473
HIGH
CVSS 7.1
Clinic Pro contains a SQL injection vulnerability that allows authenticated attackers to manipulate database queries by injecting SQL code through the month parameter. [CVSS 7.1 HIGH]
SQLi
-
CVE-2026-32320
MEDIUM
CVSS 6.5
Medium severity vulnerability in Ella Networks Core. Ella Core panics when processing a PathSwitchRequest containing UE Security Capabilities with zero-length NR encryption or integrity protection algorithm bitstrings, resulting in a denial of service.
Denial Of Service
Information Disclosure
Buffer Overflow
-
CVE-2026-32269
MEDIUM
CVSS 6.5
Parse Server's OAuth2 authentication adapter fails to properly validate app IDs when appidField and appIds are configured, allowing attackers to bypass authentication restrictions or cause login failures depending on the introspection endpoint's response handling. Deployments using this specific OAuth2 configuration are vulnerable to authentication bypass if the endpoint accepts malformed requests. A patch is available in versions 9.6.0-alpha.13 and 8.6.39.
Information Disclosure
Node.js
Parse Server
-
CVE-2026-32259
MEDIUM
CVSS 6.7
ImageMagick is free and open-source software used for editing and manipulating digital images. Versions up to 7.1.2-16 are affected by a stack-based buffer overflow (CVSS 6.7).
Stack Overflow
Buffer Overflow
Imagemagick
-
CVE-2026-32251
MEDIUM
CVSS 6.5
Tolgee is an open-source localization platform. Versions up to 3.166.3 are affected by improper restriction of XML external entity reference.
XXE
Google
Android
-
CVE-2026-32249
MEDIUM
CVSS 5.3
Vim is a command line text editor. Versions from 9.1.0011 up to 9.2.0137 are affected by a null pointer dereference (CVSS 5.3).
Null Pointer Dereference
Denial Of Service
Vim
-
CVE-2026-32245
MEDIUM
CVSS 6.5
Medium severity vulnerability in TinyAuth.
Authentication Bypass
-
CVE-2026-32240
MEDIUM
CVSS 6.5
Cap'n Proto is a data interchange format and capability-based RPC system. Versions up to 1.4.0 contain a vulnerability that allows attackers to perform HTTP request/response smuggling.
Information Disclosure
Capnproto
-
CVE-2026-32239
MEDIUM
CVSS 6.5
Cap'n Proto is a data interchange format and capability-based RPC system. Versions up to 1.4.0 are affected by integer overflow or wraparound.
Information Disclosure
Integer Overflow
Capnproto
-
CVE-2026-32237
MEDIUM
CVSS 4.4
### Impact
Authenticated users with permission to execute scaffolder dry-runs can gain access to server-configured environment secrets through the dry-run API response. Secrets are properly redacted in log output but not in all parts of the response payload.
Deployments that have configured `scaffolder.defaultEnvironment.secrets` are affected.
### Patches
This is patched in `@backstage/plugin-scaffolder-backend` version 3.1.5
### Workarounds
Remove or empty the `scaffolder.defaultEnvironment.secrets` configuration from `app-config.yaml`. Alternatively, restrict access to the scaffolder dry-run functionality via the permissions framework.
### References
- [Backstage Scaffolder Backend documentation](https://backstage.io/docs/features/software-templates/)
Information Disclosure
-
CVE-2026-32235
MEDIUM
CVSS 5.9
Medium severity vulnerability; see description.
Open Redirect
-
CVE-2026-32230
MEDIUM
CVSS 5.3
A remote code execution vulnerability in Uptime Kuma (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Authentication Bypass
-
CVE-2026-32142
MEDIUM
CVSS 5.3
Shopware is an open commerce platform. /api/_info/config route exposes information about licenses. [CVSS 5.3 MEDIUM]
Information Disclosure
-
CVE-2026-32139
MEDIUM
CVSS 5.4
Stored XSS in Dataease 2.10.19 and earlier allows authenticated users to upload malicious SVG files that bypass backend validation by lacking proper sanitization of event handlers and script-capable attributes. An attacker can exploit this vulnerability to execute arbitrary JavaScript in victims' browsers when they access the uploaded static resource, achieving persistent code execution. The vulnerability was patched in version 2.10.20.
XSS
Dataease
-
CVE-2026-32100
MEDIUM
CVSS 5.3
The Shopware /api/_info/config endpoint publicly discloses information about active security patches without authentication, allowing remote attackers to enumerate implemented security fixes and potentially identify applicable exploits for unpatched instances. This information disclosure affects Shopware versions prior to 2.0.16, 3.0.12, and 4.0.7, where no patch is currently available for earlier releases.
Information Disclosure
-
CVE-2026-31890
MEDIUM
CVSS 4.8
Silent event loss in Inspektor Gadget prior to 0.50.1 allows local attackers to cause denial of service by filling the 256KB ring-buffer, which triggers undetected data drops without alerting users or administrators. When the buffer becomes full, gadgets silently discard events and fail to report the loss count, potentially hiding critical system events from Kubernetes cluster and Linux host monitoring. A local attacker with limited privileges can exploit this to obscure malicious activity or system anomalies by saturating the instrumentation buffer.
Linux
Kubernetes
Denial Of Service
-
CVE-2026-31860
MEDIUM
CVSS 6.1
## Summary
`useHeadSafe()` can be bypassed to inject arbitrary HTML attributes, including event handlers, into SSR-rendered `<head>` tags. This is the composable that Nuxt docs recommend for safely handling user-generated content.
## Details
**XSS via `data-*` attribute name injection**
The `acceptDataAttrs` function (safe.ts, lines 16-20) allows any property key starting with `data-` through to the final HTML. It only checks the prefix, not whether the key contains spaces or other characters that break HTML attribute parsing.
```typescript
function acceptDataAttrs(value: Record<string, string>) {
  return Object.fromEntries(
    Object.entries(value || {}).filter(([key]) => key === 'id' || key.startsWith('data-')),
  )
}
```
This result gets merged into every tag's props at line 114:
```typescript
tag.props = { ...acceptDataAttrs(prev), ...next }
```
Then `propsToString` (propsToString.ts, line 26) interpolates property keys directly into the HTML string with no sanitization:
```typescript
attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"`
```
A space in the key breaks out of the attribute name. Everything after the space becomes separate HTML attributes.
### PoC
The most practical vector uses a `link` tag. `<link rel="stylesheet">` fires `onload` once the stylesheet loads, giving reliable script execution:
```javascript
useHeadSafe({
  link: [{
    rel: 'stylesheet',
    href: '/valid-stylesheet.css',
    'data-x onload=alert(document.domain) y': 'z'
  }]
})
```
SSR output:
```html
<link data-x onload=alert(document.domain) y="z" rel="stylesheet" href="/valid-stylesheet.css">
```
The browser parses `onload=alert(document.domain)` as its own attribute. Once the stylesheet loads, the handler fires.
The same injection works on any tag type since `acceptDataAttrs` is applied to all of them at line 114. Here's the same thing on a `meta` tag (the injected attributes render, though `onclick` doesn't fire on non-interactive `<meta>` elements):
```javascript
useHeadSafe({
  meta: [{
    name: 'description',
    content: 'legitimate content',
    'data-x onclick=alert(document.domain) y': 'z'
  }]
})
```
### Realistic scenario
A Nuxt app accepts SEO metadata from a CMS or user profile. The developer uses `useHeadSafe()` as the docs recommend. An attacker puts a `data-*` key with spaces and an event handler into their input. The payload renders into the HTML on every page load.
## Suggested fix
For vulnerability 1, validate that attribute names only contain characters legal in HTML attributes:
```typescript
const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/
function acceptDataAttrs(value: Record<string, string>) {
  return Object.fromEntries(
    Object.entries(value || {}).filter(
      ([key]) => (key === 'id' || key.startsWith('data-')) && SAFE_ATTR_RE.test(key)
    ),
  )
}
```
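As an added example that is not part of the advisory or Unhead's own code, this models the filter-and-interpolate path described above with the vulnerable prefix-only check beside the hardened one, so the `<link>` markup rendered for the advisory's payload can be compared directly; `encodeAttribute`, `renderLink` and `unsafeAttrKeys` are assumed simplifications, not Unhead functions.

```typescript
// Added example (not Unhead's code): a minimal model of the acceptDataAttrs ->
// propsToString path described in the advisory, with the vulnerable filter
// beside the hardened one so both SSR outputs can be checked directly.
type Props = Record<string, string | true>

const SAFE_ATTR_RE = /^[a-zA-Z][a-zA-Z0-9\-]*$/

// strict=false reproduces the original check (prefix only); strict=true adds
// the attribute-name check from the suggested fix.
function acceptDataAttrs(value: Record<string, string>, strict: boolean): Record<string, string> {
  const out: Record<string, string> = {}
  for (const key of Object.keys(value)) {
    const allowedKey = key === 'id' || key.indexOf('data-') === 0
    if (allowedKey && (!strict || SAFE_ATTR_RE.test(key))) {
      out[key] = value[key]
    }
  }
  return out
}

// Assumed simplified value encoder; Unhead's real encodeAttribute is not reproduced.
// Note that encoding the value does nothing for the key, which is the whole bug.
function encodeAttribute(value: string): string {
  return value.replace(/&/g, '&amp;').replace(/"/g, '&quot;').replace(/</g, '&lt;')
}

// Mirrors the interpolation the advisory quotes: keys are written unchanged.
function propsToString(props: Props): string {
  let attrs = ''
  for (const key of Object.keys(props)) {
    const value = props[key]
    attrs += value === true ? ` ${key}` : ` ${key}="${encodeAttribute(value)}"`
  }
  return attrs
}

// Assumed helper modelling the merge at line 114: filtered user-supplied props
// first, then the tag's own validated props.
function renderLink(userProps: Record<string, string>, strict: boolean): string {
  const next: Props = { rel: 'stylesheet', href: '/valid-stylesheet.css' }
  const props: Props = { ...acceptDataAttrs(userProps, strict), ...next }
  return `<link${propsToString(props)}>`
}

// Assumed audit helper: lists keys in untrusted head input that would break out
// of an attribute name, which is what to log or reject at the input boundary.
function unsafeAttrKeys(value: Record<string, string>): string[] {
  return Object.keys(value).filter((key) => !SAFE_ATTR_RE.test(key))
}

// Constructed input modelled on the advisory's PoC payload plus one benign key.
const attackerProps: Record<string, string> = {
  'data-x onload=alert(document.domain) y': 'z',
  'data-track': 'hero',
}

// Vulnerable model: the injected handler lands in the markup as its own attribute.
const vulnerableOutput = renderLink(attackerProps, false)
// Hardened model: the malformed key is dropped, the benign data-* key survives.
const hardenedOutput = renderLink(attackerProps, true)
// Keys an input-side check would flag before they ever reach the renderer.
const flaggedKeys = unsafeAttrKeys(attackerProps)
```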
XSS
Unhead
-
CVE-2026-31841
MEDIUM
CVSS 6.5
Medium severity vulnerability in Hyperterse. Hyperterse allows users to specify database queries for tools to execute under the hood. As of [v2.0.0](https://github.com/hyperterse/hyperterse/releases/tag/v2.0.0), there are only two tools exposed - `search` and `execute`.
Information Disclosure
AI / ML
-
CVE-2026-29066
MEDIUM
CVSS 6.2
Medium severity vulnerability in TinaCMS. The TinaCMS CLI dev server configures Vite with `server.fs.strict: false`, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system.
Information Disclosure
-
CVE-2026-28256
MEDIUM
CVSS 6.9
A Use of Hard-coded, Security-relevant Constants vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Information Disclosure
-
CVE-2026-28254
MEDIUM
CVSS 6.9
A Missing Authorization vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to access sensitive information through unprotected APIs.
Authentication Bypass
-
CVE-2026-24125
MEDIUM
CVSS 6.3
Medium severity vulnerability in TinaCMS.
Path Traversal
-
CVE-2026-4039
MEDIUM
CVSS 6.3
Code injection in OpenClaw 2026.2.19 and earlier through the Skill Env Handler's applySkillConfigenvOverrides function allows authenticated remote attackers to execute arbitrary code with low integrity and confidentiality impact. An authenticated user can manipulate environment configuration settings to inject malicious code that executes in the context of the application. Mitigation requires upgrading to version 2026.2.21-beta.1 or later, as no official patch is currently available for production releases.
Code Injection
Openclaw
-
CVE-2026-4016
MEDIUM
CVSS 5.3
Out-of-bounds write in GPAC 26.03-DEV's SVG parser allows local attackers with user privileges to corrupt memory and potentially execute code through a malicious SVG file. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires local system access but no user interaction beyond opening a crafted SVG document.
Buffer Overflow
-
CVE-2026-4015
MEDIUM
CVSS 5.3
Stack-based buffer overflow in GPAC 26.03-DEV's TeXML file parser (txtin_process_texml function) allows local attackers with user privileges to corrupt memory and potentially execute arbitrary code. Public exploit code exists for this vulnerability, making it an immediate concern for systems processing untrusted TeXML files. No patch is currently available, requiring users to implement alternative mitigations or restrict access to the affected parser.
Buffer Overflow
-
CVE-2026-4013
MEDIUM
CVSS 6.3
Improper authorization in SourceCodester Web-based Pharmacy Product Management System 1.0's add_admin.php allows authenticated remote attackers to gain unauthorized access or modify system data with low complexity. The vulnerability affects confidentiality, integrity, and availability of the affected application. No patch is currently available.
PHP
Information Disclosure
-
CVE-2026-3994
MEDIUM
CVSS 5.3
Heap-based buffer overflow in mold linker versions up to 2.40.4 allows local attackers with user privileges to corrupt memory and potentially execute code through the X86_64 object file initialization function. Public exploit code is available for this vulnerability. The maintainer has not yet released a patch despite early notification.
Buffer Overflow
-
CVE-2026-3993
MEDIUM
CVSS 4.3
Reflected cross-site scripting (XSS) in itsourcecode Payroll Management System 1.0 exists in the /manage_employee_deductions.php file via unsanitized ID parameters, allowing remote attackers to inject malicious scripts that execute in users' browsers. Public exploit code is available and the vulnerability remains unpatched. Successful exploitation requires user interaction but can lead to session hijacking, credential theft, or unauthorized payroll data manipulation.
PHP
XSS
-
CVE-2026-3992
MEDIUM
CVSS 6.3
CodeGenieApp's serverless-express library (versions up to 4.17.1) contains an injection vulnerability in its Users Endpoint that allows attackers to manipulate filter arguments and execute unauthorized commands remotely. This affects applications using the vulnerable versions of this library. An attacker could exploit this to inject malicious code, potentially gaining unauthorized access to user data or taking control of affected systems.
Code Injection
-
CVE-2026-3990
MEDIUM
CVSS 4.3
Stored cross-site scripting in CesiumJS up to version 1.137.0 allows unauthenticated remote attackers to inject malicious scripts through the parameter 'c' in Apps/Sandcastle/standalone.html, with public exploit code already available. While the vendor classifies this as demo code outside the core library product, the vulnerability affects users running vulnerable versions of the application. No patch is currently available.
XSS
-
CVE-2026-3982
MEDIUM
CVSS 4.3
Cross-site scripting (XSS) in the /view_result.php endpoint of PHP-based University Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts through the vr parameter. Public exploit code exists for this vulnerability, which requires user interaction to execute. The vulnerability has no available patch and affects the integrity of affected applications.
PHP
XSS
-
CVE-2026-3979
MEDIUM
CVSS 5.3
Use-after-free vulnerability in quickjs-ng through version 0.12.1 allows local attackers to corrupt memory and potentially execute arbitrary code via the js_iterator_concat_return function in quickjs.c. Public exploit code exists for this vulnerability. A local account is required to trigger the flaw, which affects confidentiality, integrity, and availability of the affected system.
Buffer Overflow
Denial Of Service
-
CVE-2026-3977
MEDIUM
CVSS 6.3
ProjectSend up to revision 1945 contains an authorization bypass in its AJAX endpoints that allows authenticated attackers to manipulate functionality without proper access controls. An attacker with valid credentials can exploit this vulnerability to gain unauthorized access to sensitive operations across the application. No patch is currently available, though a fix has been identified in commit 35dfd6f08f7d517709c77ee73e57367141107e6b.
Authentication Bypass
-
CVE-2026-3968
MEDIUM
CVSS 6.3
AutohomeCorp's frostmourne application (version 1.0 and earlier) allows attackers to inject malicious code through the EXPRESSION parameter in the ExpressionRule.java component, which uses Oracle's Nashorn JavaScript engine without proper input validation. This vulnerability affects users of frostmourne and can be exploited remotely by unauthenticated attackers to execute arbitrary code on affected systems. The vendor has not responded to disclosure attempts, leaving users vulnerable to potential system compromise.
Java
Information Disclosure
-
CVE-2026-3967
MEDIUM
CVSS 6.3
Unsafe deserialization in Alfresco Activiti up to versions 7.19 and 8.8.0 allows authenticated remote attackers to achieve arbitrary code execution through the Process Variable Serialization System component. An attacker with valid credentials can manipulate serialized objects during deserialization to execute malicious code on the affected system. Public exploit code is available and no patch has been released by the vendor.
Java
Deserialization
-
CVE-2026-3966
MEDIUM
CVSS 6.3
Server-side request forgery in wvp-GB28181-pro up to version 2.7.4-20260107 allows authenticated attackers to manipulate the MediaServer.streamIp parameter in the IP Address Handler component, enabling arbitrary network requests from the affected server. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to the disclosure.
Java
SSRF
-
CVE-2026-3965
MEDIUM
CVSS 6.3
Medium severity vulnerability in whyour qinglong. A security vulnerability has been detected in whyour qinglong up to 2.20.1. Affected is an unknown function of the file back/loaders/express.ts of the component API Interface. The manipulation of the argument command leads to protection mechanism failure. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 2.20.2 is able to address...
Information Disclosure
-
CVE-2026-3234
MEDIUM
CVSS 4.3
mod_proxy_cluster's decodeenc() function is vulnerable to CRLF injection, enabling unauthenticated attackers with network access to the MCMP protocol port to manipulate cluster configuration and corrupt INFO endpoint responses. This input validation bypass affects systems relying on mod_proxy_cluster for load balancing and cluster management. No patch is currently available for this medium-severity vulnerability.
Authentication Bypass
-
CVE-2026-3226
MEDIUM
CVSS 4.3
LearnPress WordPress LMS Plugin versions up to 4.3.2.8 allow authenticated subscribers and above to trigger unauthorized email notifications due to missing capability validation in the SendEmailAjax class, enabling attackers to flood admins and users with emails or conduct social engineering attacks. The vulnerability exploits a valid wp_rest nonce that is publicly exposed in frontend JavaScript, combined with insufficient permission checks in the AJAX dispatcher, allowing low-privileged users to impersonate administrative communications. No patch is currently available for this medium-severity issue.
WordPress
Authentication Bypass
-
CVE-2026-3099
MEDIUM
CVSS 5.8
Libsoup's digest authentication mechanism fails to validate nonce reuse and enforce proper nonce-count incrementation, enabling attackers to replay captured authentication headers to bypass access controls. A remote attacker can exploit this to impersonate legitimate users and access protected resources without valid credentials. No patch is currently available.
Authentication Bypass
-
CVE-2026-2987
MEDIUM
CVSS 6.1
Unauthenticated attackers can inject malicious scripts into WordPress sites running the Simple Ajax Chat plugin (versions up to 20260217) through improper sanitization of the 'c' parameter, allowing arbitrary JavaScript execution in victim browsers. The vulnerability affects any user viewing an injected page and requires no user interaction beyond normal site access. No patch is currently available for this stored XSS vulnerability.
WordPress
XSS
-
CVE-2026-2808
MEDIUM
CVSS 6.8
Medium severity vulnerability in HashiCorp Consul. HashiCorp Consul and Consul Enterprise 1.18.20 up to 1.21.10 and 1.22.4 are vulnerable to arbitrary file read when configured with Kubernetes authentication. This vulnerability, CVE-2026-2808, is fixed in Consul 1.18.21, 1.21.11 and 1.22.5.
Kubernetes
Information Disclosure
Redhat
Suse
-
CVE-2026-2687
MEDIUM
CVSS 4.3
The Reading progressbar WordPress plugin fails to properly clean user inputs in its settings, allowing administrators to inject malicious code that gets stored and executed when other users view the site. This affects WordPress installations using this plugin before version 1.3.1, particularly multisite setups. An admin-level attacker could execute arbitrary JavaScript in visitors' browsers to steal data or compromise accounts.
WordPress
XSS
-
CVE-2026-2581
MEDIUM
CVSS 5.9
Node.js Undici's response deduplication feature accumulates response bodies in memory instead of streaming them, allowing remote attackers to trigger denial of service through large or concurrent responses from untrusted endpoints. Applications using the deduplicate() interceptor are vulnerable to out-of-memory crashes when processing large or chunked responses. No patch is currently available.
Node.js
Denial Of Service
Undici
Redhat
-
CVE-2026-2376
MEDIUM
CVSS 4.9
Authenticated users in mirror-registry can exploit open redirect functionality to access internal or restricted systems by supplying malicious URLs that the application blindly follows without destination validation. This allows attackers with valid credentials to bypass access controls and reach systems they should not have permission to interact with. No patch is currently available for this medium-severity vulnerability.
Open Redirect
Redhat
-
CVE-2026-1527
MEDIUM
CVSS 4.6
CRLF injection in undici's HTTP upgrade handling allows authenticated attackers to inject arbitrary headers and perform request smuggling attacks against backend services like Redis and Elasticsearch when user input is passed unsanitized to the upgrade option. The vulnerability stems from insufficient validation of the upgrade parameter before writing to the socket, enabling attackers to terminate HTTP requests prematurely and route malicious data to non-HTTP protocols. This requires prior authentication and user interaction, with no patch currently available.
Code Injection
Redis
Elastic
Redhat
-
CVE-2026-1525
MEDIUM
CVSS 6.5
Undici fails to normalize HTTP header names when processing arrays, allowing duplicate Content-Length headers with case-variant names (e.g., "Content-Length" and "content-length") to be sent in malformed requests. Applications using undici's low-level APIs with user-controlled header inputs are vulnerable to request rejection by strict HTTP parsers or potential HTTP request smuggling attacks if intermediaries and backend servers interpret conflicting header values inconsistently. No patch is currently available.
Denial Of Service
Redhat
-
CVE-2026-1182
MEDIUM
CVSS 4.3
An authenticated user could view confidential issue titles in public GitLab projects that they shouldn't have access to due to a flaw in access controls. This affects GitLab CE/EE versions 8.14 through 18.9.1, impacting any organization using these versions. An attacker with a GitLab account could exploit this to read sensitive information hidden in issue titles, potentially exposing confidential project details.
Authentication Bypass
Gitlab
-
CVE-2025-66955
MEDIUM
CVSS 6.5
CVE-2025-66955 is a security vulnerability (CVSS 6.5) that allows remote authenticated users. Remediation should follow standard vulnerability management procedures.
Information Disclosure
-
CVE-2025-61154
MEDIUM
CVSS 6.5
Heap buffer overflow vulnerability in LibreDWG versions v0.13.3.7571 up to v0.13.3.7835 allows a crafted DWG file to cause a Denial of Service (DoS) via the function decompress_R2004_section at decode.c.
Buffer Overflow
Denial Of Service
Heap Overflow
Suse
-
CVE-2025-15473
MEDIUM
CVSS 4.3
The Timetics WordPress plugin before 1.0.52 does not have authorization in a REST endpoint, allowing unauthenticated users to arbitrarily change a booking's payment status and post status for the "timetics-booking" custom post type. [CVSS 4.3 MEDIUM]
WordPress
Authentication Bypass
PHP
-
CVE-2025-13913
MEDIUM
CVSS 6.3
Inductive Automation Ignition Software is vulnerable to an unauthenticated API endpoint exposure that may allow an attacker to remotely change the "forgot password" recovery email address. [CVSS 6.3 MEDIUM]
Deserialization
-
CVE-2023-1289
MEDIUM
CVSS 5.5
Medium severity vulnerability in ImageMagick. A specially crafted SVG file causes a segmentation fault and leaves junk files in "/tmp", which can be leveraged for DoS.
Denial Of Service
PHP
Debian
Docker
Redhat
-
CVE-2026-32236
NONE
### Impact
A Server-Side Request Forgery (SSRF) vulnerability exists in `@backstage/plugin-auth-backend` when `auth.experimentalClientIdMetadataDocuments.enabled` is set to `true`. The CIMD metadata fetch validates the initial `client_id` hostname against private IP ranges but does not apply the same validation after HTTP redirects.
The practical impact is limited. The attacker cannot read the response body from the internal request, cannot control request headers or method, and the feature must be explicitly enabled via an experimental flag that is off by default. Deployments that restrict `allowedClientIdPatterns` to specific trusted domains are not affected.
### Patches
Patched in `@backstage/plugin-auth-backend` version `0.27.1`. The fix disables HTTP redirect following when fetching CIMD metadata documents.
### Workarounds
Disable the experimental CIMD feature by removing or setting `auth.experimentalClientIdMetadataDocuments.enabled` to `false` in your app-config. This is the default configuration.
Alternatively, restrict `allowedClientIdPatterns` to specific trusted domains rather than using the default wildcard pattern.
### References
- [IETF Client ID Metadata Document draft](https://datatracker.ietf.org/doc/draft-ietf-oauth-client-id-metadata-document/)
- [MCP Authorization Specification - Client ID Metadata Documents](https://modelcontextprotocol.io/specification/2025-11-25/basic/authorization#client-id-metadata-documents)
SSRF
-
CVE-2026-32232
NONE
### Summary
Workspace boundary enforcement currently has three related bypass risks. This issue tracks fixing all three in one pull request.
### Details
#### R1 - Dangling Symlink Component Bypass
- What happens: Path validation can miss dangling symlink components during traversal checks.
- Why it matters: A symlink that is unresolved at validation time can later resolve to an external location.
- Impact: Read and write operations may escape workspace boundaries.
- Affected area: src/security/path.rs (check_symlink_escape).
#### R2 - TOCTOU Between Validation and Use
- What happens: The path is validated first, then used later for filesystem operations.
- Why it matters: A concurrent filesystem change can swap path components after validation but before open/write.
- Impact: Race-based workspace escape is possible.
- Affected area: Filesystem and file-consuming tools that call validate_path_in_workspace before I/O.
#### R3 - Hardlink Alias Bypass
- What happens: A file inside workspace can be a hardlink to an inode outside the intended workspace trust boundary.
- Why it matters: Prefix and symlink checks can pass while data access still mutates or reads external content.
- Impact: Policy bypass for read/write operations.
- Affected area: Any tool that reads or writes via validated paths.
#### Risk Matrix
| ID | Risk | Severity | Likelihood | Impact |
|---|---|---|---|---|
| R1 | Dangling symlink component bypass | High | Medium | Workspace boundary escape for read/write |
| R2 | Validate/use TOCTOU race | High | Medium | Race-based boundary escape during file I/O |
| R3 | Hardlink alias bypass | Medium | Low-Medium | External inode read/write through in-workspace path |
### PoC
#### R1 - Dangling symlink component bypass
1. Create a symlink inside workspace pointing to a missing target.
2. Validate a path traversing that symlink.
3. Create the target directory outside workspace after validation.
4. Perform file operation and observe potential boundary escape if not fail-closed.
#### R2 - TOCTOU between validation and use
1. Validate a candidate in-workspace path.
2. Before open/write, replace an intermediate component with a link to external location.
3. Continue with the file operation.
4. Observe boundary escape if operation trusts only stale validation result.
#### R3 - Hardlink alias bypass
1. Place a hardlink inside workspace that points to an external inode.
2. Validate the in-workspace hardlink path.
3. Read or write through this path.
4. Observe external inode access through a path that appears in-scope.
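The three PoC procedures above, run against a fail-closed check, as an added example that is not zeptoclaw's code (the project is Rust; this is TypeScript on Node's `fs` module). It builds a constructed temporary workspace containing each bypass shape, then shows R1 rejected because an unresolvable symlink component is treated as an error rather than skipped, R3 rejected by a link-count check on the final inode, and R2 caught by fstat'ing the descriptor that was actually opened and comparing its (dev, ino) with what validation recorded. Every function name and the directory layout are this example's own; the `nlink > 1` test is coarse and will also reject files that are legitimately hardlinked, and the example covers reads of existing files only.

```typescript
// Added example, not zeptoclaw's own code: a fail-closed workspace boundary
// check for R1 (dangling symlink), R3 (hardlink alias) and an open-then-verify
// step for R2. Assumes a Unix filesystem; names and layout are illustrative.
import * as fs from 'node:fs'
import * as os from 'node:os'
import * as path from 'node:path'

export interface Validated {
  path: string // path handed to I/O
  dev: number  // identity (dev, ino) of the file it resolved to at validation time
  ino: number
}

// True when p is root or lies strictly below it (a sibling like "ws2" does not match "ws").
function inside(root: string, p: string): boolean {
  return p === root || p.startsWith(root + path.sep)
}

function realpathOrNull(p: string): string | null {
  try { return fs.realpathSync(p) } catch { return null }
}

// Join lexically; any ".." that would climb above the root is rejected, not clamped.
function lexicalJoin(root: string, candidate: string): string {
  if (path.isAbsolute(candidate)) throw new Error('absolute paths are not accepted')
  const joined = path.resolve(root, candidate)
  if (!inside(root, joined)) throw new Error('path climbs above workspace')
  return joined
}

// R1 + R3. Every component below the root is lstat'ed. A symlink component must
// resolve (realpath fails on a dangling link, so it is rejected rather than
// skipped) and must resolve inside the root. The final file must not be a
// hardlink alias (nlink > 1). A missing component throws: anything that cannot
// be resolved fails closed.
export function validatePathInWorkspace(workspace: string, candidate: string): Validated {
  const root = fs.realpathSync(workspace)
  const joined = lexicalJoin(root, candidate)
  let cur = root
  for (const comp of path.relative(root, joined).split(path.sep).filter(Boolean)) {
    cur = path.join(cur, comp)
    if (fs.lstatSync(cur).isSymbolicLink()) {
      const target = realpathOrNull(cur)
      if (target === null) throw new Error(`unresolvable symlink component: ${comp}`)
      if (!inside(root, target)) throw new Error(`symlink component escapes workspace: ${comp}`)
    }
  }
  const resolved = fs.realpathSync(joined)
  if (!inside(root, resolved)) throw new Error('resolved path escapes workspace')
  const st = fs.statSync(resolved)
  if (st.isFile() && st.nlink > 1) throw new Error('hardlink alias: inode is shared with another path')
  return { path: joined, dev: st.dev, ino: st.ino }
}

// R2 mitigation: open, then fstat the descriptor and compare (dev, ino) with the
// identity captured at validation. A component swapped in between resolves to a
// different inode and is detected instead of silently followed.
export function readValidated(v: Validated): string {
  const fd = fs.openSync(v.path, 'r')
  try {
    const st = fs.fstatSync(fd)
    if (st.dev !== v.dev || st.ino !== v.ino) throw new Error('path changed between validation and open')
    return fs.readFileSync(fd, 'utf8')
  } finally {
    fs.closeSync(fd)
  }
}

export function readWorkspaceFile(workspace: string, candidate: string): string {
  return readValidated(validatePathInWorkspace(workspace, candidate))
}

// Constructed sample layout with the three bypass shapes from the advisory.
export function buildDemo(): { base: string; ws: string; outside: string } {
  const base = fs.mkdtempSync(path.join(os.tmpdir(), 'zeptoclaw-demo-'))
  const ws = path.join(base, 'ws')
  const outside = path.join(base, 'outside')
  fs.mkdirSync(path.join(ws, 'sub'), { recursive: true })
  fs.mkdirSync(outside)
  fs.writeFileSync(path.join(ws, 'sub', 'ok.txt'), 'in-scope')
  fs.writeFileSync(path.join(ws, 'swap.txt'), 'in-scope')
  fs.writeFileSync(path.join(outside, 'secret.txt'), 'out-of-scope')
  fs.symlinkSync(path.join(outside, 'later'), path.join(ws, 'dangle'))     // R1: target does not exist yet
  fs.linkSync(path.join(outside, 'secret.txt'), path.join(ws, 'alias.txt')) // R3: external inode, in-workspace name
  return { base, ws, outside }
}

// Wrap a call so the demo can report rejections without aborting.
export function attempt(fn: () => string): string {
  try { return `ok: ${fn()}` } catch (e) { return `rejected: ${(e as Error).message}` }
}

const demo = buildDemo()
for (const p of ['sub/ok.txt', 'dangle/x.txt', 'alias.txt', '../outside/secret.txt']) {
  console.log(p.padEnd(22), attempt(() => readWorkspaceFile(demo.ws, p)))
}
fs.rmSync(demo.base, { recursive: true, force: true })
```

The fstat comparison detects a swap after the fact; it does not prevent the open from following a planted link, so a write path should additionally open with `O_NOFOLLOW` (or walk the tree with `openat`-style directory descriptors) so that the check and the use refer to the same object.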
### Impacts
Unauthorized read and write access across the workspace path boundary.
### Credit
[@zpbrent](https://github.com/zpbrent)
### Patch
[f50c17e11ae3e2d40c96730abac41974ef2ee2a8](https://github.com/qhkm/zeptoclaw/commit/f50c17e11ae3e2d40c96730abac41974ef2ee2a8)
Path Traversal
Race Condition
-
CVE-2026-31873
None
The `link.href` check in `makeTagSafe` (safe.ts, lines 68-71) uses `String.includes()`, which is case-sensitive:
```typescript
if (key === 'href') {
if (val.includes('javascript:') || val.includes('data:')) {
return
}
next[key] = val
}
```
Browsers treat URI schemes case-insensitively. `DATA:text/css,...` is the same as `data:text/css,...` to the browser, but `'DATA:...'.includes('data:')` returns `false`.
### PoC
```javascript
useHeadSafe({
link: [{
rel: 'stylesheet',
href: 'DATA:text/css,body{display:none}'
}]
})
```
SSR output:
```html
<link rel="stylesheet" href="DATA:text/css,body{display:none}">
```
The browser loads this as a CSS stylesheet. An attacker can inject arbitrary CSS for UI redressing or data exfiltration via CSS attribute selectors with background-image callbacks.
Any case variation works: `DATA:`, `Data:`, `dAtA:`, `JAVASCRIPT:`, etc.
### Suggested fix
```typescript
if (key === 'href') {
const lower = val.toLowerCase()
if (lower.includes('javascript:') || lower.includes('data:')) {
return
}
next[key] = val
}
```
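The suggested fix above closes the case-sensitivity gap but still does a substring blocklist: it looks for `data:` anywhere in the value, so a query string that merely contains that text is rejected, while the scheme itself is never actually parsed. As an added example that is not unhead's code, the block below goes one step further than the advisory: it normalises the value the way a browser's URL parser does (leading and trailing C0 controls and spaces are stripped, ASCII tab and newline are removed, comparison is case-insensitive), reads the scheme from the start of the string only, and allowlists `http`/`https` plus relative references. `normaliseHref`, `hrefScheme`, `isSafeHref` and `sanitiseLinkTags` are this example's own names, and the sample tags are constructed.

```typescript
// Added example, not unhead's own makeTagSafe: an allowlist-based href check
// that normalises like a browser before reading the scheme.

// Schemes a <link href> may use; anything else causes the href to be dropped.
const ALLOWED_SCHEMES: ReadonlySet<string> = new Set(['http', 'https'])

// Pre-process the way the WHATWG URL parser does: strip leading/trailing C0
// controls and spaces, remove ASCII tab/newline anywhere, then lower-case.
export function normaliseHref(val: string): string {
  return val
    .replace(/^[\u0000-\u0020]+|[\u0000-\u0020]+$/g, '')
    .replace(/[\t\n\r]/g, '')
    .toLowerCase()
}

// The scheme in lower case, or null for a relative reference.
export function hrefScheme(val: string): string | null {
  const m = /^([a-z][a-z0-9+.\-]*):/.exec(normaliseHref(val))
  return m ? m[1] : null
}

// Relative references and allowlisted schemes pass. "DATA:", "dAtA:",
// "\tjavascript:" and "java\nscript:" are all rejected because the value is
// normalised before the scheme is read. A URL whose query string merely
// contains the text "data:" is still accepted, since that is not its scheme.
export function isSafeHref(val: string): boolean {
  const scheme = hrefScheme(val)
  return scheme === null || ALLOWED_SCHEMES.has(scheme)
}

export type LinkTag = Record<string, string>

// Counterpart of makeTagSafe for link tags: copy every attribute, dropping
// only href when the check fails, so the stylesheet is never loaded.
export function sanitiseLinkTags(links: LinkTag[]): LinkTag[] {
  return links.map((tag) => {
    const next: LinkTag = {}
    for (const [key, val] of Object.entries(tag)) {
      if (key === 'href' && !isSafeHref(val)) continue
      next[key] = val
    }
    return next
  })
}

// Constructed inputs: the advisory's PoC plus the variants a blocklist misses.
export const SAMPLES: LinkTag[] = [
  { rel: 'stylesheet', href: 'DATA:text/css,body{display:none}' },
  { rel: 'stylesheet', href: '\tjavascript:alert(1)' },
  { rel: 'stylesheet', href: 'java\nscript:alert(1)' },
  { rel: 'stylesheet', href: '/theme.css' },
  { rel: 'stylesheet', href: 'https://cdn.example.net/a.css?fallback=data:' },
]

for (const tag of sanitiseLinkTags(SAMPLES)) console.log(JSON.stringify(tag))
```

Allowlisting is the safer default for an attribute that only ever needs `http`, `https` or a same-origin path; if a deployment needs another scheme, adding it to `ALLOWED_SCHEMES` is an explicit, reviewable decision rather than a gap in a blocklist.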
XSS
-
CVE-2026-28384
None
An OS command injection in LXD allows an unprivileged user to execute commands as the LXD daemon on the LXD server via API calls to the image and backup endpoints. This issue affects LXD versions from 4.12 up to 6.6.
Command Injection
-
CVE-2026-4045
LOW
CVSS 3.7
A flaw has been found in projectsend up to r1945. This impacts an unknown function of the file includes/Classes/Auth.php. [CVSS 3.7 LOW]
PHP
Information Disclosure
-
CVE-2026-4044
LOW
CVSS 3.8
A vulnerability was detected in projectsend up to r1945. This affects the function realpath of the file /import-orphans.php of the component Delete Handler. [CVSS 3.8 LOW]
PHP
Path Traversal
-
CVE-2026-4040
LOW
CVSS 3.3
A vulnerability was identified in OpenClaw versions up to 2026.2.17, which are affected by information exposure (CVSS 3.3).
Information Disclosure
-
CVE-2026-4012
LOW
CVSS 3.3
A vulnerability was determined in rxi fe up to ed4cda96bd582cbb08520964ba627efb40f3dd91. The impacted element is the function read_ of the file src/fe.c. [CVSS 3.3 LOW]
Buffer Overflow
-
CVE-2026-4010
LOW
CVSS 3.3
A vulnerability was found in ThakeeNathees pocketlang up to cc73ca61b113d48ee130d837a7a8b145e41de5ce. The affected element is the function pkByteBufferAddString. [CVSS 3.3 LOW]
Buffer Overflow
-
CVE-2026-4009
LOW
CVSS 3.3
A vulnerability has been found in jarikomppa soloud up to 20200207. Impacted is the function drwav_read_pcm_frames_s16__msadpcm in the library src/audiosource/wav/dr_wav.h of the component WAV File Parser. The manipulation leads to out-of-bounds read. The attack needs to be performed locally. The exploit has been disclosed to the public and may be used. Upgrading to version 20200207 is recommen...
Buffer Overflow
-
CVE-2026-3984
LOW
CVSS 3.5
A weakness has been identified in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This vulnerability affects unknown code of the file save_up_athlete.php. [CVSS 3.5 LOW]
PHP
XSS
-
CVE-2026-3983
LOW
CVSS 3.5
A security flaw has been discovered in Campcodes Division Regional Athletic Meet Game Result Matrix System 2.1. This affects an unknown part of the file save-games.php. [CVSS 3.5 LOW]
PHP
XSS
-
CVE-2026-3497
None
Vulnerability in the OpenSSH GSSAPI delta included in various Linux distributions. This vulnerability affects the GSSAPI patches added by various Linux distributions and does not affect the OpenSSH upstream project itself.
Linux
-
CVE-2026-2514
None
In Progress Flowmon ADS versions prior to 12.5.5 and 13.0.3, a vulnerability exists whereby an adversary with access to Flowmon monitoring ports may craft malicious network data that, when processed by Flowmon ADS and viewed by an authenticated user, could result in unintended actions being executed in the user's browser context.
XSS
-
CVE-2026-2513
None
This vulnerability allows attackers to trick administrators into performing unintended actions within Flowmon ADS by clicking malicious links while logged in. It affects Progress Flowmon ADS versions before 12.5.5 and 13.0.3. An attacker could exploit an administrator's authenticated session to make unauthorized changes to the system without the administrator's knowledge or consent.
XSS
-
CVE-2026-2366
LOW
CVSS 3.1
A flaw was found in Keycloak. An authorization bypass vulnerability in the Keycloak Admin API allows any authenticated user, even those without administrative privileges, to enumerate the organization memberships of other users. This information disclosure occurs if the attacker knows the victim's u...
Information Disclosure
Authentication Bypass
-
CVE-2026-1878
None
An Insufficient Integrity Verification vulnerability in the ASUS ROG peripheral driver installation process allows privilege escalation to SYSTEM. The vulnerability is due to improper access control on the installation directory, which enables the exploitation of a race condition where the legitimate installer is substituted with an unexpected payload immediately after download, resulting in arbitrary code execution. Refer to the "Security Update for ASUS ROG peripheral driver" section on the...
Privilege Escalation
-
CVE-2026-0809
None
Use of a custom token encoding algorithm in Streamsoft Prestiż software allows the value of the KSeF (Krajowy System e-Faktur) token to be guessed after analyzing how tokens with known values are encoded. This issue was fixed in version 20.0.380.92.
Information Disclosure
-
CVE-2025-15038
None
An Out-of-Bounds Read vulnerability exists in the ASUS Business System Control Interface driver. This vulnerability can be triggered by an unprivileged local user sending a specially crafted IOCTL request, potentially leading to a disclosure of kernel information or a system crash.
Linux
-
CVE-2025-15037
None
An Incorrect Permission Assignment vulnerability exists in the ASUS Business System Control Interface driver.
Linux
RCE
Information Disclosure
-
CVE-2025-13462
None
The "tarfile" module would still apply normalization of AREGTYPE (\x00) blocks to DIRTYPE, even while processing a multi-block member such as GNUTYPE_LONGNAME or GNUTYPE_LONGLINK. This could result in a crafted tar archive being misinterpreted by the tarfile module compared to other implementations.
Code Injection