Medium severity vulnerability in TinaCMS. The TinaCMS CLI dev server configures Vite with `server.fs.strict: false`, which disables Vite's built-in filesystem access restriction. This allows any unauthenticated attacker who can reach the dev server to read arbitrary files on the host system
Unauthenticated access to Honeywell IQ4x building controller HMI. CVSS 10.0.
Veeam Backup & Replication allows a user with the Backup Viewer role (read-only) to escalate to remote code execution as the postgres database user. A read-only role achieving RCE represents a severe privilege escalation with scope change.
A second RCE vulnerability in Veeam Backup & Replication allows any authenticated domain user to execute code on the Backup Server with scope change. Same impact as CVE-2026-21666 but through a different attack vector.
Veeam Backup & Replication allows an authenticated domain user to achieve remote code execution on the Backup Server. With a scope change to CVSS 9.9, a compromised domain account can fully take over the backup infrastructure.
Yet another Veeam Backup & Replication RCE vulnerability allowing authenticated domain users to execute code on the Backup Server with scope change (CVSS 9.9). Part of a cluster of related Veeam vulnerabilities disclosed together.
SGLang's multimodal generation module deserializes untrusted data with pickle.loads() over an unauthenticated ZMQ broker, enabling remote code execution. Any attacker who can reach the ZMQ port can execute arbitrary Python code on the ML inference server.
SGLang's encoder parallel disaggregation system is vulnerable to unauthenticated RCE through pickle deserialization in the disaggregation module's inter-process communication. Same class of vulnerability as CVE-2026-3059 in a different code path.
QNAP Hyper Data Protector before 2.3.1.455 contains hard-coded credentials that allow remote unauthenticated attackers to gain unauthorized access to backup management functions, potentially compromising all backed-up data across the organization.
GL-iNet GL-AR300M16 v4.3.11 has a command injection in the set_config function, adding to the growing list of injection vulnerabilities in this device. This is the fourth distinct command injection CVE for this router model.
GL-iNet GL-AR300M16 v4.3.11 contains another command injection vulnerability, this time via the module parameter in the M.get_system_log function. Part of a series of command injection flaws in this router model.
GL-iNet GL-AR300M16 v4.3.11 has multiple command injection vulnerabilities in the set_upgrade function through seven different parameters. Each parameter provides an independent code execution vector on the router.
GL-iNet GL-AR300M16 router (v4.3.11) is vulnerable to command injection through the string port parameter in the enable_echo_server function. Unauthenticated attackers can execute arbitrary commands on the router.
D-Link DIR-513 router (v1.10) has a stack buffer overflow in the curTime parameter of formSetWizardSelectMode. This is an end-of-life router with no expected patch, meaning exploitation will remain possible indefinitely.
A remote code execution vulnerability in Uptime Kuma (CVSS 5.3). Remediation should follow standard vulnerability management procedures.
Trane Tracer SC, SC+, and Concierge building automation controllers use broken cryptographic algorithms that allow attackers to bypass authentication and gain root access. These are critical building management systems controlling HVAC in commercial facilities.
Veeam Backup & Replication allows Backup Administrators to achieve RCE in high-availability deployments. While requiring admin-level access, the scope change to the HA infrastructure makes this critical for organizations running Veeam in HA mode.
Remote code execution in Dataease prior to version 2.10.20 allows authenticated attackers to execute arbitrary code by manipulating the IniFile parameter to load malicious JDBC configuration files through the Redshift driver. An attacker with valid credentials can exploit the aggressive configuration file discovery mechanism to inject dangerous JDBC properties and gain complete system compromise. No patch is currently available, leaving affected deployments vulnerable to this high-severity attack vector.
Local privilege escalation in Veeam Backup & Replication on Windows enables authenticated users to gain system-level access without user interaction. An attacker with local account credentials can exploit this vulnerability to achieve complete control over the backup infrastructure, including reading, modifying, or deleting backups. No patch is currently available for this high-severity issue affecting backup administrators and organizations relying on Veeam for data protection.
Dataease is an open source data visualization analysis tool. versions up to 2.10.20 is affected by sql injection.
Remote code execution in D-Link DIR-513 firmware version 1.10 through a stack-based buffer overflow in the /goform/formEasySetupWizard3 endpoint allows unauthenticated attackers to achieve full system compromise over the network. The vulnerability can be exploited with minimal complexity using publicly available exploit code, and no patch is currently available to remediate the issue.
Authenticated domain users can bypass file access restrictions on Backup Repository systems to read, modify, or delete arbitrary files due to insufficient authorization controls. This high-severity flaw affects users with valid domain credentials and requires no user interaction to exploit. No patch is currently available for this vulnerability.
The issue was addressed with improved memory handling. This issue is fixed in iOS 17.2 and iPadOS 17.2, macOS Sonoma 14.2, Safari 17.2, iOS 16.7.15 and iPadOS 16.7.15, iOS 15.8.7 and iPadOS 15.8.7. [CVSS 8.8 HIGH]
SQL injection in GL-iNet GL-AR300M16 firmware v4.3.11 allows authenticated attackers to execute arbitrary database commands through the add_group() function via crafted HTTP requests. The vulnerability affects all installations of the affected firmware version and requires valid credentials to exploit. No patch is currently available to remediate this high-severity flaw.
A Memory Allocation with Excessive Size Value vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an unauthenticated attacker to cause a denial-of-service condition
Insufficient input padding in soroban-poseidon's Poseidon V1 hash function enables attackers to forge hash collisions by appending zeros to shorter inputs, allowing distinct messages to produce identical hashes when the input count is less than the sponge rate. This vulnerability affects any Soroban smart contract relying on PoseidonSponge or poseidon_hash for cryptographic integrity, potentially compromising authentication, signature verification, or other security mechanisms that depend on hash uniqueness. No patch is currently available.
Arbitrary file write in Black (the Python code formatter) before 26.3.1 lets an attacker who controls the value of the --python-cell-magics option place cache files at attacker-chosen filesystem locations via path traversal. The unsanitized option value is embedded directly into the computed cache filename, so a value such as '../../../tmp/pwned' escapes the cache directory and overwrites or creates files elsewhere. No public exploit is identified at time of analysis, EPSS is very low (0.02%), and the issue is not in CISA KEV; practical risk is confined to environments that feed untrusted input into Black's command-line options.
A command injection vulnerability has been identified in the Telnet command-line interface (CLI) of TP-Link TL-MR6400 v5.3. This issue is caused by insufficient sanitization of data processed during specific CLI operations.
NEXULEAN versions prior to 2.0.0 expose Firebase and Web3Forms API keys in the application, allowing unauthenticated attackers to access backend services and retrieve sensitive user data. The hardcoded credentials can be leveraged remotely without any user interaction to interact with protected resources. No patch is currently available for affected deployments.
A Use of Hard-coded Credentials vulnerability in Trane Tracer SC, Tracer SC+, and Tracer Concierge could allow an attacker to disclose sensitive information and take over accounts.
Deno versions 2.7.0 through 2.7.1 contain a command injection vulnerability in the node:child_process polyfill where improper quote handling allows attackers to bypass previous security fixes and execute arbitrary OS commands through shell metacharacter injection in spawn/spawnSync arguments. This vulnerability bypasses Deno's permission system entirely, enabling complete system compromise for applications processing untrusted input. A patch is available in version 2.7.2.
Magic Wormhole versions 0.21.0 through 0.22.x allow malicious senders to overwrite arbitrary files on a receiver's system during file transfer operations, potentially compromising SSH keys and shell configuration files. This path traversal vulnerability (CWE-22) requires the attacker to control the sending side of the transfer and affects any user receiving files from an untrusted source. No patch is currently available for this HIGH severity vulnerability.
Postal SMTP server versions below 3.3.5 contain a stored cross-site scripting (XSS) vulnerability in the admin interface where the API's "send/raw" method fails to properly escape user-supplied data, allowing authenticated attackers to inject malicious HTML and JavaScript. An attacker with API access could manipulate the admin dashboard or execute unauthorized actions in the context of an administrator's session. No patch is currently available for affected versions.
High severity vulnerability in OpenClaw. In affected versions of `openclaw`, browser-originated WebSocket connections could bypass origin validation when `gateway.auth.mode` was set to `trusted-proxy` and the request arrived with proxy headers. A page served from an untrusted origin could connect through a trusted reverse proxy, inherit proxy-authenticated identity, and establish a privileged operator session.
High severity vulnerability in SGLang. SGLangs `replay_request_dump.py` contains an insecure pickle.load() without validation and proper deserialization. An attacker can take advantage of this by providing a malicious .pkl file, which will execute the attackers code on the device running the script.
Local attackers can achieve heap buffer overflow in llama.cpp versions before b8146 through integer overflow in the GGUF file parsing function, enabling arbitrary code execution with high integrity and confidentiality impact. The vulnerability stems from undersized heap allocation followed by unvalidated writes of over 528 bytes of attacker-controlled data, bypassing a previous fix for the same component. This affects systems running vulnerable LLM inference implementations on local machines where user interaction is required to trigger the malicious GGUF file processing.
Unauthorized SSH credential extraction affects systems where low-privileged users can access stored authentication material, enabling account compromise without administrative access. The network-accessible vulnerability requires valid user credentials to exploit but impacts the entire system's security posture by exposing sensitive SSH keys. No patch is currently available to remediate this issue.
OpenCTI versions prior to 6.8.16 contain a server-side request forgery vulnerability in the data ingestion feature that fails to validate user-supplied URLs, allowing authenticated attackers to send requests to arbitrary internal endpoints and services. The Axios HTTP client's permissive default configuration processes absolute URLs without restriction, enabling semi-blind SSRF attacks that can compromise internal systems despite limited response visibility. This vulnerability requires authentication but affects all deployments running vulnerable versions.
Unauthenticated SQL injection in WordPress My Sticky Bar plugin versions up to 2.8.6 allows attackers to extract database contents through crafted AJAX requests that exploit unsanitized parameter names in SQL INSERT statements. The vulnerability enables blind time-based data exfiltration despite sanitization of parameter values, affecting all users of the vulnerable plugin. No patch is currently available.
Node.js undici WebSocket client denial-of-service vulnerability allows remote attackers to crash the process by sending a malformed permessage-deflate compression parameter that bypasses validation and triggers an uncaught exception. The vulnerability exists because the client fails to properly validate the server_max_window_bits parameter before passing it to zlib, enabling any WebSocket server to terminate connected clients. No patch is currently available.
High severity vulnerability in Ella Networks Core. Ella Core panics when processing a malformed integrity protected NGAP/NAS message with a length under 7 bytes.
Undici's WebSocket frame parser fails to properly validate 64-bit length fields, causing integer overflow in internal calculations that leaves the parser in an invalid state and crashes the process with a fatal TypeError. An unauthenticated remote attacker can exploit this to achieve denial of service by sending a specially crafted WebSocket frame. Versions 7.24.0, 6.24.0, and later contain fixes for this vulnerability.
Node.js undici WebSocket client denial-of-service via decompression bomb in permessage-deflate processing allows remote attackers to crash or hang affected processes through unbounded memory consumption. An attacker controlling a malicious WebSocket server can send specially crafted compressed frames that expand to extremely large sizes in memory without triggering any decompression limits. No patch is currently available for this vulnerability.
flatted is a circular JSON parser. versions up to 3.4.0 is affected by uncontrolled recursion (CVSS 7.5).
SQLite's zipfile extension contains a bug in the zipfileInflate function that leaks heap memory contents when processing specially crafted ZIP files. This affects SQLite version 3.51.1 and earlier installations that use the zipfile extension. An attacker can exploit this by providing a malicious ZIP file to read sensitive data from the application's memory, potentially exposing passwords, encryption keys, or other confidential information.
Remote code execution in Tenda W3 1.0.0.3(2204) via stack buffer overflow in the /goform/wifiSSIDset POST parameter handler allows authenticated attackers to achieve complete system compromise. The vulnerability exists in the index/GO parameter processing and can be exploited over the network without user interaction. Public exploit code is available for this vulnerability.
Stack-based buffer overflow in Tenda W3 firmware version 1.0.0.3(2204) allows remote authenticated attackers to achieve complete system compromise through manipulation of the index/GO parameter in the /goform/WifiMacFilterSet POST handler. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available.
Stack-based buffer overflow in Tenda W3 firmware version 1.0.0.3(2204) allows authenticated remote attackers to achieve complete system compromise through malicious ping parameters sent to the /goform/setAutoPing endpoint. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available, leaving affected devices exposed without mitigation options.
Stack-based buffer overflow in Tenda i3 firmware version 1.0.0.6(2204) allows authenticated remote attackers to achieve full system compromise through the SSID configuration endpoint. The vulnerability exists in the formwrlSSIDset function due to improper input validation on the index/GO parameter, and public exploit code is available. No patch is currently available, making this a critical risk for affected network devices.
High severity vulnerability in TinaCMS. ## Affected Package