Buffer overflow in pyOpenSSL's cookie generation callback allows attackers to corrupt memory and potentially achieve remote code execution by supplying oversized cookie values exceeding 256 bytes. The vulnerability affects applications using custom cookie callbacks with OpenSSL integration, where insufficient length validation permits writing beyond allocated buffer boundaries. A patch is available that implements proper cookie size validation.
Remote code execution in Craft CMS allows authenticated administrators with control panel access to execute arbitrary code by exploiting an incomplete patch that left the same vulnerable gadget chain pattern in multiple controllers. The vulnerability requires administrative privileges and the allowAdminChanges setting to be enabled, limiting exposure to trusted users with elevated access. Craft CMS versions before 4.17.5 and 5.9.11 are affected and should be patched immediately.
Unsafe deserialization of untrusted user input in PHP Craft CMS allows authenticated high-privilege users to inject arbitrary Yii2 behaviors and event handlers, enabling remote code execution through the EntryTypesController. An incomplete prior patch for a similar vulnerability left the same dangerous pattern in place, permitting attackers with administrative access to manipulate application configuration and achieve full system compromise. A patch is available to properly sanitize configuration inputs before processing.
Smart Switch versions prior to 3.7.69.15 contain a replay attack vulnerability in the authentication mechanism that allows remote attackers to bypass security controls and execute privileged functions without valid credentials. The vulnerability requires user interaction to trigger but poses a significant risk as no patch is currently available. Organizations using affected Smart Switch deployments should implement network-level controls to restrict access until an update is released.
Samsung Smart Switch versions prior to 3.7.69.15 contain an authentication bypass vulnerability that allows unauthenticated remote attackers to circumvent security controls. This vulnerability could enable attackers to gain unauthorized access to the application without valid credentials. No patch is currently available for this high-severity issue.
A cryptographic downgrade vulnerability in Samsung Smart Switch allows remote attackers to force the application to use weak authentication schemes during device-to-device transfers. The vulnerability affects Smart Switch versions prior to 3.7.69.15 and requires user interaction to exploit, potentially exposing sensitive data during the transfer process between Samsung devices. With a CVSS 4.0 score of 7.1 and no current evidence of active exploitation or public proof-of-concept code, this represents a moderate risk primarily to Samsung device users performing data migrations.
CVE-2026-32769 is a security vulnerability. Remediation should follow standard vulnerability management procedures. Vendor patch is available.
A reflected Cross-Site Scripting (XSS) vulnerability exists in the Flexmls® IDX WordPress plugin through version 3.15.9, allowing attackers to inject malicious scripts into web pages that execute in victims' browsers when they click specially crafted links. The vulnerability has a CVSS score of 7.1 and requires user interaction but can impact confidentiality, integrity, and availability across different origins due to its scope change characteristic. While not currently listed in CISA KEV or showing high EPSS scores, the vulnerability represents a moderate risk for WordPress sites using this real estate listing plugin.
A non-relational SQL injection (NoSQLi) vulnerability exists in the Wakyma veterinary web application, specifically in the hospitalization summary generation endpoint at vets.wakyma.com. Authenticated users with low privileges can inject NoSQL commands into POST requests to exfiltrate customer reports containing sensitive veterinary and pet owner data. The vulnerability has a high CVSS score of 7.1 but requires authentication, limiting the attack surface to users with valid credentials.
A path traversal vulnerability in Smart Switch (CVSS 7.1) that allows adjacent attackers. High severity vulnerability requiring prompt remediation.
Glances monitoring system allows local attackers with limited privileges to execute arbitrary commands by injecting shell metacharacters into process or container names, which bypass command sanitization in the action execution handler. The vulnerability affects the threshold alert system that dynamically executes administrator-configured shell commands populated with runtime monitoring data. An attacker controlling a process name or container name can manipulate command parsing to break out of intended command boundaries and inject malicious commands.
Galaxy Store versions prior to 4.6.03.8 contain an access control flaw that enables local attackers to create files with elevated Galaxy Store privileges. This vulnerability affects local users on affected devices and could allow privilege escalation or persistence mechanisms. No patch is currently available.
SQL injection in Python's Glances DuckDB export module allows unauthenticated remote attackers to execute arbitrary SQL commands by injecting malicious data through unparameterized table and column name interpolation in DDL statements. While INSERT values use parameterized queries, identifier names are directly embedded via f-strings, enabling attackers over the network to manipulate database structure and access sensitive monitoring data. A patch is available.
File upload validation bypass in applications using MIME parameter injection allows authenticated attackers to upload malicious files by appending parameters like `;charset=utf-8` to the Content-Type header, bypassing extension filters and default blocklists. This enables stored XSS attacks that can compromise session tokens, credentials, and sensitive browser data accessible to the application's domain. A patch is available that strips MIME parameters during validation and expands the default blocklist.