• Vulnerability Summary for the Week of April 27, 2026

From CISA@cisa@messages.cisa.gov to cisa@toolazy.synchro.net on Tue May 5 19:36:02 2026

Cybersecurity and Infrastructure Security Agency (CISA)

You are subscribed to Vulnerability Bulletins for Cybersecurity and Infrastructure Security Agency. This information has recently been updated and is now available.

The CISA Vulnerability Bulletin provides a summary of new vulnerabilities that have been recorded in the past week. In some cases, the vulnerabilities in the bulletin may not yet have assigned CVSS scores.

Vulnerabilities are based on the Common Vulnerabilities and Exposures [ https://www.cve.org/ ] (CVE) vulnerability naming standard and are organized according to severity, determined by the Common Vulnerability Scoring System [ https://www.cve.org/about/relatedefforts ] (CVSS) standard. The division of high, medium, and low severities corresponds to the following scores:

* *High*: vulnerabilities with a CVSS base score of 7.0–10.0
* *Medium*: vulnerabilities with a CVSS base score of 4.0–6.9
* *Low*: vulnerabilities with a CVSS base score of 0.0–3.9

Entries may include additional information provided by organizations and efforts sponsored by CISA. This information may include identifying information, values, definitions, and related links. Patch information is provided when available. Please note that some of the information in the bulletin is compiled from external, open-source reports and is not a direct result of CISA analysis.

Vulnerability Summary for the Week of April 27, 2026 [ https://www.cisa.gov/news-events/bulletins/sb26-125 ] 05/05/2026 3:30 PM EDT
    High Vulnerabilities

    Primary
    Vendor -- Product Description Published CVSS Score Source Info Patch Info n= /a-- OVMS3 3.3.005 Buffer overflow vulnerability in Open Vehicle Monitoring=
    System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRE=
    T binary data is not properly validated, allowing remote attackers to cause=
    a denial of service or possibly execute arbitrary code via crafted GVRET f= rames. 2026-05-01 10 CVE-2026-37541 [ https://www.cve.org/CVERecord?id=3DCV= E-2026-37541 ] https://github.com/openvehicles/Open-Vehicle-Monitoring-Syst= em-3
    https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
    =C2=A0 tendacn[.]com-- W308R Tenda W308R v2 V5.07.48 contains a cookie sess= ion weakness vulnerability that allows unauthenticated attackers to modify = DNS settings by exploiting insufficient session validation. Attackers can s= end GET requests to the goform/AdvSetDns endpoint with a crafted admin lang= uage cookie to change DNS servers and redirect user traffic to malicious si= tes. 2026-04-29 9.8 CVE-2018-25316 [ https://www.cve.org/CVERecord?id=3DCVE= -2018-25316 ] ExploitDB-44373 [ https://www.exploit-db.com/exploits/44373 ] VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Cha= nge [ https://www.vulncheck.com/advisories/tenda-w308r-v2-cookie-session-we= akness-dns-change ]
    =C2=A0 tendacn[.]com--W3002R Tenda W3002R/A302/W309R wireless routers versi=
    on V5.07.64_en contain a cookie session weakness vulnerability that allows = unauthenticated attackers to modify DNS settings by exploiting insufficient=
    session validation. Attackers can send GET requests to the /goform/AdvSetD=
    ns endpoint with a crafted admin language cookie to change primary and seco= ndary DNS servers, redirecting user traffic to malicious DNS servers. 2026-= 04-29 9.8 CVE-2018-25317 [ https://www.cve.org/CVERecord?id=3DCVE-2018-2531=
    7 ] ExploitDB-44380 [ https://www.exploit-db.com/exploits/44380 ]
    VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weak= ness DNS Change [ https://www.vulncheck.com/advisories/tenda-w3002r-a302-w3= 09r-64-en-cookie-session-weakness-dns-change ]
    =C2=A0 tendacn[.]com--FH303/A300 Tenda FH303/A300 firmware V5.07.68_EN cont= ains a session weakness vulnerability that allows unauthenticated attackers=
    to modify DNS settings by exploiting insufficient cookie validation. Attac= kers can send GET requests to the /goform/AdvSetDns endpoint with a crafted=
    admin cookie to change DNS servers and redirect user traffic to malicious = sites. 2026-04-29 9.8 CVE-2018-25318 [ https://www.cve.org/CVERecord?id=3DC= VE-2018-25318 ] ExploitDB-44381 [ https://www.exploit-db.com/exploits/44381=
    ]
    VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DN=
    S Change [ https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cook= ie-session-weakness-dns-change ]
    =C2=A0 Weaver Network Co., Ltd.--E-office Weaver (Fanwei) E-office versions=
    prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vu= lnerability in the OfficeServer.php endpoint that allows remote attackers t=
    o upload malicious files by sending multipart POST requests with arbitrary = filenames and disguised content types. Attackers can upload PHP webshells t=
    o the Document directory and execute them via HTTP GET requests to achieve = remote code execution as the web server user. Exploitation evidence was fir=
    st observed by the Shadowserver Foundation on 2022-10-10 (UTC). 2026-04-30 = 9.8 CVE-2022-50993 [ https://www.cve.org/CVERecord?id=3DCVE-2022-50993 ] ht= tps://service.e-office.cn/knowledge/detail/5 https://cn-sec.com/archives/1453025.html
    https://bbs.chaitin.cn/topic/37 https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthen= ticated-arbitrary-file-read-via-xmlrpcservlet
    =C2=A0 synway[.]net-- SMG Gateway Management Synway SMG Gateway Management = Software contains an OS command injection vulnerability in the RADIUS confi= guration endpoint at /en/9-2radius.php where the radius_address POST parame= ter is split and interpolated directly into a sed command without sanitizat= ion. An unauthenticated remote attacker can inject arbitrary shell commands=
    by submitting a POST request with crafted radius_address, radius_address2,=
    shared_secret2, source_ip, timeout, or retry parameters along with save=3D=
    1 and enable_radius=3D1 to achieve remote code execution. Exploitation evid= ence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).=
    2026-04-30 9.8 CVE-2025-71284 [ https://www.cve.org/CVERecord?id=3DCVE-202= 5-71284 ] https://github.com/projectdiscovery/nuclei-templates/blob/main/ht= tp/vulnerabilities/synway/synwaysmg-radius-rce.yaml https://mrxn.net/jswz/synway-9-2radius-rce.html https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA
    https://www.synway.net/ https://www.vulncheck.com/advisories/synway-smg-gateway-management-software= -os-command-injection-via-radius-address
    =C2=A0 Directorist Booking--Directorist Booking Improper Neutralization of = Special Elements used in an SQL Command ('SQL Injection') vulnerability in = Directorist Booking allows SQL Injection.This issue affects Directorist Boo= king: from n/a before 3.0.2. 2026-04-27 9.3 CVE-2026-22336 [ https://www.cv= e.org/CVERecord?id=3DCVE-2026-22336 ] https://patchstack.com/database/wordp= ress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking= -plugin-2-4-1-sql-injection-vulnerability?_s_id=3Dcve
    =C2=A0 Directorist--Directorist Social Login Incorrect Privilege Assignment=
    vulnerability in Directorist Directorist Social Login allows Privilege Esc= alation.This issue affects Directorist Social Login: from n/a before 2.1.4.=
    2026-04-27 9.8 CVE-2026-22337 [ https://www.cve.org/CVERecord?id=3DCVE-202= 6-22337 ] https://patchstack.com/database/wordpress/plugin/directorist-soci= al-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-priv= ilege-escalation-vulnerability?_s_id=3Dcve
    =C2=A0 Milesight--MS-Cxx63-PD Specific firmware versions of Milesight AIOT = cameras use SSL certificates with default private keys. 2026-04-27 9.8 CVE-= 2026-32644 [ https://www.cve.org/CVERecord?id=3DCVE-2026-32644 ] https://ww= w.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-= 26-113-03.json
    https://www.milesight.com/support/download/firmware
    =C2=A0 n/a--Automotive Grade Linux (AGL) AGL app-framework-main thru 17.1.1=
    2 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a=
    TOCTOU race condition (CWE-367) in the widget installation flow. The is_va= lid_filename function in wgtpkg-zip.c validates ZIP entry names but does no=
    t check for dot notation directory traversal sequences it only blocks absol= ute paths. The zread extraction function uses openat(workdirfd, filename, O= _CREAT) which resolves dot notation values relative to the work directory, = allowing files to be written anywhere on the filesystem. Critically, in fun= ction install_widget in file wgtpkg-install.c, extraction via zread occurs = BEFORE signature verification via check_all_signatures. Even if signature v= erification fails, the error cleanup (remove_workdir) only deletes the temp= orary work directory files written outside via path traversal persist perma= nently. 2026-05-01 9.8 CVE-2026-37531 [ https://www.cve.org/CVERecord?id=3D= CVE-2026-37531 ] https://gerrit.automotivelinux.org/gerrit/src/app-framewor= k-main
    https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643
    =C2=A0 n/a-- cannelloni v2.0.0 Buffer overflow vulnerability in cannelloni = v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and de= coder.cpp in function decodeFrame allowing remote attackers to cause a deni=
    al of service (crash) or possibly execute arbitrary code via crafted CAN FD=
    frames. 2026-05-01 9.8 CVE-2026-37539 [ https://www.cve.org/CVERecord?id= =3DCVE-2026-37539 ] https://github.com/mguentner/cannelloni https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
    =C2=A0 Carlson Software--VASCO-B GNSS Receiver The Carlson VASCO-B GNSS Rec= eiver lacks an authentication mechanism, allowing an attacker with network = access to directly access and modify its configuration and operational func= tions without needing credentials. 2026-04-28 9.4 CVE-2026-3893 [ https://w= ww.cve.org/CVERecord?id=3DCVE-2026-3893 ] https://www.carlsonsw.com/support= -and-training/
    https://www.cve.org/CVERecord?id=3DCVE-2026-3893 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-= 26-113-02.json
    =C2=A0 Mersenne--Prime95 Prime95 29.4b8 contains a local buffer overflow vu= lnerability that allows attackers to execute arbitrary code by exploiting s= tructured exception handling (SEH) mechanisms. Attackers can inject malicio=
    us payload through the optional proxy hostname field in the PrimeNet connec= tion settings to trigger the overflow and execute system commands. 2026-04-=
    29 8.4 CVE-2018-25299 [ https://www.cve.org/CVERecord?id=3DCVE-2018-25299 ]=
    ExploitDB-44649 [ https://www.exploit-db.com/exploits/44649 ]
    Official Product Homepage [ https://www.mersenne.org/ ]
    Product Reference [ https://www.mersenne.org/download/#download ]
    VulnCheck Advisory: Prime95 29.4b8 Local Buffer Overflow via SEH [ https://= www.vulncheck.com/advisories/prime95-29-4b8-local-buffer-overflow-via-seh ] =C2=A0 xataboost--XATABoost CMS XATABoost CMS 1.0.0 contains a union-based = SQL injection vulnerability that allows unauthenticated attackers to manipu= late database queries by injecting SQL code through the id parameter. Attac= kers can send GET requests to news.php with malicious id values to extract = sensitive database information. 2026-04-29 8.2 CVE-2018-25300 [ https://www= .cve.org/CVERecord?id=3DCVE-2018-25300 ] ExploitDB-44622 [ https://www.expl= oit-db.com/exploits/44622 ]
    Official Product Homepage [ http://www2.xataboost.com ]
    VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php [ https:= //www.vulncheck.com/advisories/xataboost-cms-sql-injection-via-news-php ] =C2=A0 Easy MPEG--Easy MPEG to DVD Burner Easy MPEG to DVD Burner 1.7.11 co= ntains a structured exception handling (SEH) local buffer overflow vulnerab= ility that allows local attackers to execute arbitrary code by supplying a = malicious username string. Attackers can craft a payload containing junk da= ta, SEH chain pointers, and shellcode that overwrites the SEH handler to re= direct execution and run arbitrary commands like opening calc.exe. 2026-04-=
    29 8.4 CVE-2018-25301 [ https://www.cve.org/CVERecord?id=3DCVE-2018-25301 ]=
    ExploitDB-44565 [ https://www.exploit-db.com/exploits/44565 ]
    Product Reference [ https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-1= 0418.html ]
    VulnCheck Advisory: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflo=
    w [ https://www.vulncheck.com/advisories/easy-mpeg-to-dvd-burner-seh-local-= buffer-overflow ]
    =C2=A0 Alloksoft--Allok Video to DVD Burner Allok Video to DVD Burner 2.6.1= 217 contains a stack-based buffer overflow vulnerability in the License Nam=
    e field that allows local attackers to execute arbitrary code by triggering=
    a structured exception handler (SEH) overwrite. Attackers can craft a mali= cious input string with 780 bytes of junk data followed by SEH chain pointe=
    rs and shellcode, then paste it into the License Name field during registra= tion to achieve code execution. 2026-04-29 8.4 CVE-2018-25303 [ https://www= .cve.org/CVERecord?id=3DCVE-2018-25303 ] ExploitDB-44518 [ https://www.expl= oit-db.com/exploits/44518 ]
    Official Product Homepage [ http://www.alloksoft.com/ ]
    VulnCheck Advisory: Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH =
    [ https://www.vulncheck.com/advisories/allok-video-to-dvd-burner-buffer-ove= rflow-seh ]
    =C2=A0 Filehippo--Free Download Manager Free Download Manager 2.0 Built 417=
    contains a local buffer overflow vulnerability in the URL import functiona= lity that allows attackers to trigger a structured exception handler (SEH) = chain exploitation. Attackers can craft a malicious URL file that, when imp= orted through the File > Import > Import lists of downloads menu, causes a = buffer overflow in the Location header response that overwrites the SEH cha=
    in and executes arbitrary code. 2026-04-29 8.4 CVE-2018-25304 [ https://www= .cve.org/CVERecord?id=3DCVE-2018-25304 ] ExploitDB-44499 [ https://www.expl= oit-db.com/exploits/44499 ]
    Product Reference [ https://filehippo.com/download_free_download_manager/92=
    5/ ]
    VulnCheck Advisory: Free Download Manager 2.0 Built 417 Local Buffer Overfl=
    ow SEH [ https://www.vulncheck.com/advisories/free-download-manager-built-4= 17-local-buffer-overflow-seh ]
    =C2=A0 Sysgauge--SysGauge Pro SysGauge Pro 4.6.12 contains a local buffer o= verflow vulnerability in the Register function that allows local attackers =
    to overwrite the structured exception handler by supplying a crafted unlock=
    key. Attackers can inject shellcode through the Unlock Key field during re= gistration to execute arbitrary code with application privileges. 2026-04-2=
    9 8.4 CVE-2018-25307 [ https://www.cve.org/CVERecord?id=3DCVE-2018-25307 ] = ExploitDB-44455 [ https://www.exploit-db.com/exploits/44455 ]
    VulnCheck Advisory: SysGauge Pro 4.6.12 Local Buffer Overflow SEH [ https:/= /www.vulncheck.com/advisories/sysgauge-pro-local-buffer-overflow-seh ]
    =C2=A0 donmik--Buddypress Xprofile Custom Fields Type BuddyPress Xprofile C= ustom Fields Type 2.6.3 contains a remote code execution vulnerability that=
    allows authenticated users to delete arbitrary files by manipulating unesc= aped POST parameters. Attackers can modify the field_hiddenfile and field_d= eleteimg parameters during profile editing to unlink files from the server.=
    2026-04-29 8.8 CVE-2018-25308 [ https://www.cve.org/CVERecord?id=3DCVE-201= 8-25308 ] ExploitDB-44432 [ https://www.exploit-db.com/exploits/44432 ] Official Product Homepage [ http://lenonleite.com.br/ ]
    VulnCheck Advisory: BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Cod=
    e Execution [ https://www.vulncheck.com/advisories/buddypress-xprofile-cust= om-fields-type-remote-code-execution ]
    =C2=A0 Alloksoft--WMV to AVI MPEG DVD WMV Converter Allok soft WMV to AVI M= PEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability tha=
    t allows local attackers to execute arbitrary code by supplying an oversize=
    d string in the License Name field. Attackers can craft a malicious input c= ontaining shellcode with structured exception handler (SEH) overwrite to by= pass protections and execute code with application privileges. 2026-04-29 8=
    .4 CVE-2018-25314 [ https://www.cve.org/CVERecord?id=3DCVE-2018-25314 ] Exp= loitDB-44365 [ https://www.exploit-db.com/exploits/44365 ]
    Official Product Homepage [ http://www.alloksoft.com ]
    Product Reference [ http://www.alloksoft.com/wmv.htm ]
    VulnCheck Advisory: Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 B= uffer Overflow [ https://www.vulncheck.com/advisories/allok-soft-wmv-to-avi= -mpeg-dvd-wmv-converter-buffer-overflow ]
    =C2=A0 Alloksoft--Video Joiner Alloksoft Video joiner 4.6.1217 contains a b= uffer overflow vulnerability that allows local attackers to execute arbitra=
    ry code by supplying a malicious string in the License Name field. Attacker=
    s can craft a payload with structured exception handler (SEH) overwrite and=
    shellcode to achieve code execution when the application processes the lic= ense registration input. 2026-04-29 8.4 CVE-2018-25315 [ https://www.cve.or= g/CVERecord?id=3DCVE-2018-25315 ] ExploitDB-44364 [ https://www.exploit-db.= com/exploits/44364 ]
    Official Product Homepage [ http://www.alloksoft.com ]
    Product Reference [ http://www.alloksoft.com/joiner.htm ]
    VulnCheck Advisory: Alloksoft Video joiner 4.6.1217 Buffer Overflow via Lic= ense Name [ https://www.vulncheck.com/advisories/alloksoft-video-joiner-buf= fer-overflow-via-license-name ]
    =C2=A0 marketingfire--Widget Options Advanced Conditional Visibility for Gu= tenberg Blocks & Classic Widgets The Widget Options - Advanced Conditional = Visibility for Gutenberg Blocks & Classic Widgets plugin for WordPress is v= ulnerable to Remote Code Execution in all versions up to, and including, 4.= 2.2 via the Display Logic feature. This is due to the plugin using eval() o=
    n user-supplied Display Logic expressions with an insufficient blocklist/al= lowlist that can be bypassed using array_map with string concatenation, com= bined with a lack of authorization enforcement on the extended_widget_opts_= block attribute. This makes it possible for authenticated attackers, with C= ontributor-level access and above, to execute code on the server. The vulne= rability was partially patched in version 4.2.0. 2026-05-02 8.8 CVE-2026-20=
    52 [ https://www.cve.org/CVERecord?id=3DCVE-2026-2052 ] https://www.wordfen= ce.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a= ?source=3Dcve https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/wi= dgets/gutenberg/gutenberg-toolbar.php#L843 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/ex= tras.php#L495 https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/ex= tras.php#L534
    https://plugins.trac.wordpress.org/changeset/3481338/ https://plugins.trac.wordpress.org/changeset/3514411/
    =C2=A0 Milesight--MS-Cxx63-PD An out-of-bounds memory access vulnerability = exists in specific firmware versions of Milesight AIOT cameras. 2026-04-27 = 8.8 CVE-2026-20766 [ https://www.cve.org/CVERecord?id=3DCVE-2026-20766 ] ht= tps://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-= 26-113-03.json
    https://www.milesight.com/support/download/firmware
    =C2=A0 wclovers--WCFM Frontend Manager for WooCommerce The WCFM - Frontend = Manager for WooCommerce along with Bookings Subscription Listings Compatibl=
    e plugin for WordPress is vulnerable to Insecure Direct Object Reference in=
    all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_custom= er' due to missing validation on the 'customerid' user controlled key. This=
    makes it possible for authenticated attackers, with Vendor-level access an=
    d above, to delete arbitrary users, including Administrators. 2026-05-02 8.=
    1 CVE-2026-2554 [ https://www.cve.org/CVERecord?id=3DCVE-2026-2554 ] https:= //www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b= -c465acea0796?source=3Dcve https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/= core/class-wcfm-customer.php#L386 https://plugins.trac.wordpress.org/changeset/3483695/
    =C2=A0 opencats--OpenCATS OpenCATS prior to commit 3002a29 contains a PHP c= ode injection vulnerability in the installer AJAX endpoint that allows unau= thenticated attackers to execute arbitrary code by injecting PHP statements=
    into the databaseConnectivity action parameter. Attackers can break out of=
    the define() string context in config.php using a single quote and stateme=
    nt separator to inject malicious PHP code that persists and executes on eve=
    ry subsequent page load when the installation wizard remains incomplete. 20= 26-04-28 8.1 CVE-2026-27760 [ https://www.cve.org/CVERecord?id=3DCVE-2026-2= 7760 ] https://chocapikk.com/posts/2026/opencats-installer-rce/ https://github.com/opencats/OpenCATS/pull/706 https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e18= 9906606b6 https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-= L172 https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.p= hp#L130 https://www.vulncheck.com/advisories/opencats-php-code-injection-via-instal= ler-ajax-endpoint
    =C2=A0 Milesight--MS-Cxx63-PD Specific firmware versions of Milesight AIOT = camera firmware contain hard-coded credentials. 2026-04-27 8.8 CVE-2026-277=
    85 [ https://www.cve.org/CVERecord?id=3DCVE-2026-27785 ] https://www.cisa.g= ov/news-events/ics-advisories/icsa-26-113-03 https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-= 26-113-03.json
    https://www.milesight.com/support/download/firmware
    =C2=A0 Cockpit--Cockpit CMS Cockpit CMS contains an authenticated remote co=
    de execution vulnerability in the /cockpit/collections/save_collection endp= oint that allows authenticated attackers with collection management privile= ges to inject arbitrary PHP code into collection rules parameters. Attacker=
    s can inject malicious PHP code through rule parameters which is written di= rectly to server-side PHP files and executed via include() to achieve arbit= rary command execution on the underlying server. 2026-04-29 8.8 CVE-2026-34= 965 [ https://www.cve.org/CVERecord?id=3DCVE-2026-34965 ] https://github.co= m/agentejo/cockpit https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be=
    90
    https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889= b6fa789b9 https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-= execution-via-collections
    =C2=A0 n/a--(UDS) & OBD-II (On Board Diagnostics for Vehicles) miaofng/uds-=
    c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a s= tack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX= _DIAGNOSTIC_PAYLOAD_SIZE=3D6) receives memcpy at offset 1+pid_length with p= ayload_length bytes. MAX_UDS_REQUEST_PAYLOAD_LENGTH=3D7, so 1+2+7=3D10 exce= eds buffer by 4 bytes. No bounds check on payload_length before memcpy. 202= 6-05-01 8.8 CVE-2026-37536 [ https://www.cve.org/CVERecord?id=3DCVE-2026-37= 536 ] https://github.com/miaofng/uds-c
    https://github.com/openxc/uds-c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
    =C2=A0 n/a--Open-SAE-J1939 (Daniel Martensson) collin80/Open-SAE-J1939 thru=
    commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an i= nteger underflow leading to out-of-bounds write in Transport Protocol Data = Transfer handling. At line 23: uint8_t index =3D data[0] - 1. When data[0] = (sequence number from CAN frame) is 0, index underflows to 255. Subsequent = write at tp_dt->data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP= _DT buffer (1785 bytes) by 6 bytes. 2026-05-01 8.1 CVE-2026-37537 [ https:/= /www.cve.org/CVERecord?id=3DCVE-2026-37537 ] https://github.com/DanielMarte= nsson/Open-SAE-J1939
    https://github.com/collin80/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
    =C2=A0 openampproject[.]org--OpenAMP v2025.10.0 OpenAMP v2025.10.0 ELF load=
    er contains an integer overflow vulnerability in firmware image parsing. In=
    elf_loader.c, it performs multiplication of two attacker-controlled 16-bit=
    values from the ELF header without overflow checking. On 32-bit embedded s= ystems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap a= round to a small value. 2026-05-01 8.4 CVE-2026-37540 [ https://www.cve.org= /CVERecord?id=3DCVE-2026-37540 ] https://github.com/OpenAMP/open-amp https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
    =C2=A0 n/a--MixPHP Framework 2.x Unsafe deserialization vulnerability in Mi= xPHP Framework 2.x thru 2.2.17. The sync-invoke TCP server (Server.php:87) = receives data from a TCP socket, passes it directly to Opis\Closure\unseria= lize(), then executes the result via call_user_func(). No authentication or=
    signature verification exists on the TCP connection. An attacker with acce=
    ss to the localhost TCP port (server binds 127.0.0.1) can send a crafted se= rialized PHP closure to achieve arbitrary code execution. 2026-05-01 8.4 CV= E-2026-37552 [ https://www.cve.org/CVERecord?id=3DCVE-2026-37552 ] https://= github.com/mix-php/mix https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975
    =C2=A0 benjaminprojas--WP Editor The WP Editor plugin for WordPress is vuln= erable to Cross-Site Request Forgery in all versions up to, and including, = 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page=
    ' and 'add_themes_page' functions. This makes it possible for unauthenticat=
    ed attackers to overwrite arbitrary plugin and theme PHP files with attacke= r-controlled code via a forged request, granted they can trick a site admin= istrator into performing an action such as clicking a link. 2026-05-01 8.8 = CVE-2026-3772 [ https://www.cve.org/CVERecord?id=3DCVE-2026-3772 ] https://= www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-8= 02ef11f886c?source=3Dcve https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditor= Plugins.php#L60 https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditor= Themes.php#L103
    https://plugins.trac.wordpress.org/changeset/3480577/
    =C2=A0 chartbrew--chartbrew Chartbrew is an open-source web application tha=
    t can connect directly to databases and APIs and use the data to create cha= rts. In version 4.9.0, Chartbrew allows authenticated users with access to = one project to update or delete a SharePolicy record that belongs to a diff= erent project. The affected routes authorize the caller against the project=
    in the URL path, but they never verify that policy_id belongs to that proj= ect. This permits cross-project modification of dashboard sharing rules, in= cluding visibility, password requirements, allowed parameters, and expirati=
    on settings. This issue has been patched in version 5.0.0. 2026-04-30 8.1 C= VE-2026-40600 [ https://www.cve.org/CVERecord?id=3DCVE-2026-40600 ] https:/= /github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0
    =C2=A0 TRENDnet--TEW-821DAP A security vulnerability has been detected in T= RENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware o=
    f the component Firmware Udpate. The manipulation of the argument str leads=
    to buffer overflow. The attack may be initiated remotely. The vendor expla= ins: "That firmware version will only work on our hardware version v1.xR. W=
    e have already EOL that product 8 years ago and are no longer selling". Thi=
    s vulnerability only affects products that are no longer supported by the m= aintainer. 2026-05-02 8.8 CVE-2026-7607 [ https://www.cve.org/CVERecord?id= =3DCVE-2026-7607 ] VDB-360564 | TRENDnet TEW-821DAP Firmware Udpate auto_up= date_firmware buffer overflow [ https://vuldb.com/vuln/360564 ]
    VDB-360564 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360564= /cti ]
    Submit #806214 | Trendnet TEW-821DAP v1.12B01 CWE-120 Buffer Copy without C= hecking Size of Input [ https://vuldb.com/submit/806214 ] https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP= _BO.md
    =C2=A0 carazo--Import and export users and customers The Import and export = users and customers plugin for WordPress is vulnerable to Privilege Escalat= ion in all versions up to and including 2.0.8 via the `save_extra_user_prof= ile_fields()` function. This is due to an incomplete blocklist that correct=
    ly restricts capability meta keys for the primary site (e.g., `wp_capabilit= ies`, `wp_user_level`) but fails to block the equivalent meta keys for any = other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, = `wp_2_user_level`), allowing these keys to pass the `in_array()` check and =
    be written directly to user meta via `update_user_meta()`. This makes it po= ssible for authenticated attackers, with Subscriber-level access and above,=
    to escalate their privileges to Administrator on any subsite within the Mu= ltisite network by submitting a crafted profile update to `/wp-admin/profil= e.php`. Exploitation requires that an administrator has previously imported=
    a CSV file containing multisite-prefixed capability column headers and has=
    enabled the 'Show fields in profile?' option, which causes those keys to b=
    e stored in the `acui_columns` option and exposed as editable fields on the=
    user profile page. 2026-05-02 8.8 CVE-2026-7641 [ https://www.cve.org/CVER= ecord?id=3DCVE-2026-7641 ] https://www.wordfence.com/threat-intel/vulnerabi= lities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=3Dcve https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= trunk/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.8/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= trunk/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.8/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= trunk/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.8/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= trunk/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.8/classes/multisite.php#L21 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.6/classes/columns.php#L221 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.6/classes/columns.php#L198 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.6/classes/helper.php#L150 https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/= tags/2.0.6/classes/multisite.php#L21 https://plugins.trac.wordpress.org/changeset/3515646
    Cozmoslabs--Profile Builder Pro
    The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.
    Published: 2026-05-02   CVSS: 8.1   CVE-2026-7647 [ https://www.cve.org/CVERecord?id=CVE-2026-7647 ]
      https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve
      https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271
      https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271
      https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13
      https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13

    Shenzhen Libituo Technology--LBT-T300-HW1
    A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Executing a manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03   CVSS: 8.8   CVE-2026-7674 [ https://www.cve.org/CVERecord?id=CVE-2026-7674 ]
      VDB-360827 | Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow [ https://vuldb.com/vuln/360827 ]
      VDB-360827 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360827/cti ]
      Submit #800705 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow [ https://vuldb.com/submit/800705 ]
      Submit #800706 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow (Duplicate) [ https://vuldb.com/submit/800706 ]
      https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md

    Shenzhen Libituo Technology--LBT-T300-HW1
    A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03   CVSS: 8.8   CVE-2026-7675 [ https://www.cve.org/CVERecord?id=CVE-2026-7675 ]
      VDB-360828 | Shenzhen Libituo Technology LBT-T300-HW1 apply.cgi start_lan buffer overflow [ https://vuldb.com/vuln/360828 ]
      VDB-360828 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360828/cti ]
      Submit #800708 | Libtor Technology lbt-t300-hw1 <=V1.2.8 Buffer Overflow [ https://vuldb.com/submit/800708 ]
      Submit #800709 | Libtor Technology <=V1.2.8 Buffer Overflow (Duplicate) [ https://vuldb.com/submit/800709 ]
      https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md

    Edimax--BR-6428nC
    A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03   CVSS: 8.8   CVE-2026-7684 [ https://www.cve.org/CVERecord?id=CVE-2026-7684 ]
      VDB-360843 | Edimax BR-6428nC setWAN buffer overflow [ https://vuldb.com/vuln/360843 ]
      VDB-360843 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360843/cti ]
      Submit #801599 | Edimax BR-6428nC v1.16 Buffer Overflow [ https://vuldb.com/submit/801599 ]
      https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2

    Edimax--BR-6208AC
    A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03   CVSS: 8.8   CVE-2026-7685 [ https://www.cve.org/CVERecord?id=CVE-2026-7685 ]
      VDB-360844 | Edimax BR-6208AC setWAN buffer overflow [ https://vuldb.com/vuln/360844 ]
      VDB-360844 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360844/cti ]
      Submit #801606 | Edimax BR-6208AC V2_1.02 Buffer Overflow [ https://vuldb.com/submit/801606 ]
      https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2

    Alloksoft--Allok AVI to DVD SVCD VCD Converter
    Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution.
    Published: 2026-04-29   CVSS: 7.8   CVE-2018-25302 [ https://www.cve.org/CVERecord?id=CVE-2018-25302 ]
      ExploitDB-44549 [ https://www.exploit-db.com/exploits/44549 ]
      Official Product Homepage [ http://www.alloksoft.com/ ]
      VulnCheck Advisory: Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH [ https://www.vulncheck.com/advisories/allok-avi-to-dvd-svcd-vcd-converter-buffer-overflow-seh ]

    mybb--MyBB Recent threads
    MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.
    Published: 2026-04-29   CVSS: 7.2   CVE-2018-25309 [ https://www.cve.org/CVERecord?id=CVE-2018-25309 ]
      ExploitDB-44420 [ https://www.exploit-db.com/exploits/44420 ]
      Product Reference [ https://community.mybb.com/mods.php?action=view&pid=191 ]
      VulnCheck Advisory: MyBB Recent threads 17.0 Persistent Cross-Site Scripting [ https://www.vulncheck.com/advisories/mybb-recent-threads-persistent-cross-site-scripting ]

    Weaver Network Co., Ltd.--E-cology
    Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).
    Published: 2026-04-30   CVSS: 7.5   CVE-2022-50992 [ https://www.cve.org/CVERecord?id=CVE-2022-50992 ]
      https://www.weaver.com.cn/cs/securityDownload.html#
      https://www.weaver.com.cn/cs/ecology_full_log.html
      https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245
      https://blog.csdn.net/qq_36618918/article/details/135104295
      https://blog.csdn.net/xiayu729100940/article/details/135205082
      https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet

    n/a--django-mdeditor
    All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.
    Published: 2026-04-30   CVSS: 7.1   CVE-2025-13030 [ https://www.cve.org/CVERecord?id=CVE-2025-13030 ]
      https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926
      https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25
      https://github.com/pylixm/django-mdeditor/issues/151
      https://github.com/pylixm/django-mdeditor/pull/185
      https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe

    CryptPad--CryptPad
    CryptPad 2025.3.1 allows unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.
    Published: 2026-04-30   CVSS: 7.5   CVE-2025-51846 [ https://www.cve.org/CVERecord?id=CVE-2025-51846 ]
      url [ https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e ]
      url [ https://www.cve.org/CVERecord?id=CVE-2025-51846 ]
      url [ https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json ]
      url [ https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md ]

    Zyxel--DX3301-T0 firmware
    A post-authentication command injection vulnerability in the "DomainName" parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.
    Published: 2026-04-28   CVSS: 7.2   CVE-2026-1460 [ https://www.cve.org/CVERecord?id=CVE-2026-1460 ]
      https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026

    OPPO--ColorOS Assistant
    ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.
    Published: 2026-04-30   CVSS: 7.1   CVE-2026-22070 [ https://www.cve.org/CVERecord?id=CVE-2026-22070 ]
      https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024

    VEGA Grieshaber--VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)
    An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.
    Published: 2026-04-28   CVSS: 7.5   CVE-2026-3323 [ https://www.cve.org/CVERecord?id=CVE-2026-3323 ]
      https://certvde.com/en/advisories/VDE-2026-016
      https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json

    redhat[.]com--DTLS
    A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.
    Published: 2026-04-30   CVSS: 7.5   CVE-2026-33845 [ https://www.cve.org/CVERecord?id=CVE-2026-33845 ]
      RHSA-2026:13274 [ https://access.redhat.com/errata/RHSA-2026:13274 ]
      https://access.redhat.com/security/cve/CVE-2026-33845
      RHBZ#2450624 [ https://bugzilla.redhat.com/show_bug.cgi?id=2450624 ]

    Dell--iDRAC10
    Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low-privileged attacker to gain elevated access.
    Published: 2026-04-29   CVSS: 7.1   CVE-2026-35155 [ https://www.cve.org/CVERecord?id=CVE-2026-35155 ]
      https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability

    n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0
    AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&xreq->context, NULL) before dispatching an attacker-controlled API call via xapi->itf->call(xapi->closure, xreq). The NULL propagation chain through afb-context.c:110 (context->credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context->credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.
    Published: 2026-05-01   CVSS: 7.8   CVE-2026-37525 [ https://www.cve.org/CVERecord?id=CVE-2026-37525 ]
      https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder
      https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

    n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0
    AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.
    Published: 2026-05-01   CVSS: 7.8   CVE-2026-37526 [ https://www.cve.org/CVERecord?id=CVE-2026-37526 ]
      https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder
      https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

    n/a--Automotive Grade Linux (AGL) aglservice v17.1.12
    AGL agl-service-can-low-level thru 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &data[1], payload_length) reads up to 8 bytes past the end of the data buffer.
    Published: 2026-05-01   CVSS: 7.1   CVE-2026-37532 [ https://www.cve.org/CVERecord?id=CVE-2026-37532 ]
      https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level
      https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

    n/a--Automotive Grade Linux (AGL) isotp-c
    openxc/isotp-c thru commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.
    Published: 2026-05-01   CVSS: 7.1   CVE-2026-37535 [ https://www.cve.org/CVERecord?id=CVE-2026-37535 ]
      https://github.com/openxc/isotp-c
      https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c
      https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381

    n/a--Vanetza V2X v26.02
    An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.
    Published: 2026-05-01   CVSS: 7.5   CVE-2026-37554 [ https://www.cve.org/CVERecord?id=CVE-2026-37554 ]
      https://github.com/riebl/vanetza
      https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp
      https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp
      https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f

    chartbrew--chartbrew
    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.
    Published: 2026-04-30   CVSS: 7.5   CVE-2026-40595 [ https://www.cve.org/CVERecord?id=CVE-2026-40595 ]
      https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649
      https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0

    cyberhobo--Geo Mashup
    The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.
    Published: 2026-05-02   CVSS: 7.5   CVE-2026-4060 [ https://www.cve.org/CVERecord?id=CVE-2026-4060 ]
      https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166
      https://plugins.trac.wordpress.org/changeset/3503627/

    chartbrew--chartbrew
    Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.
    Published: 2026-04-30   CVSS: 7.5   CVE-2026-40601 [ https://www.cve.org/CVERecord?id=CVE-2026-40601 ]
      https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w
      https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0

    cyberhobo--Geo Mashup
    The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb->prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.
    Published: 2026-05-02   CVSS: 7.5   CVE-2026-4061 [ https://www.cve.org/CVERecord?id=CVE-2026-4061 ]
      https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152
      https://plugins.trac.wordpress.org/changeset/3503627/

    cyberhobo--Geo Mashup
    The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context - `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.
    Published: 2026-05-02   CVSS: 7.5   CVE-2026-4062 [ https://www.cve.org/CVERecord?id=CVE-2026-4062 ]
      https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759
      https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166
      https://plugins.trac.wordpress.org/changeset/3503627/

    n/a--libssh2
    A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.
    Published: 2026-05-01   CVSS: 7.3   CVE-2026-7598 [ https://www.cve.org/CVERecord?id=CVE-2026-7598 ]
      VDB-360555 | libssh2 userauth.c userauth_password integer overflow [ https://vuldb.com/vuln/360555 ]
      VDB-360555 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360555/cti ]
      Submit #805564 | libssh2 <= 1.11.1 Integer Overflow [ https://vuldb.com/submit/805564 ]
      https://github.com/libssh2/libssh2/pull/1858
      https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1
      https://github.com/libssh2/libssh2/

    innocommerce--InnoShop
    A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.
    Published: 2026-05-02   CVSS: 7.3   CVE-2026-7630 [ https://www.cve.org/CVERecord?id=CVE-2026-7630 ]
      VDB-360576 | innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication [ https://vuldb.com/vuln/360576 ]
      VDB-360576 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360576/cti ]
      Submit #806484 | innocommerce innoshop <= 0.7.3 Missing Authorization [ https://vuldb.com/submit/806484 ]
      https://github.com/innocommerce/innoshop/issues/314
      https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458
      https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9
      https://github.com/innocommerce/innoshop/

    code-projects--Online Hospital Management System
    A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.
    Published: 2026-05-02   CVSS: 7.3   CVE-2026-7632 [ https://www.cve.org/CVERecord?id=CVE-2026-7632 ]
      VDB-360578 | code-projects Online Hospital Management System viewappointment.php sql injection [ https://vuldb.com/vuln/360578 ]
      VDB-360578 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360578/cti ]
      Submit #806633 | code-projects Online Hospital Management System In PHP 1.0 SQL Injection [ https://vuldb.com/submit/806633 ]
      https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md
      https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md
      https://code-projects.org/

    ChatGPTNextWeb--NextChat
    A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02   CVSS: 7.3   CVE-2026-7644 [ https://www.cve.org/CVERecord?id=CVE-2026-7644 ]
      VDB-360756 | ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization [ https://vuldb.com/vuln/360756 ]
      VDB-360756 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360756/cti ]
      Submit #806851 | ChatGPTNextWeb NextChat 2.16.1 Unauthenticated Remote Code Execution [ https://vuldb.com/submit/806851 ]
      https://github.com/ChatGPTNextWeb/NextChat/issues/6757
      https://github.com/ChatGPTNextWeb/NextChat/

    reputeinfosystems--ARMember Membership Plugin, Content Restriction, Member Levels, User Profile & User signup
    The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile & User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
    Published: 2026-05-02   CVSS: 7.5   CVE-2026-7649 [ https://www.cve.org/CVERecord?id=CVE-2026-7649 ]
      https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve
      https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019
      https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019
      https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434
      https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434
      https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36
      https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36

    MikroTik--RouterOS
    A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-02   CVSS: 7.3   CVE-2026-7668 [ https://www.cve.org/CVERecord?id=CVE-2026-7668 ]
      VDB-360804 | MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out-of-bounds [ https://vuldb.com/vuln/360804 ]
      VDB-360804 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360804/cti ]
      Submit #798623 | MikroTik RouterOS 6.49.8 Out-of-Bounds Read [ https://vuldb.com/submit/798623 ]
      https://github.com/ezio315/cve/issues/4

    Jinher--OA
    A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-02   CVSS: 7.3   CVE-2026-7670 [ https://www.cve.org/CVERecord?id=CVE-2026-7670 ]
      VDB-360818 | Jinher OA UserSel.aspx sql injection [ https://vuldb.com/vuln/360818 ]
      VDB-360818 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360818/cti ]
      Submit #799506 | Jinhe OA V1.0 SQL Injection [ https://vuldb.com/submit/799506 ]
      https://github.com/zzlln/cvecve/issues/1

    YunaiV--yudao-cloud
    A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03   CVSS: 7.3   CVE-2026-7679 [ https://www.cve.org/CVERecord?id=CVE-2026-7679 ]
      VDB-360832 | YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication [ https://vuldb.com/vuln/360832 ]
      VDB-360832 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360832/cti ]
      Submit #800866 | YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness [ https://vuldb.com/submit/800866 ]
      https://github.com/9str0IL/CVE/issues/1

    Acrel Electrical--ECEMS Enterprise Microgrid Energy Efficiency Management System
    Description: A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7694 [ https://www.cve.org/CVERecord?id=CVE-2026-7694 ]
    Patch Info:
      VDB-360863 | Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection [ https://vuldb.com/vuln/360863 ]
      VDB-360863 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360863/cti ]
      Submit #803271 | Acrel Electric Co., Ltd. Enterprise Microgrid Energy Efficiency Management System (ECEMS) 1.3.0 SQL Injection [ https://vuldb.com/submit/803271 ]
      https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb

    Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform
    Description: A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7695 [ https://www.cve.org/CVERecord?id=CVE-2026-7695 ]
    Patch Info:
      VDB-360864 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection [ https://vuldb.com/vuln/360864 ]
      VDB-360864 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360864/cti ]
      Submit #803275 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 SQL Injection [ https://vuldb.com/submit/803275 ]
      https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg

    Tiandy--Easy7 Integrated Management Platform
    Description: A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7698 [ https://www.cve.org/CVERecord?id=CVE-2026-7698 ]
    Patch Info:
      VDB-360867 | Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection [ https://vuldb.com/vuln/360867 ]
      VDB-360867 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360867/cti ]
      Submit #804048 | Tiandy Technologies Co., Ltd. Tiandy-Easy7 7.17.0 OS Command Injection [ https://vuldb.com/submit/804048 ]
      https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c

    AV Stumpfl--Pixera Two Media Server
    Description: A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7703 [ https://www.cve.org/CVERecord?id=CVE-2026-7703 ]
    Patch Info:
      VDB-360872 | AV Stumpfl Pixera Two Media Server Websocket API code injection [ https://vuldb.com/vuln/360872 ]
      VDB-360872 | CTI Indicators (IOB, IOC, TTP) [ https://vuldb.com/vuln/360872/cti ]
      Submit #805274 | AV Stumpfl Pixera Two Media Server < 25.2 R3 Remote Code Execution [ https://vuldb.com/submit/805274 ]
      https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608
      https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog

    YunaiV--yudao-cloud
    Description: A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0. This affects the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Performing a manipulation of the argument mock-token results in improper authentication. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7710 [ https://www.cve.org/CVERecord?id=CVE-2026-7710 ]
    Patch Info:
      VDB-360886 | YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication [ https://vuldb.com/vuln/360886 ]
      VDB-360886 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360886/cti ]
      Submit #806493 | YunaiV yudao-cloud yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness [ https://vuldb.com/submit/806493 ]
      https://github.com/9str0IL/CVE/issues/5

    n/a--MindsDB
    Description: A weakness has been identified in MindsDB up to 26.01. This impacts the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Executing a manipulation can lead to unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS Score: 7.3 | Source Info: CVE-2026-7711 [ https://www.cve.org/CVERecord?id=CVE-2026-7711 ]
    Patch Info:
      VDB-360887 | MindsDB Engine proc_wrapper.py exec unrestricted upload [ https://vuldb.com/vuln/360887 ]
      VDB-360887 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360887/cti ]
      Submit #806822 | mindsdb <=26.01 Remote Code Execution [ https://vuldb.com/submit/806822 ]
      https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md

    Medium Vulnerabilities

    Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

    xenial--RSVG
    Description: librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image compositor.
    Published: 2026-04-29 | CVSS Score: 6.2 | Source Info: CVE-2018-25305 [ https://www.cve.org/CVERecord?id=CVE-2018-25305 ]
    Patch Info:
      ExploitDB-44491 [ https://www.exploit-db.com/exploits/44491 ]
      VulnCheck Advisory: librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG [ https://www.vulncheck.com/advisories/librsvg2-bin-buffer-overflow-via-malformed-svg ]

    poppler-utils--PDFunite
    Description: PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility.
    Published: 2026-04-29 | CVSS Score: 6.2 | Source Info: CVE-2018-25306 [ https://www.cve.org/CVERecord?id=CVE-2018-25306 ]
    Patch Info:
      ExploitDB-44490 [ https://www.exploit-db.com/exploits/44490 ]
      Official Product Homepage [ https://launchpad.net/ubuntu/artful/+package/poppler-utils ]
      Product Reference [ https://launchpad.net/ubuntu/+source/poppler/0.57.0-2ubuntu4.2 ]
      VulnCheck Advisory: PDFunite 0.41.0 Buffer Overflow via Malformed PDF [ https://www.vulncheck.com/advisories/pdfunite-buffer-overflow-via-malformed-pdf ]

    VideoFlow Ltd.--VideoFlow Digital Video Protection
    Description: VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.
    Published: 2026-04-29 | CVSS Score: 6.5 | Source Info: CVE-2018-25311 [ https://www.cve.org/CVERecord?id=CVE-2018-25311 ]
    Patch Info:
      ExploitDB-44386 [ https://www.exploit-db.com/exploits/44386 ]
      Vulnerability Advisory [ https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php ]
      VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2) [ https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version ]

    LifeSize--ClearSea
    Description: LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.
    Published: 2026-04-29 | CVSS Score: 6.5 | Source Info: CVE-2018-25312 [ https://www.cve.org/CVERecord?id=CVE-2018-25312 ]
    Patch Info:
      ExploitDB-44390 [ https://www.exploit-db.com/exploits/44390 ]
      VulnCheck Advisory: LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution [ https://www.vulncheck.com/advisories/lifesize-clearsea-directory-traversal-remote-code-execution ]

    Sysgauge--SysGauge
    Description: SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application.
    Published: 2026-04-29 | CVSS Score: 6.2 | Source Info: CVE-2018-25313 [ https://www.cve.org/CVERecord?id=CVE-2018-25313 ]
    Patch Info:
      ExploitDB-44372 [ https://www.exploit-db.com/exploits/44372 ]
      VulnCheck Advisory: SysGauge 4.5.18 Local Denial of Service via Proxy Configuration [ https://www.vulncheck.com/advisories/sysgauge-local-denial-of-service-via-proxy-configuration ]

    sebet--Go Fetch Jobs (for WP Job Manager)
    Description: Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.
    Published: 2026-05-01 | CVSS Score: 6.1 | Source Info: CVE-2024-13362 [ https://www.cve.org/CVERecord?id=CVE-2024-13362 ]
    Patch Info:
      https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve
      https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js
      https://plugins.trac.wordpress.org/changeset/3235286/
      https://plugins.trac.wordpress.org/changeset/3249130/
      https://plugins.trac.wordpress.org/changeset/3229060/

    WSO2--WSO2 Identity Server
    Description: The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.
    Published: 2026-04-29 | CVSS Score: 6.1 | Source Info: CVE-2025-10503 [ https://www.cve.org/CVERecord?id=CVE-2025-10503 ]
    Patch Info:
      https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/

    trustindex--Widgets for Social Photo Feed
    Description: The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.
    Published: 2026-05-02 | CVSS Score: 6.5 | Source Info: CVE-2025-14726 [ https://www.cve.org/CVERecord?id=CVE-2025-14726 ]
    Patch Info:
      https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve
      https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget

    IBM--Db2
    Description: IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2025-36122 [ https://www.cve.org/CVERecord?id=CVE-2025-36122 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7267642

    IBM--watsonx.data intelligence
    Description: IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.
    Published: 2026-04-30 | CVSS Score: 6.2 | Source Info: CVE-2025-36335 [ https://www.cve.org/CVERecord?id=CVE-2025-36335 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7270923

    xlplugins--NextMove Lite Thank You Page for WooCommerce
    Description: The NextMove Lite - Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
    Published: 2026-05-02 | CVSS Score: 6.4 | Source Info: CVE-2026-0703 [ https://www.cve.org/CVERecord?id=CVE-2026-0703 ]
    Patch Info:
      https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve
      https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79
      https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87
      https://plugins.trac.wordpress.org/changeset/3482613/

    Zyxel--DX3300-T0 firmware
    Description: A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device.
    Published: 2026-04-28 | CVSS Score: 6.8 | Source Info: CVE-2026-0711 [ https://www.cve.org/CVERecord?id=CVE-2026-0711 ]
    Patch Info:
      https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026

    IBM--Db2
    Description: IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-1577 [ https://www.cve.org/CVERecord?id=CVE-2026-1577 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7269434

    Dell--Alienware Command Center (AWCC)
    Description: Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
    Published: 2026-04-27 | CVSS Score: 6.7 | Source Info: CVE-2026-25908 [ https://www.cve.org/CVERecord?id=CVE-2026-25908 ]
    Patch Info:
      https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities

    wazuh--wazuh
    Description: Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.
    Published: 2026-04-29 | CVSS Score: 6.5 | Source Info: CVE-2026-26206 [ https://www.cve.org/CVERecord?id=CVE-2026-26206 ]
    Patch Info:
      https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58
      https://github.com/wazuh/wazuh/releases/tag/v4.14.4

    Dell--Dell/Alienware Purchased Apps
    Description: Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write.
    Published: 2026-04-29 | CVSS Score: 6.3 | Source Info: CVE-2026-27105 [ https://www.cve.org/CVERecord?id=CVE-2026-27105 ]
    Patch Info:
      https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability

    Milesight--MS-Cxx63-PD
    Description: A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras.
    Published: 2026-04-27 | CVSS Score: 6.8 | Source Info: CVE-2026-32649 [ https://www.cve.org/CVERecord?id=CVE-2026-32649 ]
    Patch Info:
      https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03
      https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json
      https://www.milesight.com/support/download/firmware

    IBM--Langflow Desktop
    Description: IBM Langflow Desktop 1.0.0 through 1.8.4 IBM Langflow is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-3340 [ https://www.cve.org/CVERecord?id=CVE-2026-3340 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7271096

    IBM--Langflow Desktop
    Description: IBM Langflow Desktop <=1.8.4 Langflow could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-3345 [ https://www.cve.org/CVERecord?id=CVE-2026-3345 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7271094

    IBM--Langflow Desktop
    Description: IBM Langflow Desktop 1.6.0 through 1.8.4 Langflow is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI thus altering the intended functionality potentially leading to credentials disclosure within a trusted session.
    Published: 2026-04-30 | CVSS Score: 6.4 | Source Info: CVE-2026-3346 [ https://www.cve.org/CVERecord?id=CVE-2026-3346 ]
    Patch Info:
      https://www.ibm.com/support/pages/node/7271095

    chartbrew--chartbrew
    Description: Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-35514 [ https://www.cve.org/CVERecord?id=CVE-2026-35514 ]
    Patch Info:
      https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp
      https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0

    n/a--V2Board
    Description: v1.7.4 Cross-Site Scripting (XSS) in V2Board thru 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.
    Published: 2026-05-01 | CVSS Score: 6.9 | Source Info: CVE-2026-37503 [ https://www.cve.org/CVERecord?id=CVE-2026-37503 ]
    Patch Info:
      https://github.com/v2board/v2board
      https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

    redhat[.]com--gnutls
    Description: A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-3833 [ https://www.cve.org/CVERecord?id=CVE-2026-3833 ]
    Patch Info:
      RHSA-2026:13274 [ https://access.redhat.com/errata/RHSA-2026:13274 ]
      https://access.redhat.com/security/cve/CVE-2026-3833
      RHBZ#2445763 [ https://bugzilla.redhat.com/show_bug.cgi?id=2445763 ]
      https://gitlab.com/gnutls/gnutls/-/issues/1803

    chartbrew--chartbrew
    Description: Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.
    Published: 2026-04-30 | CVSS Score: 6.5 | Source Info: CVE-2026-40603 [ https://www.cve.org/CVERecord?id=CVE-2026-40603 ]
    Patch Info:
      https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f
      https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0

    nextlevelbuilder--ui-ux-pro-max-skill
    Description: A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
    Published: 2026-05-01 | CVSS Score: 6.3 | Source Info: CVE-2026-7595 [ https://www.cve.org/CVERecord?id=CVE-2026-7595 ]
    Patch Info:
      VDB-360548 | nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection [ https://vuldb.com/vuln/360548 ]
      VDB-360548 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360548/cti ]
      Submit #805509 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE [ https://vuldb.com/submit/805509 ]
      https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246
      https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275
      https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/

    mem0ai--mem0
    Description: A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.
    Published: 2026-05-01 | CVSS Score: 6.3 | Source Info: CVE-2026-7597 [ https://www.cve.org/CVERecord?id=CVE-2026-7597 ]
    Patch Info:
      VDB-360550 | mem0ai mem0 faiss.py pickle.dump deserialization [ https://vuldb.com/vuln/360550 ]
      VDB-360550 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360550/cti ]
      Submit #805562 | Mem0 <= v1.0.11 Unsafe Deserialization [ https://vuldb.com/submit/805562 ]
      https://github.com/mem0ai/mem0/issues/3778
      https://github.com/mem0ai/mem0/pull/4833
      https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a
      https://github.com/mem0ai/mem0/

    Dayoooun--hwpx-mcp
    Description: A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-01 | CVSS Score: 6.3 | Source Info: CVE-2026-7599 [ https://www.cve.org/CVERecord?id=CVE-2026-7599 ]
    Patch Info:
      VDB-360556 | Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal [ https://vuldb.com/vuln/360556 ]
      VDB-360556 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360556/cti ]
      Submit #805608 | Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal [ https://vuldb.com/submit/805608 ]
      https://github.com/Dayoooun/hwpx-mcp/issues/3
      https://github.com/BruceJqs/public_exp/issues/28
      https://github.com/Dayoooun/hwpx-mcp/

    ArtMin96--yii2-mcp-server
    Description: A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02 | CVSS Score: 6.3 | Source Info: CVE-2026-7600 [ https://www.cve.org/CVERecord?id=CVE-2026-7600 ]
    Patch Info:
      VDB-360557 | ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection [ https://vuldb.com/vuln/360557 ]
      VDB-360557 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360557/cti ]
      Submit #805613 | ArtMin96 yii2-mcp-server 1.0.2 Command Injection [ https://vuldb.com/submit/805613 ]
      https://github.com/ArtMin96/yii2-mcp-server/issues/3
      https://github.com/BruceJqs/public_exp/issues/29
      https://github.com/ArtMin96/yii2-mcp-server/

    n/a--JeecgBoot
    Description: A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
    Published: 2026-05-02 | CVSS Score: 6.3 | Source Info: CVE-2026-7602 [ https://www.cve.org/CVERecord?id=CVE-2026-7602 ]
    Patch Info:
      VDB-360559 | JeecgBoot FillRuleUtil edit improper authorization [ https://vuldb.com/vuln/360559 ]
      VDB-360559 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360559/cti ]
      Submit #805706 | jeecgboot JeecgBoot <= v3.9.1 Remote Code Execution [ https://vuldb.com/submit/805706 ]
      https://github.com/jeecgboot/JeecgBoot/issues/9552
      https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314
      https://github.com/jeecgboot/JeecgBoot/

    n/a--JeecgBoot
    Description: A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.
    Published: 2026-05-02 | CVSS Score: 6.3 | Source Info: CVE-2026-7603 [ https://www.cve.org/CVERecord?id=CVE-2026-7603 ]
    Patch Info:
      VDB-360560 | JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery [ https://vuldb.com/vuln/360560 ]
      VDB-360560 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360560/cti ]
      Submit #805707 | jeecgboot JeecgBoot <= v3.9.1 SSRF [ https://vuldb.com/submit/805707 ]
      https://github.com/jeecgboot/JeecgBoot/issues/9553
      https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014
      https://github.com/jeecgboot/JeecgBoot/


    n/a--JeecgBoot
    A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7604 [ https://www.cve.org/CVERecord?id=CVE-2026-7604 ]
    VDB-360561 | JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery [ https://vuldb.com/vuln/360561 ]
    VDB-360561 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360561/cti ]
    Submit #805708 | jeecgboot JeecgBoot <= v3.9.1 SSRF [ https://vuldb.com/submit/805708 ]
    https://github.com/jeecgboot/JeecgBoot/issues/9554
    https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151
    https://github.com/jeecgboot/JeecgBoot/

    n/a--JeecgBoot
    A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7605 [ https://www.cve.org/CVERecord?id=CVE-2026-7605 ]
    VDB-360562 | JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery [ https://vuldb.com/vuln/360562 ]
    VDB-360562 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360562/cti ]
    Submit #805709 | jeecgboot JeecgBoot <= v3.9.1 SSRF [ https://vuldb.com/submit/805709 ]
    https://github.com/jeecgboot/JeecgBoot/issues/9555
    https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271
    https://github.com/jeecgboot/JeecgBoot/

    TRENDnet--TEW-821DAP
    A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Udpate. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7609 [ https://www.cve.org/CVERecord?id=CVE-2026-7609 ]
    VDB-360566 | TRENDnet TEW-821DAP Firmware Udpate diagnostic tools_diagnostic os command injection [ https://vuldb.com/vuln/360566 ]
    VDB-360566 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360566/cti ]
    Submit #806216 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O [ https://vuldb.com/submit/806216 ]
    https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md

    8nite--metatrader-4-mcp
    A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7627 [ https://www.cve.org/CVERecord?id=CVE-2026-7627 ]
    VDB-360573 | 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal [ https://vuldb.com/vuln/360573 ]
    VDB-360573 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360573/cti ]
    Submit #806286 | 8nite metatrader-4-mcp 1.0.0 Path Traversal [ https://vuldb.com/submit/806286 ]
    https://github.com/8nite/metatrader-4-mcp/issues/1
    https://github.com/8nite/metatrader-4-mcp/

    crazyrabbitLTC--mcp-code-review-server
    A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7628 [ https://www.cve.org/CVERecord?id=CVE-2026-7628 ]
    VDB-360574 | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection [ https://vuldb.com/vuln/360574 ]
    VDB-360574 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360574/cti ]
    Submit #806469 | crazyrabbitLTC mcp-code-review-server <=0.1.0 Command Injection [ https://vuldb.com/submit/806469 ]
    https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4
    https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5
    https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf
    https://github.com/crazyrabbitLTC/mcp-code-review-server/

    kleneway--awesome-cursor-mpc-server
    A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Ccode-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7629 [ https://www.cve.org/CVERecord?id=CVE-2026-7629 ]
    VDB-360575 | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection [ https://vuldb.com/vuln/360575 ]
    VDB-360575 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360575/cti ]
    Submit #806470 | kleneway awesome-cursor-mpc-server <=2.0.1 Command Injection [ https://vuldb.com/submit/806470 ]
    https://github.com/kleneway/awesome-cursor-mpc-server/issues/6
    https://github.com/kleneway/awesome-cursor-mpc-server/pull/14
    https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf
    https://github.com/kleneway/awesome-cursor-mpc-server/

    Totolink--N300RH
    A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed from remote. The exploit is publicly available and might be used.
    Published: 2026-05-02 | CVSS: 6.5 | CVE-2026-7633 [ https://www.cve.org/CVERecord?id=CVE-2026-7633 ]
    VDB-360579 | Totolink N300RH cstecgi.cgi setUploadSetting file inclusion [ https://vuldb.com/vuln/360579 ]
    VDB-360579 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360579/cti ]
    Submit #806597 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting [ https://vuldb.com/submit/806597 ]
    https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP
    https://www.totolink.net/

    pskill9--website-downloader
    A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7642 [ https://www.cve.org/CVERecord?id=CVE-2026-7642 ]
    VDB-360754 | pskill9 website-downloader MCP index.ts download_website os command injection [ https://vuldb.com/vuln/360754 ]
    VDB-360754 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360754/cti ]
    Submit #806812 | pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection [ https://vuldb.com/submit/806812 ]
    https://github.com/pskill9/website-downloader/issues/7
    https://github.com/BruceJqs/public_exp/issues/31
    https://github.com/pskill9/website-downloader/

    ruvnet--sublinear-time-solver
    A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02 | CVSS: 6.5 | CVE-2026-7645 [ https://www.cve.org/CVERecord?id=CVE-2026-7645 ]
    VDB-360757 | ruvnet sublinear-time-solver MCP server.js export_state path traversal [ https://vuldb.com/vuln/360757 ]
    VDB-360757 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360757/cti ]
    Submit #806895 | ruvnet sublinear-time-solver / consciousness-explorer sublinear-time-solver 1.5.0, consciousness-explorer 1.1.1, commit 1210646955f33abe5c91f894cc7b04d024f62408 Path Traversal [ https://vuldb.com/submit/806895 ]
    https://github.com/ruvnet/sublinear-time-solver/issues/19
    https://github.com/ruvnet/sublinear-time-solver/

    r-huijts--mcp-server-rijksmuseum
    A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
    Published: 2026-05-02 | CVSS: 6.3 | CVE-2026-7653 [ https://www.cve.org/CVERecord?id=CVE-2026-7653 ]
    VDB-360778 | r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection [ https://vuldb.com/vuln/360778 ]
    VDB-360778 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360778/cti ]
    Submit #806909 | r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection [ https://vuldb.com/submit/806909 ]
    https://github.com/r-huijts/rijksmuseum-mcp/issues/9

    youlaitech--youlai-boot
    A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7672 [ https://www.cve.org/CVERecord?id=CVE-2026-7672 ]
    VDB-360825 | youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection [ https://vuldb.com/vuln/360825 ]
    VDB-360825 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360825/cti ]
    Submit #800658 | youlaitech youlai-boot v2.21.1 SQL Injection [ https://vuldb.com/submit/800658 ]
    https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink

    YunaiV--yudao-cloud
    A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7678 [ https://www.cve.org/CVERecord?id=CVE-2026-7678 ]
    VDB-360831 | YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection [ https://vuldb.com/vuln/360831 ]
    VDB-360831 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360831/cti ]
    Submit #800865 | YunaiV yudao-cloud yudao-cloud up to 2026.01 SQL Injection [ https://vuldb.com/submit/800865 ]
    https://github.com/9str0IL/CVE/issues/2

    jsbroks--COCO Annotator
    A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.5 | CVE-2026-7681 [ https://www.cve.org/CVERecord?id=CVE-2026-7681 ]
    VDB-360834 | jsbroks COCO Annotator Dataset API datasets.py authorization [ https://vuldb.com/vuln/360834 ]
    VDB-360834 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360834/cti ]
    Submit #801408 | jsbroks COCO Annotator 0.11.1 Authorization Bypass [ https://vuldb.com/submit/801408 ]
    https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication

    Edimax--BR-6208AC
    A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7682 [ https://www.cve.org/CVERecord?id=CVE-2026-7682 ]
    VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection [ https://vuldb.com/vuln/360841 ]
    VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360841/cti ]
    Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection [ https://vuldb.com/submit/801572 ]
    https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f

    Edimax--BR-6428nC
    A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7683 [ https://www.cve.org/CVERecord?id=CVE-2026-7683 ]
    VDB-360842 | Edimax BR-6428nC Web setWAN command injection [ https://vuldb.com/vuln/360842 ]
    VDB-360842 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360842/cti ]
    Submit #801597 | Edimax BR-6428nC v1.16 v1.16 Command Injection [ https://vuldb.com/submit/801597 ]
    Submit #801598 | Edimax BR-6428nC v1.16 v1.16 Command Injection (Duplicate) [ https://vuldb.com/submit/801598 ]
    https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00
    https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80

    langflow-ai--langflow
    A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7687 [ https://www.cve.org/CVERecord?id=CVE-2026-7687 ]
    VDB-360857 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection [ https://vuldb.com/vuln/360857 ]
    VDB-360857 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360857/cti ]
    Submit #798731 | langflow-ai langflow 1.8.4 Command Injection [ https://vuldb.com/submit/798731 ]
    https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb

    Wavlink--WL-WN570HA1
    A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendor acted very professionally and confirms "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7690 [ https://www.cve.org/CVERecord?id=CVE-2026-7690 ]
    VDB-360860 | Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection [ https://vuldb.com/vuln/360860 ]
    VDB-360860 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360860/cti ]
    Submit #807805 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection [ https://vuldb.com/submit/807805 ]
    https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link

    Wavlink--WL-WN570HA1
    A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendor acted very professionally and confirms "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7691 [ https://www.cve.org/CVERecord?id=CVE-2026-7691 ]
    VDB-360861 | Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection [ https://vuldb.com/vuln/360861 ]
    VDB-360861 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360861/cti ]
    Submit #807806 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection [ https://vuldb.com/submit/807806 ]
    https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link

    Wavlink--WL-WN570HA1
    A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendor acted very professionally and confirms "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7692 [ https://www.cve.org/CVERecord?id=CVE-2026-7692 ]
    VDB-360862 | Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection [ https://vuldb.com/vuln/360862 ]
    VDB-360862 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360862/cti ]
    Submit #807807 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection [ https://vuldb.com/submit/807807 ]
    https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link

    Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform
    A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7696 [ https://www.cve.org/CVERecord?id=CVE-2026-7696 ]
    VDB-360865 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload [ https://vuldb.com/vuln/360865 ]
    VDB-360865 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360865/cti ]
    Submit #807944 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 Unrestricted Upload of File with Dangerous Type [ https://vuldb.com/submit/807944 ]
    https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink

    Dromara--MaxKey
    A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7699 [ https://www.cve.org/CVERecord?id=CVE-2026-7699 ]
    VDB-360868 | Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection [ https://vuldb.com/vuln/360868 ]
    VDB-360868 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360868/cti ]
    Submit #804260 | Dromara MaxKey 3.5.13 SQL Injection [ https://vuldb.com/submit/804260 ]
    https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection

    langflow-ai--langflow
    A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7700 [ https://www.cve.org/CVERecord?id=CVE-2026-7700 ]
    VDB-360869 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection [ https://vuldb.com/vuln/360869 ]
    VDB-360869 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360869/cti ]
    Submit #804305 | langflow-ai Langflow Desktop 1.8.3 Execution with Unnecessary Privileges [ https://vuldb.com/submit/804305 ]
    https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B

    JD Cloud--JDCOS
    A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7705 [ https://www.cve.org/CVERecord?id=CVE-2026-7705 ]
    VDB-360881 | JD Cloud JDCOS Service jdcap set_iptv_info command injection [ https://vuldb.com/vuln/360881 ]
    VDB-360881 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360881/cti ]
    Submit #805644 | jdcloud 京东云无线宝ER1 太乙 (JD Cloud Wireless Treasure ER1 Taiyi) wired gigabit router JDCOS-JDC08-4.5.1.r4518 Remote code execution [ https://vuldb.com/submit/805644 ]
    https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46

    janeczku--Calibre-Web
    A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7709 [ https://www.cve.org/CVERecord?id=CVE-2026-7709 ]
    VDB-360885 | janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization [ https://vuldb.com/vuln/360885 ]
    VDB-360885 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360885/cti ]
    Submit #805823 | Janeczku Calibre-web V0.6.7-V0.6.26 IDOR in auth-token generation leading to account takeover / user [ https://vuldb.com/submit/805823 ]
    https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link

    n/a--MindsDB
    A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
    Published: 2026-05-03 | CVSS: 6.3 | CVE-2026-7712 [ https://www.cve.org/CVERecord?id=CVE-2026-7712 ]
    VDB-360888 | MindsDB Pickle pickle.loads deserialization [ https://vuldb.com/vuln/360888 ]
    VDB-360888 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360888/cti ]
    Submit #806827 | https://github.com/mindsdb/mindsdb <=26.01 Remote Code Execution [ https://vuldb.com/submit/806827 ]
    https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md

    Merge--Merge PACS
    Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.
    Published: 2026-04-29 | CVSS: 5.3 | CVE-2018-25298 [ https://www.cve.org/CVERecord?id=CVE-2018-25298 ]
    ExploitDB-44681 [ https://www.exploit-db.com/exploits/44681 ]
    Official Product Homepage [ http://www.merge.com/ ]
    VulnCheck Advisory: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer [ https://www.vulncheck.com/advisories/merge-pacs-cross-site-request-forgery-via-merge-viewer ]

    IBM--Db2
    IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.
    Published: 2026-04-30 | CVSS: 5.3 | CVE-2025-14688 [ https://www.cve.org/CVERecord?id=CVE-2025-14688 ]
    https://www.ibm.com/support/pages/node/7269424

    IBM--watsonx.data
    IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods, which could allow an attacker to transfer data between pods without restrictions.
    Published: 2026-04-30 | CVSS: 5.3 | CVE-2025-36180 [ https://www.cve.org/CVERecord?id=CVE-2025-36180 ]
    https://www.ibm.com/support/pages/node/7270593

    Dell--Alienware Command Center (AWCC)
    Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.
    Published: 2026-04-27 | CVSS: 5.3 | CVE-2026-32655 [ https://www.cve.org/CVERecord?id=CVE-2026-32655 ]
    https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities

    Elastic--Elastic Package Registry
    Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.
    Published: 2026-04-28 | CVSS: 5.9 | CVE-2026-33467 [ https://www.cve.org/CVERecord?id=CVE-2026-33467 ]
    https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081

    dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy
    The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.
    Published: 2026-05-02 | CVSS: 5.3 | CVE-2026-3504 [ https://www.cve.org/CVERecord?id=CVE-2026-3504 ]
    https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve
    https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125
    https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835
    https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854
    https://plugins.trac.wordpress.org/changeset/3481799/
n/a--V2Board v1.7.4
Sensitive server_token exposed via GET parameter in V2Board thru 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.
Published: 2026-05-01 | CVSS: 5.3 | CVE-2026-37504 [ https://www.cve.org/CVERecord?id=CVE-2026-37504 ]
Source:
https://github.com/v2board/v2board
https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

complianz--Complianz GDPR/CCPA Cookie Consent
The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.
Published: 2026-04-29 | CVSS: 5.3 | CVE-2026-4019 [ https://www.cve.org/CVERecord?id=CVE-2026-4019 ]
Source:
https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve
https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61
https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54
https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61
https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php
https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6

diplodoc-platform--@diplodoc/search-extension
@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.
Published: 2026-05-01 | CVSS: 5.4 | CVE-2026-40201 [ https://www.cve.org/CVERecord?id=CVE-2026-40201 ]
Source:
https://github.com/diplodoc-platform/search-extension/releases
https://github.com/diplodoc-platform/search-extension/pull/41
https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3
https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md

wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor
The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.
Published: 2026-05-02 | CVSS: 5.3 | CVE-2026-4024 [ https://www.cve.org/CVERecord?id=CVE-2026-4024 ]
Source:
https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592
https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592

MIT--Kerberos 5
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.
Published: 2026-04-28 | CVSS: 5.9 | CVE-2026-40355 [ https://www.cve.org/CVERecord?id=CVE-2026-40355 ]
Source:
https://web.mit.edu/kerberos/advisories/
https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html
https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f

MIT--Kerberos 5
In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.
Published: 2026-04-28 | CVSS: 5.9 | CVE-2026-40356 [ https://www.cve.org/CVERecord?id=CVE-2026-40356 ]
Source:
https://web.mit.edu/kerberos/advisories/
https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html
https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f

SmarterTools Inc.--SmarterMail
SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.
Published: 2026-04-27 | CVSS: 5.9 | CVE-2026-40514 [ https://www.cve.org/CVERecord?id=CVE-2026-40514 ]
Source:
https://www.smartertools.com/smartermail/release-notes/current
https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng

Exim--Exim
In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.
Published: 2026-04-30 | CVSS: 5.9 | CVE-2026-40684 [ https://www.cve.org/CVERecord?id=CVE-2026-40684 ]
Source:
https://www.openwall.com/lists/oss-security/2026/04/30/21
https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment
https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81
https://exim.org/static/doc/security/CVE-2026-40684.txt

TRENDnet--TEW-821DAP
A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-02 | CVSS: 5.5 | CVE-2026-7608 [ https://www.cve.org/CVERecord?id=CVE-2026-7608 ]
Source:
VDB-360565 | TRENDnet TEW-821DAP tools_diagnostic os command injection [ https://vuldb.com/vuln/360565 ]
VDB-360565 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360565/cti ]
Submit #806215 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an OS [ https://vuldb.com/submit/806215 ]
https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md

code-projects--Online Hospital Management System
A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used.
Published: 2026-05-02 | CVSS: 5.4 | CVE-2026-7631 [ https://www.cve.org/CVERecord?id=CVE-2026-7631 ]
Source:
VDB-360577 | code-projects Online Hospital Management System Registration improper authorization [ https://vuldb.com/vuln/360577 ]
VDB-360577 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360577/cti ]
Submit #806565 | Code-projects Online Hospital Management System V1.0 unauthorized access [ https://vuldb.com/submit/806565 ]
https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md
https://code-projects.org/

appcheap--App Builder Create Native Android & iOS Apps On The Flight
The App Builder - Create Native Android & iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.
Published: 2026-05-02 | CVSS: 5.3 | CVE-2026-7638 [ https://www.cve.org/CVERecord?id=CVE-2026-7638 ]
Source:
https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve
https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80
https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161
https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161
https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33

sgl-project--SGLang
A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-02 | CVSS: 5.6 | CVE-2026-7669 [ https://www.cve.org/CVERecord?id=CVE-2026-7669 ]
Source:
VDB-360817 | sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection [ https://vuldb.com/vuln/360817 ]
VDB-360817 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360817/cti ]
Submit #799263 | sgl-project sglang <=0.5.9 Protection Mechanism Failure [ https://vuldb.com/submit/799263 ]
https://github.com/gouldnicholas/CVE-2026-7669-PoC

eyeo--Adblock Plus
A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
Published: 2026-05-03 | CVSS: 5.3 | CVE-2026-7686 [ https://www.cve.org/CVERecord?id=CVE-2026-7686 ]
Source:
VDB-360856 | eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control [ https://vuldb.com/vuln/360856 ]
VDB-360856 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360856/cti ]
Submit #793551 | Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation [ https://vuldb.com/submit/793551 ]
https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md
https://adblockplus.org/en/download

Dolibarr--ERP CRM
A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack can be carried out remotely. A high degree of complexity is needed for the attack, and the exploitability is considered difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 5 | CVE-2026-7688 [ https://www.cve.org/CVERecord?id=CVE-2026-7688 ]
Source:
VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection [ https://vuldb.com/vuln/360858 ]
VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360858/cti ]
Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection [ https://vuldb.com/submit/799337 ]

toeverything--AFFiNE
A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 5.3 | CVE-2026-7702 [ https://www.cve.org/CVERecord?id=CVE-2026-7702 ]
Source:
VDB-360871 | toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization [ https://vuldb.com/vuln/360871 ]
VDB-360871 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360871/cti ]
Submit #804455 | AFFiNE AFFiNE (https://github.com/toeverything/AFFiNE) 0.26.3 Authorization Bypass [ https://vuldb.com/submit/804455 ]
https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4

VideoFlow Ltd.--VideoFlow Digital Video Protection
VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools > System > Shell interface, gaining root-level access to the device.
Published: 2026-04-29 | CVSS: 4.3 | CVE-2018-25310 [ https://www.cve.org/CVERecord?id=CVE-2018-25310 ]
Source:
ExploitDB-44387 [ https://www.exploit-db.com/exploits/44387 ]
Vulnerability Advisory [ https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php ]
VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution [ https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-remote-code-execution ]

gnu--wget2
wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.
Published: 2026-04-29 | CVSS: 4.8 | CVE-2026-1858 [ https://www.cve.org/CVERecord?id=CVE-2026-1858 ]
Source:
https://www.tenable.com/security/research/tra-2026-37

wazuh--wazuh
Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.
Published: 2026-04-29 | CVSS: 4.4 | CVE-2026-26204 [ https://www.cve.org/CVERecord?id=CVE-2026-26204 ]
Source:
https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857
https://github.com/wazuh/wazuh/releases/tag/v4.14.4

Oracle Corporation--Oracle Linux
An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p , pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.
Published: 2026-05-01 | CVSS: 4.4 | CVE-2026-35233 [ https://www.cve.org/CVERecord?id=CVE-2026-35233 ]
Source:
Oracle Advisory [ https://linux.oracle.com/cve/CVE-2026-35233.html ]

n/a--V2Board v1.7.4
SQL Injection via ORDER BY clause in V2Board thru 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis.
Published: 2026-05-01 | CVSS: 4.9 | CVE-2026-37505 [ https://www.cve.org/CVERecord?id=CVE-2026-37505 ]
Source:
https://github.com/v2board/v2board
https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9

nextlevelbuilder--ui-ux-pro-max-skill
A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.
Published: 2026-05-01 | CVSS: 4.3 | CVE-2026-7596 [ https://www.cve.org/CVERecord?id=CVE-2026-7596 ]
Source:
VDB-360549 | nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting [ https://vuldb.com/vuln/360549 ]
VDB-360549 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360549/cti ]
Submit #805510 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Slide Generator Multiple Stored XSS [ https://vuldb.com/submit/805510 ]
https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247
https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274
https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/

n/a--Open5GS
A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack can be carried out remotely. Upgrading to version 2.7.7 addresses this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component.
Published: 2026-05-02 | CVSS: 4.3 | CVE-2026-7601 [ https://www.cve.org/CVERecord?id=CVE-2026-7601 ]
Source:
VDB-360558 | Open5GS AMF gmm-handler.c denial of service [ https://vuldb.com/vuln/360558 ]
VDB-360558 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360558/cti ]
Submit #805675 | Open5GS v.2.7.6 Denial of Service [ https://vuldb.com/submit/805675 ]
https://github.com/open5gs/open5gs/issues/4321
https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426
https://github.com/open5gs/open5gs/releases/tag/v2.7.7
https://github.com/open5gs/open5gs/

itsourcecode--Courier Management System
A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed remotely. The exploit has been publicly disclosed and may be utilized.
Published: 2026-05-02 | CVSS: 4.7 | CVE-2026-7612 [ https://www.cve.org/CVERecord?id=CVE-2026-7612 ]
Source:
VDB-360569 | itsourcecode Courier Management System edit_user.php sql injection [ https://vuldb.com/vuln/360569 ]
VDB-360569 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360569/cti ]
Submit #806275 | itsourcecode Courier Management System V1.0 SQL Injection [ https://vuldb.com/submit/806275 ]
https://github.com/ltranquility/submit/issues/12
https://itsourcecode.com/

ChatGPTNextWeb--NextChat
A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-02 | CVSS: 4.3 | CVE-2026-7643 [ https://www.cve.org/CVERecord?id=CVE-2026-7643 ]
Source:
VDB-360755 | ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy [ https://vuldb.com/vuln/360755 ]
VDB-360755 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360755/cti ]
Submit #806833 | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy [ https://vuldb.com/submit/806833 ]
https://github.com/ChatGPTNextWeb/NextChat/issues/6756
https://github.com/ChatGPTNextWeb/NextChat/

n/a--crmeb_java
A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 4.7 | CVE-2026-7673 [ https://www.cve.org/CVERecord?id=CVE-2026-7673 ]
Source:
VDB-360826 | crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload [ https://vuldb.com/vuln/360826 ]
VDB-360826 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360826/cti ]
Submit #800684 | crmeb crmeb_java 1.3.4 Unrestricted Upload [ https://vuldb.com/submit/800684 ]
https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink

kerwincui--FastBee
A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 4.3 | CVE-2026-7676 [ https://www.cve.org/CVERecord?id=CVE-2026-7676 ]
Source:
VDB-360829 | kerwincui FastBee Tool Download Endpoint ToolController.java ToolController.download path traversal [ https://vuldb.com/vuln/360829 ]
VDB-360829 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360829/cti ]
Submit #800723 | kerwincui FastBee ≤ 1.2.1 Path Traversal [ https://vuldb.com/submit/800723 ]
https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink

jsbroks--COCO Annotator
A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 4.3 | CVE-2026-7680 [ https://www.cve.org/CVERecord?id=CVE-2026-7680 ]
Source:
VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal [ https://vuldb.com/vuln/360833 ]
VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360833/cti ]
Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal [ https://vuldb.com/submit/801150 ]
https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter

AMTT--Hotel Broadband Operation System
A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 4.7 | CVE-2026-7697 [ https://www.cve.org/CVERecord?id=CVE-2026-7697 ]
Source:
VDB-360866 | AMTT Hotel Broadband Operation System cardhand_submit.php sql injection [ https://vuldb.com/vuln/360866 ]
VDB-360866 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360866/cti ]
Submit #803272 | Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection [ https://vuldb.com/submit/803272 ]
https://github.com/testnet0/testnet/issues/74

Telegram--Desktop
A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03 | CVSS: 4.3 | CVE-2026-7701 [ https://www.cve.org/CVERecord?id=CVE-2026-7701 ]
Source:
VDB-360870 | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference [ https://vuldb.com/vuln/360870 ]
VDB-360870 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360870/cti ]
Submit #804341 | Telegram Telegram Desktop <= 6.7.5 NULL Pointer Dereference [ https://vuldb.com/submit/804341 ]
https://www.youtube.com/watch?v=xo9Bplsy1K8

AV Stumpfl--Pixera Two Media Server
A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.
Published: 2026-05-03 | CVSS: 4.3 | CVE-2026-7704 [ https://www.cve.org/CVERecord?id=CVE-2026-7704 ]
Source:
VDB-360873 | AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal [ https://vuldb.com/vuln/360873 ]
VDB-360873 | CTI Indicators (IOB, IOC, TTP) [ https://vuldb.com/vuln/360873/cti ]
Submit #805275 | AV Stumpfl Pixera Two Media Server < 25.2 R3 Arbitrary File Read [ https://vuldb.com/submit/805275 ]
https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608
https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog

n/a--Open5GS
A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-05-03 | CVSS: 4.3 | CVE-2026-7706 [ https://www.cve.org/CVERecord?id=CVE-2026-7706 ]
Source:
VDB-360882 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service [ https://vuldb.com/vuln/360882 ]
VDB-360882 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360882/cti ]
Submit #805698 | Open5GS AMF v2.7.7 Denial of Service [ https://vuldb.com/submit/805698 ]
https://github.com/open5gs/open5gs/issues/4409
https://github.com/open5gs/open5gs/

    =C2=A0 n/a--Open5GS A vulnerability was found in Open5GS up to 2.7.7. Impac= ted is the function udr_nudr_dr_handle_subscription_context of the file /sr= c/udr/nudr-handler.c of the component UDR. The manipulation of the argument=
    pei results in denial of service. The attack can be launched remotely. The=
    exploit has been made public and could be used. The project was informed o=
    f the problem early through an issue report but has not responded yet. 2026= -05-03 4.3 CVE-2026-7707 [ https://www.cve.org/CVERecord?id=3DCVE-2026-7707=
    ] VDB-360883 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_= context denial of service [ https://vuldb.com/vuln/360883 ]
    VDB-360883 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/3= 60883/cti ]
    Submit #805699 | Open5gs UDR v2.7.7 Denial of Service [ https://vuldb.com/s= ubmit/805699 ]
    Submit #805700 | Open5gs UDR v2.7.7 Denial of Service (Duplicate) [ https:/= /vuldb.com/submit/805700 ]
    https://github.com/open5gs/open5gs/issues/4410 https://github.com/open5gs/open5gs/issues/4411 https://github.com/open5gs/open5gs/
    =C2=A0 n/a--Open5GS A vulnerability was determined in Open5GS up to 2.7.7. = The affected element is the function ogs_dbi_subscription_data in the libra=
    ry /lib/dbi/subscription.c of the component UDR. This manipulation of the a= rgument supi_id causes denial of service. The attack may be initiated remot= ely. The exploit has been publicly disclosed and may be utilized. The proje=
    ct was informed of the problem early through an issue report but has not re= sponded yet. 2026-05-03 4.3 CVE-2026-7708 [ https://www.cve.org/CVERecord?i= d=3DCVE-2026-7708 ] VDB-360884 | Open5GS UDR subscription.c ogs_dbi_subscri= ption_data denial of service [ https://vuldb.com/vuln/360884 ]
    VDB-360884 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/3= 60884/cti ]
    Submit #805701 | Open5gs UDR v2.7.7 Denial of Service [ https://vuldb.com/s= ubmit/805701 ]
    https://github.com/open5gs/open5gs/issues/4412 https://github.com/open5gs/open5gs/
    =C2=A0=20


Low Vulnerabilities

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

Vendor -- Product: Oracle Corporation -- Oracle Linux
Description: An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer divide-by-zero in Pbuild_file_symtab().
Published: 2026-05-01
CVSS Score: 3.3
Source Info: CVE-2026-21996 [ https://www.cve.org/CVERecord?id=CVE-2026-21996 ]
Patch Info: Oracle Advisory [ https://linux.oracle.com/cve/CVE-2026-21996.html ]

Vendor -- Product: redhat[.]com -- gnutls
Description: A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.
Published: 2026-04-30
CVSS Score: 3.7
Source Info: CVE-2026-3832 [ https://www.cve.org/CVERecord?id=CVE-2026-3832 ]
Patch Info: RHSA-2026:13274 [ https://access.redhat.com/errata/RHSA-2026:13274 ]
  https://access.redhat.com/security/cve/CVE-2026-3832
  RHBZ#2445762 [ https://bugzilla.redhat.com/show_bug.cgi?id=2445762 ]
  https://gitlab.com/gnutls/gnutls/-/issues/1801

Vendor -- Product: TRENDnet -- TEW-821DAP
Description: A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-02
CVSS Score: 3.7
Source Info: CVE-2026-7606 [ https://www.cve.org/CVERecord?id=CVE-2026-7606 ]
Patch Info: VDB-360563 | TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity [ https://vuldb.com/vuln/360563 ]
  VDB-360563 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360563/cti ]
  Submit #806213 | Trendnet TEW-821DAP v1.12B01 CWE-287 Improper Authentication [ https://vuldb.com/submit/806213 ]
  https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md

Vendor -- Product: TRENDnet -- TEW-821DAP
Description: A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-02
CVSS Score: 3.7
Source Info: CVE-2026-7610 [ https://www.cve.org/CVERecord?id=CVE-2026-7610 ]
Patch Info: VDB-360567 | TRENDnet TEW-821DAP Firmware Update ssi cleartext transmission [ https://vuldb.com/vuln/360567 ]
  VDB-360567 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360567/cti ]
  Submit #806217 | Trendnet TEW-821DAP v1.12B01 CWE-319: Cleartext Transmission of Sensitive Information [ https://vuldb.com/submit/806217 ]
  https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md

Vendor -- Product: TRENDnet -- TEW-821DAP
Description: A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack can be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.
Published: 2026-05-02
CVSS Score: 3.7
Source Info: CVE-2026-7611 [ https://www.cve.org/CVERecord?id=CVE-2026-7611 ]
Patch Info: VDB-360568 | TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity [ https://vuldb.com/vuln/360568 ]
  VDB-360568 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360568/cti ]
  Submit #806218 | Trendnet TEW-821DAP v1.12B01 CWE-327 Use of a Broken or Risky Cryptographic Algorithm [ https://vuldb.com/submit/806218 ]
  https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md

Vendor -- Product: CodeWise -- Tornet Scooter Mobile App
Description: A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed remotely. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-02
CVSS Score: 3.7
Source Info: CVE-2026-7671 [ https://www.cve.org/CVERecord?id=CVE-2026-7671 ]
Patch Info: VDB-360819 | CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication [ https://vuldb.com/vuln/360819 ]
  VDB-360819 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360819/cti ]
  Submit #799987 | CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3 [ https://vuldb.com/submit/799987 ]
  https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO

Vendor -- Product: kerwincui -- FastBee
Description: A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
CVSS Score: 3.5
Source Info: CVE-2026-7677 [ https://www.cve.org/CVERecord?id=CVE-2026-7677 ]
Patch Info: VDB-360830 | kerwincui FastBee System Notice SysNoticeController.java add cross site scripting [ https://vuldb.com/vuln/360830 ]
  VDB-360830 | CTI Indicators (IOB, IOC, TTP, IOA) [ https://vuldb.com/vuln/360830/cti ]
  Submit #800724 | kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax [ https://vuldb.com/submit/800724 ]
  https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink

Vendor -- Product: Dolibarr -- ERP CRM
Description: A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of a cryptographic signature. The attack may be performed remotely. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Published: 2026-05-03
CVSS Score: 3.7
Source Info: CVE-2026-7689 [ https://www.cve.org/CVERecord?id=CVE-2026-7689 ]
Patch Info: VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification [ https://vuldb.com/vuln/360859 ]
  VDB-360859 | CTI Indicators (IOB, IOC, IOA) [ https://vuldb.com/vuln/360859/cti ]
  Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues [ https://vuldb.com/submit/801794 ]
  https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158


Severity Not Yet Assigned

Columns: Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info

Vendor -- Product: n/a -- Sourcecodester Online Job Portal phppdo 1.0
Description: A SQL injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 via the category parameter in /jobportal/index.php.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2021-36438 [ https://www.cve.org/CVERecord?id=CVE-2021-36438 ]
Patch Info: https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/
  https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/

Vendor -- Product: Lobster GmbH -- Lobster_pro
Description: Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and to perform HTTP GET requests to arbitrary services.
Published: 2026-04-30
CVSS Score: not yet calculated
Source Info: CVE-2024-13971 [ https://www.cve.org/CVERecord?id=CVE-2024-13971 ]
Patch Info: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/

Vendor -- Product: 4D -- 4D Server
Description: Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D Server. This allows them to obtain read access to files on the application server and adjacent network shares, and to perform HTTP GET requests to arbitrary services.
Published: 2026-04-30
CVSS Score: not yet calculated
Source Info: CVE-2024-39847 [ https://www.cve.org/CVERecord?id=CVE-2024-39847 ]
Patch Info: https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/
  https://4d.com

Vendor -- Product: n/a -- NASA EOSDIS MODAPS
Description: NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2024-46636 [ https://www.cve.org/CVERecord?id=CVE-2024-46636 ]
Patch Info: https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/
  https://bugcrowd.com/Xnu11
  https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS

Vendor -- Product: Hanwha Vision -- QND-8080R
Description: Penetration testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.
Published: 2026-04-28
CVSS Score: not yet calculated
Source Info: CVE-2024-54011 [ https://www.cve.org/CVERecord?id=CVE-2024-54011 ]
Patch Info: https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf

Vendor -- Product: Hanwha Vision -- QND-8080R
Description: Penetration testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.
Published: 2026-04-28
CVSS Score: not yet calculated
Source Info: CVE-2024-54012 [ https://www.cve.org/CVERecord?id=CVE-2024-54012 ]
Patch Info: https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf

Vendor -- Product: Hanwha Vision -- QND-8080R
Description: Penetration testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.
Published: 2026-04-28
CVSS Score: not yet calculated
Source Info: CVE-2024-54013 [ https://www.cve.org/CVERecord?id=CVE-2024-54013 ]
Patch Info: https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf

Vendor -- Product: DeskTime -- DeskTime Time Tracking App
Description: Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.
Published: 2026-04-28
CVSS Score: not yet calculated
Source Info: CVE-2025-10539 [ https://www.cve.org/CVERecord?id=CVE-2025-10539 ]
Patch Info: https://r.sec-consult.com/desktime
  https://desktime.com/download

Vendor -- Product: RTI -- Connext Professional
Description: Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.
Published: 2026-04-30
CVSS Score: not yet calculated
Source Info: CVE-2025-14543 [ https://www.cve.org/CVERecord?id=CVE-2025-14543 ]
Patch Info: https://www.rti.com/vulnerabilities/#cve-2025-14543

Vendor -- Product: The Qt Company -- Qt
Description: Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.
Published: 2026-04-30
CVSS Score: not yet calculated
Source Info: CVE-2025-14576 [ https://www.cve.org/CVERecord?id=CVE-2025-14576 ]
Patch Info: Qt Code Review - Fix for QTBUG-142556 [ https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273 ]

Vendor -- Product: Ribblr -- Crochet and Knitting
Description: An authenticated user can bypass authorization in the Ribblr - Crochet & Knitting iOS application.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2025-15626 [ https://www.cve.org/CVERecord?id=CVE-2025-15626 ]
Patch Info: https://ribblr.com/

Vendor -- Product: Apache Software Foundation -- Apache Thrift
Description: Mismatched Memory Management Routines vulnerability in the Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.
Published: 2026-04-28
CVSS Score: not yet calculated
Source Info: CVE-2025-48431 [ https://www.cve.org/CVERecord?id=CVE-2025-48431 ]
Patch Info: https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql

Vendor -- Product: n/a -- B1 Free Archiver v1.5.86
Description: A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2025-50328 [ https://www.cve.org/CVERecord?id=CVE-2025-50328 ]
Patch Info: https://b1.org/
  https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version

Vendor -- Product: passmark[.]com -- BurnInTest v11.0
Description: An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2025-52347 [ https://www.cve.org/CVERecord?id=CVE-2025-52347 ]
Patch Info: https://www.passmark.com/products/performancetest/history.php
  https://www.osforensics.com/whats-new.html
  https://www.passmark.com/products/burnintest/history.php
  https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347
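The B1 Free Archiver entry above turns on one detail: Mark of the Web is nothing more than an NTFS alternate data stream named Zone.Identifier, so an extractor that writes plain files and never copies that stream silently strips SmartScreen's trigger. The following is an added example (not B1 Free Archiver's code and not from any of the linked references) that parses and classifies a Zone.Identifier stream and, on Windows, copies a downloaded archive's stream onto extracted files that lack one. The sample streams are constructed here; the stream layout ([ZoneTransfer] section with ZoneId, optional ReferrerUrl and HostUrl) is the documented Windows format, and the zone-to-name mapping follows the standard URL security zones.

```python
"""Added example (not B1 Free Archiver code): parse and classify the Zone.Identifier
alternate data stream that carries Mark of the Web, and (on NTFS) copy it from a
downloaded archive onto the files extracted from it when the extractor did not."""
import os

ZONE_NAMES = {0: "LocalMachine", 1: "LocalIntranet", 2: "TrustedSites",
              3: "Internet", 4: "RestrictedSites"}
STREAM_SUFFIX = ":Zone.Identifier"


def parse_zone_identifier(text: str):
    """Parse the INI-style stream; returns None if there is no usable [ZoneTransfer] ZoneId."""
    section, fields = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "ZoneTransfer" and "=" in line:
            key, value = line.split("=", 1)
            fields[key.strip()] = value.strip()
    zone = fields.get("ZoneId", "")
    if not zone.isdigit():
        return None
    return {"ZoneId": int(zone), "ZoneName": ZONE_NAMES.get(int(zone), "Unknown"),
            "ReferrerUrl": fields.get("ReferrerUrl"), "HostUrl": fields.get("HostUrl")}


def is_marked_untrusted(text: str) -> bool:
    """True for Internet (3) or RestrictedSites (4): the zones SmartScreen acts on."""
    zone = parse_zone_identifier(text)
    return zone is not None and zone["ZoneId"] >= 3


def render_zone_identifier(zone_id: int, referrer_url=None, host_url=None) -> str:
    """Build a stream in the same shape Windows writes (CRLF line endings)."""
    lines = ["[ZoneTransfer]", f"ZoneId={zone_id}"]
    if referrer_url:
        lines.append(f"ReferrerUrl={referrer_url}")
    if host_url:
        lines.append(f"HostUrl={host_url}")
    return "\r\n".join(lines) + "\r\n"


def read_motw(path: str):
    """Return the file's Zone.Identifier stream text, or None (NTFS on Windows only)."""
    if os.name != "nt":
        return None
    try:
        with open(path + STREAM_SUFFIX, "r", encoding="utf-8", errors="replace") as f:
            return f.read()
    except OSError:
        return None


def propagate_motw(archive_path: str, extracted_paths) -> list:
    """Copy the archive's MotW onto extracted files that lack one; returns the paths fixed.
    A well-behaved extractor does this itself; this is a post-extraction repair."""
    if os.name != "nt":
        raise OSError("alternate data streams need NTFS on Windows")
    source = read_motw(archive_path)
    if source is None or parse_zone_identifier(source) is None:
        return []
    fixed = []
    for path in extracted_paths:
        if read_motw(path) is None:
            with open(path + STREAM_SUFFIX, "w", encoding="utf-8") as f:
                f.write(source)
            fixed.append(path)
    return fixed


# Constructed sample streams for the demo (not captured from a real system).
SAMPLE_INTERNET = render_zone_identifier(3, host_url="https://downloads.example/tool.zip")
SAMPLE_LOCAL = "[ZoneTransfer]\r\nZoneId=0\r\n"

if __name__ == "__main__":
    print(parse_zone_identifier(SAMPLE_INTERNET))
    print(is_marked_untrusted(SAMPLE_INTERNET), is_marked_untrusted(SAMPLE_LOCAL))
```

After extracting with a tool you do not fully trust, `propagate_motw(archive, files)` restores the stream that SmartScreen keys on; the pure functions run anywhere, the two file-level helpers only on NTFS.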
Vendor -- Product: n/a -- Eprosima Micro-XRCE-DDS Agent v.3.0.1
Description: An issue in Eprosima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2025-63547 [ https://www.cve.org/CVERecord?id=CVE-2025-63547 ]
Patch Info: https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390
  https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md

Vendor -- Product: n/a -- Eprosima Micro-XRCE-DDS Agent v.3.0.1
Description: An issue in Eprosima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear an invalid value in any Boolean field.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2025-63548 [ https://www.cve.org/CVERecord?id=CVE-2025-63548 ]
Patch Info: https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389
  https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md

Vendor -- Product: n/a -- Pro-Bit
Description: An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access a sensitive directory and its subdirectories.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2025-69428 [ https://www.cve.org/CVERecord?id=CVE-2025-69428 ]
Patch Info: https://github.com/jasetpen/CVE-2025-69428

Vendor -- Product: n/a -- GSVoIP web panel v2.0.90
Description: A Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2025-69606 [ https://www.cve.org/CVERecord?id=CVE-2025-69606 ]
Patch Info: https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E
  https://www.solutionsvoip.com.br/
  https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS

Vendor -- Product: getfancontrol[.]com -- Fan Control App v251
Description: The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2025-69689 [ https://www.cve.org/CVERecord?id=CVE-2025-69689 ]
Patch Info: https://getfancontrol.com
  https://github.com/Rem0o/FanControl.Releases
  https://github.com/Rem0o/FanControl.Releases/releases/tag/V251
  https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529

Vendor -- Product: SonicWall -- SonicOS
Description: A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-0204 [ https://www.cve.org/CVERecord?id=CVE-2026-0204 ]
Patch Info: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004

Vendor -- Product: SonicWall -- SonicOS
Description: A post-authentication path traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-0205 [ https://www.cve.org/CVERecord?id=CVE-2026-0205 ]
Patch Info: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004

Vendor -- Product: SonicWall -- SonicOS
Description: A post-authentication stack-based buffer overflow vulnerability in SonicOS allows a remote attacker to crash a firewall.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-0206 [ https://www.cve.org/CVERecord?id=CVE-2026-0206 ]
Patch Info: https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004

Vendor -- Product: Wolters Kluwer Polska -- LEX Baza Dokumentów
Description: LEX Baza Dokumentów is vulnerable to DOM-based XSS in the "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with the ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4.
Published: 2026-04-30
CVSS Score: not yet calculated
Source Info: CVE-2026-1493 [ https://www.cve.org/CVERecord?id=CVE-2026-1493 ]
Patch Info: https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow
  https://cert.pl/posts/2026/04/CVE-2025-1493

Vendor -- Product: Samsung Mobile -- Samsung Mobile Devices
Description: Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of a specific application.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-21023 [ https://www.cve.org/CVERecord?id=CVE-2026-21023 ]
Patch Info: https://security.samsungmobile.com/securityUpdate.smsb?year=2026&month=03

Vendor -- Product: OPPO -- OPPO Wallet APP
Description: OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2026-22077 [ https://www.cve.org/CVERecord?id=CVE-2026-22077 ]
Patch Info: https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016

Vendor -- Product: Imagination Technologies -- Graphics DDK
Description: A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write use-after-free (UAF) crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable further exploits on the device.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2026-22165 [ https://www.cve.org/CVERecord?id=CVE-2026-22165 ]
Patch Info: https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Vendor -- Product: Imagination Technologies -- Graphics DDK
Description: A web page containing unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write use-after-free (UAF) crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable a subsequent exploit on the system.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2026-22166 [ https://www.cve.org/CVERecord?id=CVE-2026-22166 ]
Patch Info: https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Vendor -- Product: Imagination Technologies -- Graphics DDK
Description: Software installed and run as a non-privileged user may issue improper GPU system calls to force the GPU to write to arbitrary physical memory pages. Under certain circumstances this could be used to corrupt not only data pages allocated by the GPU driver but also memory pages in use by the kernel and drivers running on the platform, altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers, which can lead to a second-order effect of corrupted arbitrary physical memory.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2026-22167 [ https://www.cve.org/CVERecord?id=CVE-2026-22167 ]
Patch Info: https://www.imaginationtech.com/gpu-driver-vulnerabilities/

Vendor -- Product: Acronis -- Acronis DeviceLock DLP
Description: Local privilege escalation due to a DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-25852 [ https://www.cve.org/CVERecord?id=CVE-2026-25852 ]
Patch Info: SEC-7217 [ https://security-advisory.acronis.com/advisories/SEC-7217 ]

Vendor -- Product: arc53 -- DocsGPT
Description: DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker with access to either the official DocsGPT website or any local or public deployment can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-26015 [ https://www.cve.org/CVERecord?id=CVE-2026-26015 ]
Patch Info: https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74
  https://github.com/arc53/DocsGPT/releases/tag/0.16.0

Vendor -- Product: aver[.]com -- web mgt interface v0.1.0000.65
Description: A command injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.
Published: 2026-05-01
CVSS Score: not yet calculated
Source Info: CVE-2026-26461 [ https://www.cve.org/CVERecord?id=CVE-2026-26461 ]
Patch Info: https://www.aver.com/Downloads/search?q=PTC320UV2
  https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md

Vendor -- Product: Apache Software Foundation -- Apache Camel
Description: The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. Users on the 4.14.x LTS release stream are advised to upgrade to 4.14.6; users on the 4.18.x release stream are advised to upgrade to 4.18.1.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2026-27172 [ https://www.cve.org/CVERecord?id=CVE-2026-27172 ]
Patch Info: https://camel.apache.org/security/CVE-2026-27172.html
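The Camel entry above describes the general shape of a registry deserialization bug: a value is read from a store that more than one party can write to, and the deserializer is allowed to rebuild any class it is told to. The following is an added example, not Apache Camel's code: it models the same flaw and the same fix in Python's pickle, because pickle exposes the two halves cleanly. The "filtered" lookup plays the role of an ObjectInputStream with a deny-by-default ObjectInputFilter (in Java, ObjectInputFilter.Config.createFilter with a pattern that ends in "!*"); the KV store is a dict standing in for Consul, and the poisoned value is a hand-built pickle program that calls os.getcwd, a harmless stand-in for the os.system-style gadget a real attacker would use. Class and key names are invented for the demo.

```python
"""Added example (not Apache Camel code): a pickle analogue of reading serialized
values from a KV store and deserializing them with and without a class filter."""
import io
import os
import pickle
from dataclasses import dataclass


@dataclass
class ServiceEndpoint:
    """The kind of value a registry legitimately stores (invented for the demo)."""
    host: str
    port: int


def crafted_gadget_pickle() -> bytes:
    """A protocol-0 pickle program: GLOBAL os.getcwd, EMPTY_TUPLE, REDUCE, STOP.
    Loading it calls os.getcwd() and returns the result; swap the global for a
    destructive callable and you have the attacker's payload."""
    return b"cos\ngetcwd\n)R."


# Deny-by-default allowlist of (module, qualname) pairs the registry may rebuild.
ALLOWED_GLOBALS = {(ServiceEndpoint.__module__, "ServiceEndpoint")}


class FilteredUnpickler(pickle.Unpickler):
    """Equivalent in spirit to ObjectInputStream with a restrictive ObjectInputFilter:
    every class reference in the stream is checked before it is resolved."""

    def find_class(self, module, name):
        if (module, name) in ALLOWED_GLOBALS:
            return super().find_class(module, name)
        raise pickle.UnpicklingError(f"rejected global {module}.{name}")


def lookup_unfiltered(kv: dict, key: str):
    # Vulnerable: whatever sits in the store is executed as a pickle program.
    return pickle.loads(kv[key])


def lookup_filtered(kv: dict, key: str):
    return FilteredUnpickler(io.BytesIO(kv[key])).load()


def legitimate_store() -> dict:
    return {"svc/api": pickle.dumps(ServiceEndpoint("api.internal", 8443))}


def poisoned_store() -> dict:
    kv = legitimate_store()
    kv["svc/api"] = crafted_gadget_pickle()  # attacker with KV write access overwrites the entry
    return kv


def demo() -> dict:
    """What each lookup strategy does against a poisoned and a clean store."""
    results = {"unfiltered_poisoned": lookup_unfiltered(poisoned_store(), "svc/api")}
    try:
        lookup_filtered(poisoned_store(), "svc/api")
        results["filtered_poisoned"] = "deserialized"
    except pickle.UnpicklingError as e:
        results["filtered_poisoned"] = f"rejected: {e}"
    results["filtered_clean"] = lookup_filtered(legitimate_store(), "svc/api")
    results["gadget_actually_ran"] = results["unfiltered_poisoned"] == os.getcwd()
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The point the example makes is that the filter has to sit inside the deserializer, on the class lookup, not on the bytes beforehand: the poisoned value is a perfectly well-formed pickle, just as the Camel payload is a well-formed Java serialization stream.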
Vendor -- Product: Netskope -- Client
Description: Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. Successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue Screen of Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial of service for the local machine.
Published: 2026-04-29
CVSS Score: not yet calculated
Source Info: CVE-2026-2810 [ https://www.cve.org/CVERecord?id=CVE-2026-2810 ]
Patch Info: https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002
  https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory

Vendor -- Product: elixir-plug -- plug_cowboy
Description: Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1.
Published: 2026-04-27
CVSS Score: not yet calculated
Source Info: CVE-2026-32688 [ https://www.cve.org/CVERecord?id=CVE-2026-32688 ]
Patch Info: https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2
  https://cna.erlef.org/cves/CVE-2026-32688.html
  https://osv.dev/vulnerability/EEF-CVE-2026-32688
  https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b
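The plug_cowboy entry is unusually precise about the mechanism, and two facts in it are worth seeing concretely: in HTTP/2 the scheme is just another HPACK-encoded header field the client chooses, and interning client input into a table that is never freed turns request volume into a hard resource limit. The following is an added example, not cowboy, cowlib or plug_cowboy code: it builds an HTTP/2 HEADERS frame with an arbitrary :scheme (literal-without-indexing HPACK, no Huffman coding, no padding), decodes it the way a server would, and runs the decoded headers through two handlers against a toy atom table with a small limit. The "vulnerable" handler models String.to_atom/1 on the raw value; the "hardened" one allowlists http and https before interning. The allowlist is one reasonable fix and is my illustration; the project's actual change is in the commit linked in the entry and may be shaped differently.

```python
"""Added example (not cowboy, cowlib or plug_cowboy code): client-chosen :scheme in
HTTP/2, decoded server-side, then interned with and without an allowlist."""
import struct


class SystemLimit(Exception):
    """Stands in for the BEAM aborting with system_limit when the atom table is full."""


class AtomTable:
    """Toy model of the BEAM atom table: entries are never freed, the size is fixed."""

    def __init__(self, limit: int = 1_048_576):  # 1,048,576 is the BEAM default
        self.limit, self.atoms = limit, {}

    def to_atom(self, value: str) -> int:
        if value not in self.atoms:
            if len(self.atoms) >= self.limit:
                raise SystemLimit("atom table full")
            self.atoms[value] = len(self.atoms)
        return self.atoms[value]


# --- minimal HPACK (RFC 7541 s6.2.2, literal without indexing, no Huffman) --------
def _hpack_string(s: str) -> bytes:
    data = s.encode()
    if len(data) > 126:
        raise ValueError("example keeps string lengths to one prefix byte")
    return bytes([len(data)]) + data  # H bit clear, 7-bit length prefix


def hpack_literal(name: str, value: str) -> bytes:
    return b"\x00" + _hpack_string(name) + _hpack_string(value)


def headers_frame(stream_id: int, headers) -> bytes:
    """RFC 7540 HEADERS frame, flags END_STREAM|END_HEADERS, no padding or priority."""
    payload = b"".join(hpack_literal(n, v) for n, v in headers)
    header = (struct.pack("!I", len(payload))[1:] + bytes([0x1, 0x5])
              + struct.pack("!I", stream_id & 0x7FFFFFFF))
    return header + payload


def parse_headers_frame(frame: bytes):
    """Return (stream_id, flags, [(name, value), ...]) for a frame built as above."""
    length = int.from_bytes(frame[:3], "big")
    if frame[3] != 0x1 or len(frame) != 9 + length:
        raise ValueError("not a well-formed HEADERS frame")
    stream_id = int.from_bytes(frame[5:9], "big") & 0x7FFFFFFF
    payload, i, headers = frame[9:], 0, []
    while i < len(payload):
        if payload[i] != 0x00:
            raise ValueError("example decodes only literal-without-indexing fields")
        i, fields = i + 1, []
        for _ in range(2):
            n = payload[i]
            if n & 0x80:
                raise ValueError("Huffman-coded strings are not supported here")
            fields.append(payload[i + 1:i + 1 + n].decode())
            i += 1 + n
        headers.append(tuple(fields))
    return stream_id, frame[4], headers


# --- the two server-side behaviours ----------------------------------------------
def scheme_vulnerable(table: AtomTable, headers) -> int:
    # Every distinct client-supplied :scheme becomes a new, permanent atom.
    return table.to_atom(dict(headers)[":scheme"])


def scheme_hardened(table: AtomTable, headers) -> int:
    # Allowlist before interning: at most two atoms can ever be created here.
    scheme = dict(headers)[":scheme"]
    if scheme not in ("http", "https"):
        raise ValueError("rejecting request with unexpected :scheme")
    return table.to_atom(scheme)


def flood(handler, table: AtomTable, requests: int):
    """Push `requests` HTTP/2 requests, each with a unique :scheme, through `handler`.
    Returns (requests the handler accepted, outcome)."""
    accepted = 0
    for k in range(requests):
        frame = headers_frame(2 * k + 1, [(":method", "GET"), (":scheme", f"x{k}"),
                                          (":authority", "app.example"), (":path", "/")])
        _, _, hdrs = parse_headers_frame(frame)
        try:
            handler(table, hdrs)
            accepted += 1
        except SystemLimit:
            return accepted, "system_limit"  # the node is gone
        except ValueError:
            pass                             # request rejected, node keeps serving
    return accepted, "ok"


if __name__ == "__main__":
    print(flood(scheme_vulnerable, AtomTable(limit=50), 200))  # (50, 'system_limit')
    print(flood(scheme_hardened, AtomTable(limit=50), 200))    # (0, 'ok')
```

The same shape applies to any `String.to_atom/1` or `List.to_atom/1` on request-derived data (method, header names, path segments): either match against a fixed set, or use `String.to_existing_atom/1` so that unknown input fails instead of allocating.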
CRM Sistemas de Fidelización--MegaCMS | SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the "id_territorio" parameter of the "/web_comunications/cms/get_provincias" endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the "id_territorio" parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries. | 2026-04-29 | not yet calculated | CVE-2026-3325 [ https://www.cve.org/CVERecord?id=CVE-2026-3325 ] | https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | An OS command injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user. | 2026-04-27 | not yet calculated | CVE-2026-33277 [ https://www.cve.org/CVERecord?id=CVE-2026-33277 ] | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/
Absolute Software--Secure Access | CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory, conceivably leading to memory corruption or a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33446 [ https://www.cve.org/CVERecord?id=CVE-2026-33446 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446

Absolute Software--Secure Access | CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory, conceivably leading to memory corruption or denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33447 [ https://www.cve.org/CVERecord?id=CVE-2026-33447 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447

Absolute Software--Secure Access | CVE-2026-33448 is a format string vulnerability in the logging subsystem of the Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files, potentially revealing secrets. | 2026-04-30 | not yet calculated | CVE-2026-33448 [ https://www.cve.org/CVERecord?id=CVE-2026-33448 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448

Absolute Software--Secure Access | CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory and conceivably leading to a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33449 [ https://www.cve.org/CVERecord?id=CVE-2026-33449 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449

Absolute Software--Secure Access | CVE-2026-33450 is an out-of-bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client, causing a denial of service. | 2026-04-30 | not yet calculated | CVE-2026-33450 [ https://www.cve.org/CVERecord?id=CVE-2026-33450 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450

Absolute Software--Secure Access | CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to SYSTEM. | 2026-04-30 | not yet calculated | CVE-2026-33451 [ https://www.cve.org/CVERecord?id=CVE-2026-33451 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451

Absolute Software--Secure Access | CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to 'blue screen' the system. | 2026-04-30 | not yet calculated | CVE-2026-33452 [ https://www.cve.org/CVERecord?id=CVE-2026-33452 ] | https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452
Apache Software Foundation--Apache Camel | Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in the Apache Camel camel-coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue. | 2026-04-27 | not yet calculated | CVE-2026-33453 [ https://www.cve.org/CVERecord?id=CVE-2026-33453 ] | https://camel.apache.org/security/CVE-2026-33453.html
Apache Software Foundation--Apache Camel | The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")), the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS release stream, they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS release stream, they are suggested to upgrade to 4.14.6. | 2026-04-27 | not yet calculated | CVE-2026-33454 [ https://www.cve.org/CVERecord?id=CVE-2026-33454 ] | https://camel.apache.org/security/CVE-2026-33454.html
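The two Camel entries above (CVE-2026-33453 for camel-coap, CVE-2026-33454 for camel-mail) describe one pattern: attacker-controlled protocol fields are copied into Exchange headers without an inbound "starts with" filter, and a downstream producer such as camel-exec honours those headers over its endpoint configuration. The following is an added Python model of that pattern, written for this bulletin and not taken from Apache Camel. The prefix list, the toy exec-style producer, the endpoint defaults and the sample CoAP/MIME inputs are all constructed assumptions; only the header names CamelExecCommandExecutable and CamelExecCommandArgs come from the advisory text. Nothing is executed; the producer merely reports which command it would have run.

```python
"""Added example, not Apache Camel code: the inbound header filter the two
advisories say is missing, modelled for CVE-2026-33453 (camel-coap) and
CVE-2026-33454 (camel-mail).
"""
from email import message_from_string

# Assumed "starts with" prefixes for the inbound direction (illustrative,
# not copied from Camel's DefaultHeaderFilterStrategy).
IN_FILTER_STARTS_WITH = ("Camel", "camel", "org.apache.camel")


def coap_uri_query_to_headers(uri_queries):
    """Vulnerable mapping: every Uri-Query option becomes an Exchange header."""
    headers = {}
    for option in uri_queries:
        name, _, value = option.partition("=")
        headers[name] = value
    return headers


def mime_headers_to_headers(raw_message):
    """Vulnerable mapping: every MIME header of an inbound mail becomes an Exchange header."""
    return dict(message_from_string(raw_message).items())


def apply_in_filter(headers, starts_with=IN_FILTER_STARTS_WITH):
    """The missing step: drop inbound headers whose names carry a reserved prefix."""
    return {k: v for k, v in headers.items() if not k.startswith(starts_with)}


def resolve_exec_command(headers, endpoint_executable, endpoint_args):
    """Toy camel-exec style producer: message headers override endpoint options.

    Returns the (executable, args) pair that would run; nothing is executed.
    """
    return (headers.get("CamelExecCommandExecutable", endpoint_executable),
            headers.get("CamelExecCommandArgs", endpoint_args))


# Constructed attacker inputs, not captured traffic.
COAP_URI_QUERIES = ["sensor=temp",
                    "CamelExecCommandExecutable=/bin/sh",
                    "CamelExecCommandArgs=-c id"]
RAW_MAIL = ("From: attacker@example.invalid\r\n"
            "Subject: report\r\n"
            "CamelExecCommandExecutable: /bin/sh\r\n"
            "CamelExecCommandArgs: -c id\r\n"
            "\r\n"
            "body\r\n")
ENDPOINT_EXECUTABLE, ENDPOINT_ARGS = "/usr/bin/convert", "in.png out.jpg"  # assumed endpoint config


def route(headers):
    """Return what the exec producer resolves to without and with the inbound filter."""
    unfiltered = resolve_exec_command(headers, ENDPOINT_EXECUTABLE, ENDPOINT_ARGS)
    filtered = resolve_exec_command(apply_in_filter(headers), ENDPOINT_EXECUTABLE, ENDPOINT_ARGS)
    return unfiltered, filtered


if __name__ == "__main__":
    for source, headers in (("coap", coap_uri_query_to_headers(COAP_URI_QUERIES)),
                            ("mail", mime_headers_to_headers(RAW_MAIL))):
        print(source, route(headers))
```

Run it and both sources resolve to the attacker's /bin/sh when the filter is absent and to the endpoint's configured executable once `apply_in_filter` runs on the inbound side. The practitioner's check against a real deployment is the same shape: confirm that every consumer feeding a header-sensitive producer strips Camel-prefixed headers on the way in, not only on the way out.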
Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer | There is a Cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered. | 2026-04-27 | not yet calculated | CVE-2026-33566 [ https://www.cve.org/CVERecord?id=CVE-2026-33566 ] | https://www.jpcert.or.jp/press/2026/PR20260423.html https://jvn.jp/en/jp/JVN57877356/
traefik--traefik | Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. | 2026-04-30 | not yet calculated | CVE-2026-35051 [ https://www.cve.org/CVERecord?id=CVE-2026-35051 ] | https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54 https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
FreeBSD--FreeBSD | When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges. | 2026-04-30 | not yet calculated | CVE-2026-35547 [ https://www.cve.org/CVERecord?id=CVE-2026-35547 ] | https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc
merkurysmart[.]com--MIPC252W v1.0.5 | A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition. | 2026-04-27 | not yet calculated | CVE-2026-35901 [ https://www.cve.org/CVERecord?id=CVE-2026-35901 ] | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md

merkurysmart[.]com--MIPC252W v1.0.5 | The RTSP service of the MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service. | 2026-04-27 | not yet calculated | CVE-2026-35902 [ https://www.cve.org/CVERecord?id=CVE-2026-35902 ] | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md
merkurysmart[.]com--MIPC252W v1.0.5 | MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response. | 2026-04-27 | not yet calculated | CVE-2026-35903 [ https://www.cve.org/CVERecord?id=CVE-2026-35903 ] | https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md

n/a--Krayin CRM v.2.1.5 | An issue in Krayin CRM v.2.1.5, fixed in v.2.1.6, allows a remote attacker to execute arbitrary code via the compose email function. | 2026-04-30 | not yet calculated | CVE-2026-36340 [ https://www.cve.org/CVERecord?id=CVE-2026-36340 ] | https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view https://github.com/krayin/laravel-crm/releases/tag/v2.1.6 https://github.com/cybercrewinc/CVE-2026-36340
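The MIPC252W entry for CVE-2026-35903 above describes an RTSP server that checks the Digest `response` once, on DESCRIBE, and then accepts any later request whose nonce and session id match. The following is an added Python model of that server-side check, written for this bulletin and not the camera's firmware: `RtspAuth(verify_every_request=False)` reproduces the described shortcut, `RtspAuth(verify_every_request=True)` recomputes and compares the response on every method. The realm, credentials, nonce, stream URI and session id are constructed for the demo; the Digest arithmetic is the qop-less form from RFC 2617, response = MD5(MD5(user:realm:pass) ":" nonce ":" MD5(method:uri)), which is what RTSP (RFC 2326) borrows from HTTP.

```python
"""Added example, not the camera's firmware: per-request Digest verification
for RTSP, modelling the CVE-2026-35903 failure mode.
"""
import hashlib
import hmac
import re

REALM = "MIPC252W"            # assumed realm string
USERS = {"admin": "s3cret"}   # constructed credential store


def _md5(text):
    return hashlib.md5(text.encode()).hexdigest()


def digest_response(user, password, method, uri, nonce, realm=REALM):
    """Client-side computation of the Digest `response` parameter (no qop)."""
    ha1 = _md5(f"{user}:{realm}:{password}")
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{nonce}:{ha2}")


def parse_authorization(header):
    """Turn `Digest k="v", k2="v2"` into a dict; any other scheme yields {}."""
    scheme, _, params = header.partition(" ")
    if scheme != "Digest":
        return {}
    return dict(re.findall(r'(\w+)="([^"]*)"', params))


class RtspAuth:
    def __init__(self, verify_every_request):
        self.verify_every_request = verify_every_request
        self.sessions = {}   # nonce -> session id handed out after a verified DESCRIBE

    def _response_valid(self, method, uri, params):
        user, nonce = params.get("username", ""), params.get("nonce", "")
        if user not in USERS or not nonce:
            return False
        expected = digest_response(user, USERS[user], method, uri, nonce)
        return hmac.compare_digest(expected, params.get("response", ""))

    def authorize(self, method, uri, authorization, session=""):
        params = parse_authorization(authorization)
        nonce = params.get("nonce", "")
        if (not self.verify_every_request
                and nonce in self.sessions and self.sessions[nonce] == session):
            return True   # vulnerable shortcut: nonce + session match, response ignored
        if not self._response_valid(method, uri, params):
            return False
        self.sessions.setdefault(nonce, f"{len(self.sessions) + 1:08x}")  # constructed session id
        return True


def auth_header(user, nonce, uri, response):
    return (f'Digest username="{user}", realm="{REALM}", nonce="{nonce}", '
            f'uri="{uri}", response="{response}"')


def replay(verify_every_request):
    """DESCRIBE with a valid response, then SETUP in the same session with an empty one."""
    srv = RtspAuth(verify_every_request)
    nonce, uri = "0a1b2c3d4e5f", "rtsp://camera.example/stream1"   # constructed
    describe_ok = srv.authorize(
        "DESCRIBE", uri,
        auth_header("admin", nonce, uri,
                    digest_response("admin", "s3cret", "DESCRIBE", uri, nonce)))
    session = srv.sessions.get(nonce, "")
    setup_ok = srv.authorize(
        "SETUP", uri + "/track1",
        auth_header("admin", nonce, uri + "/track1", ""), session=session)
    return describe_ok, setup_ok


if __name__ == "__main__":
    print("vulnerable:", replay(False))   # (True, True): empty-response SETUP accepted
    print("fixed:     ", replay(True))    # (True, False): empty-response SETUP rejected
```

The same replay is the quickest field test against a device: authenticate a DESCRIBE, then resend SETUP or TEARDOWN with the captured nonce and Session header but `response=""`; a correct server answers 401 with a fresh challenge.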
n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36756 [ https://www.cve.org/CVERecord?id=CVE-2026-36756 ] | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md

n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36757 [ https://www.cve.org/CVERecord?id=CVE-2026-36757 ] | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md

n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36758 [ https://www.cve.org/CVERecord?id=CVE-2026-36758 ] | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md

n/a--halo v2.22.14 | A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36759 [ https://www.cve.org/CVERecord?id=CVE-2026-36759 ] | https://github.com/halo-dev/halo https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md
n/a--JeeSite v5.15.1 | An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled. | 2026-04-30 | not yet calculated | CVE-2026-36760 [ https://www.cve.org/CVERecord?id=CVE-2026-36760 ] | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/530

n/a--JeeSite v5.15.1 | A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter. | 2026-04-30 | not yet calculated | CVE-2026-36761 [ https://www.cve.org/CVERecord?id=CVE-2026-36761 ] | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/528

n/a--JeeSite v5.15.1 | An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations. | 2026-04-30 | not yet calculated | CVE-2026-36762 [ https://www.cve.org/CVERecord?id=CVE-2026-36762 ] | https://github.com/thinkgem/jeesite https://github.com/thinkgem/jeesite/issues/529
n/a--SpringBlade v4.8.0 | A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter. | 2026-04-30 | not yet calculated | CVE-2026-36763 [ https://www.cve.org/CVERecord?id=CVE-2026-36763 ] | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/38 https://github.com/shopizer-ecommerce/shopizer/issues/1091

n/a--SpringBlade v4.8.0 | A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request. | 2026-04-30 | not yet calculated | CVE-2026-36764 [ https://www.cve.org/CVERecord?id=CVE-2026-36764 ] | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/36

n/a--SpringBlade v4.8.0 | An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload. | 2026-04-30 | not yet calculated | CVE-2026-36765 [ https://www.cve.org/CVERecord?id=CVE-2026-36765 ] | https://github.com/chillzhuang/SpringBlade https://github.com/chillzhuang/SpringBlade/issues/37
n/a--shopizer v3.2.5 | Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions. | 2026-04-30 | not yet calculated | CVE-2026-36766 [ https://www.cve.org/CVERecord?id=CVE-2026-36766 ] | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1093

n/a--shopizer v3.2.5 | A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request. | 2026-04-30 | not yet calculated | CVE-2026-36767 [ https://www.cve.org/CVERecord?id=CVE-2026-36767 ] | https://github.com/shopizer-ecommerce/shopizer https://github.com/shopizer-ecommerce/shopizer/issues/1091
Totolink[.]net -- TOTOLINK A3002RU v3 | TOTOLINK A3002RU V3 <= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36837 [ https://www.cve.org/CVERecord?id=CVE-2026-36837 ] | https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow

Totolink[.]net -- TOTOLINK N200RE v5 | TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function. | 2026-04-29 | not yet calculated | CVE-2026-36841 [ https://www.cve.org/CVERecord?id=CVE-2026-36841 ] | https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection
Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36956 [ https://www.cve.org/CVERecord?id=CVE-2026-36956 ] | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36956

Dbitnet[.]com -- Dbit N300 router v.1.0 | Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities. | 2026-04-30 | not yet calculated | CVE-2026-36957 [ https://www.cve.org/CVERecord?id=CVE-2026-36957 ] | http://dbit.com https://github.com/kirubel-cve/CVE-2026-36957

Dbitnet[.]com -- Dbit N300 router v.1.0 | A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require a manual reboot to restore normal operation. | 2026-04-30 | not yet calculated | CVE-2026-36958 [ https://www.cve.org/CVERecord?id=CVE-2026-36958 ] | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36958

Dbitnet[.]com -- Dbit N300 router v.1.0 | U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface. | 2026-04-30 | not yet calculated | CVE-2026-36959 [ https://www.cve.org/CVERecord?id=CVE-2026-36959 ] | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36959

Dbitnet[.]com -- Dbit N300 router v.1.0 | A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action. | 2026-04-30 | not yet calculated | CVE-2026-36960 [ https://www.cve.org/CVERecord?id=CVE-2026-36960 ] | http://u-speed.com https://github.com/kirubel-cve/CVE-2026-36960
n/a--FlowSpec operator array | An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component. | 2026-05-01 | not yet calculated | CVE-2026-37457 [ https://www.cve.org/CVERecord?id=CVE-2026-37457 ] | https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c
n/a--Automotive Grade Linux (AGL) | AGL agl-service-can-low-level through 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE. | 2026-05-01 | not yet calculated | CVE-2026-37530 [ https://www.cve.org/CVERecord?id=CVE-2026-37530 ] | https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643

n/a--Automotive Open SAE J1939 protocol (CAN-Bus) | Integer underflow vulnerability in Open-SAE-J1939 through commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer allows attackers to write to arbitrary memory via a crafted sequence number from the CAN frame. | 2026-05-01 | not yet calculated | CVE-2026-37534 [ https://www.cve.org/CVERecord?id=CVE-2026-37534 ] | https://github.com/DanielMartensson/Open-SAE-J1939 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381

n/a--socketcand 0.4.2 | Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via a crafted bus_name. | 2026-05-01 | not yet calculated | CVE-2026-37538 [ https://www.cve.org/CVERecord?id=CVE-2026-37538 ] | https://github.com/dschanoeh/socketcand https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381
n/a--libsndfile 1.2.2 | An issue was discovered in the libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with an (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes an incorrect frame count, leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065. | 2026-04-29 | not yet calculated | CVE-2026-37555 [ https://www.cve.org/CVERecord?id=CVE-2026-37555 ] | https://github.com/libsndfile/libsndfile/issues/833 https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151 https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1
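The libsndfile entry above (CVE-2026-37555) gives the exact arithmetic: two C `int` values are multiplied in 32-bit arithmetic and only the wrapped result is widened to the 64-bit `sf_count_t`. The following added Python example, written for this bulletin and not taken from libsndfile, makes that explicit: `frames_as_c_int` reproduces the pre-fix computation, `frames_checked` widens before multiplying (what the advisory says the `(sf_count_t)` cast achieves on the AIFF path) and bounds the result, and `parse_ima_adpcm_fmt` pulls the two attacker-controlled inputs out of a constructed WAV 'fmt ' chunk. The chunk layout is the standard WAVEFORMATEX header plus the IMA ADPCM `samplesperblock` extension; the sample rate, block alignment and data size are constructed values, and how libsndfile itself derives `blocks` from the data chunk is an assumption here.

```python
"""Added example, not libsndfile code: the CVE-2026-37555 arithmetic made explicit."""
import struct

INT_MAX = 2**31 - 1
INT64_MAX = 2**63 - 1
WAVE_FORMAT_IMA_ADPCM = 0x0011


def to_c_int(value):
    """Reduce a Python int to what a C 32-bit two's-complement `int` would hold."""
    value &= 0xFFFFFFFF
    return value - 0x1_0000_0000 if value & 0x8000_0000 else value


def frames_as_c_int(samplesperblock, blocks):
    """Vulnerable: int * int wraps at 32 bits before the store into sf_count_t."""
    return to_c_int(samplesperblock * blocks)


def frames_checked(samplesperblock, blocks):
    """Hardened: widen before multiplying, then bound the frame count."""
    if samplesperblock <= 0 or blocks < 0:
        raise ValueError("invalid block parameters")
    frames = samplesperblock * blocks   # 64-bit in C once one operand is sf_count_t
    if frames > INT64_MAX:
        raise ValueError("frame count does not fit sf_count_t")
    return frames


def parse_ima_adpcm_fmt(fmt_payload, data_chunk_size):
    """Return (samplesperblock, blocks) from a WAVEFORMATEX 'fmt ' payload and the data size.

    Layout: wFormatTag, nChannels, nSamplesPerSec, nAvgBytesPerSec, nBlockAlign,
    wBitsPerSample, cbSize, wSamplesPerBlock (all little-endian).
    """
    (tag, _channels, _rate, _avg_bps, block_align, _bits, cb_size,
     samplesperblock) = struct.unpack("<HHIIHHHH", fmt_payload[:20])
    if tag != WAVE_FORMAT_IMA_ADPCM or cb_size < 2 or block_align == 0:
        raise ValueError("not a usable IMA ADPCM fmt chunk")
    blocks = data_chunk_size // block_align   # assumed derivation of the block count
    return samplesperblock, blocks


# Constructed header: mono, 8 kHz, block_align 256, 50000 samples per block,
# and a data chunk sized so that exactly 50000 blocks follow.
FMT_PAYLOAD = struct.pack("<HHIIHHHH", WAVE_FORMAT_IMA_ADPCM, 1, 8000, 4000, 256, 4, 2, 50000)
DATA_CHUNK_SIZE = 50000 * 256


def demo():
    """Return (samplesperblock, blocks, wrapped 32-bit product, checked 64-bit product)."""
    spb, blocks = parse_ima_adpcm_fmt(FMT_PAYLOAD, DATA_CHUNK_SIZE)
    return spb, blocks, frames_as_c_int(spb, blocks), frames_checked(spb, blocks)


if __name__ == "__main__":
    spb, blocks, wrapped, checked = demo()
    print(f"{spb} * {blocks}: as C int -> {wrapped}, widened -> {checked}")
```

A negative or otherwise understated frame count is what the decoder later uses to size and walk its buffers, which is how an arithmetic slip in a header field turns into the heap overflow the entry describes.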
n/a--School Management System | A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php. | 2026-04-28 | not yet calculated | CVE-2026-37750 [ https://www.cve.org/CVERecord?id=CVE-2026-37750 ] | https://github.com/mahmoudai1/school-management-system https://github.com/mahmoudai1/school-management-system/blob/main/register.php https://github.com/menevarad007/CVE-2026-37750
n/a--Netmaker v1.5.0 | Authentication Bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information. | 2026-04-28 | not yet calculated | CVE-2026-38651 [ https://www.cve.org/CVERecord?id=CVE-2026-38651 ] | https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b https://www.zyenra.com/blog/netmaker-jwt-verification-bypass https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass
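The Netmaker entry above (CVE-2026-38651) turns on a single omission: the claims are decoded and trusted without the signature ever being compared against the server's key, so a token minted with any key at all is accepted. The following added Python example, written for this bulletin and not taken from Netmaker, shows the two verifiers side by side. `verify_host_token_unchecked` is the vulnerable shape; `verify_host_token` pins the algorithm, recomputes the HMAC and compares it in constant time. HS256, the claim names `ID` and `Name`, and both keys are assumptions for the demo, not Netmaker's actual token format or claims.

```python
"""Added example, not Netmaker code: a JWT verifier that skips the signature
versus one that checks it, modelling CVE-2026-38651.
"""
import base64
import hashlib
import hmac
import json


def _b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(claims, key):
    """Mint a compact JWT with an HMAC-SHA256 signature."""
    header = _b64url(json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode())
    payload = _b64url(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{header}.{payload}".encode(), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify_host_token_unchecked(token):
    """Vulnerable pattern: split, decode, trust; the signature part is never compared."""
    _header, payload, _sig = token.split(".")
    return json.loads(_b64url_decode(payload))


def verify_host_token(token, key):
    """Hardened: pin the algorithm, recompute the HMAC, compare in constant time."""
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise ValueError("malformed token")
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":          # refuses alg=none and algorithm confusion
        raise ValueError("unexpected alg")
    expected = hmac.new(key, f"{header_b64}.{payload_b64}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    return json.loads(_b64url_decode(payload_b64))


SERVER_KEY = b"server-secret-constructed"      # assumed server signing key
ATTACKER_KEY = b"anything-at-all"              # attacker's own key, never shared with the server
FORGED_CLAIMS = {"ID": "victim-host-id", "Name": "victim-host"}   # assumed claim names


def forge_and_verify():
    """Return (claims the unchecked verifier accepts, error the checked verifier raises)."""
    forged = sign_hs256(FORGED_CLAIMS, ATTACKER_KEY)
    accepted = verify_host_token_unchecked(forged)
    try:
        verify_host_token(forged, SERVER_KEY)
        rejected_with = None
    except ValueError as e:
        rejected_with = str(e)
    return accepted, rejected_with


if __name__ == "__main__":
    print(forge_and_verify())   # ({'ID': 'victim-host-id', 'Name': 'victim-host'}, 'bad signature')
```

The same forged token is the one-line check for a deployment: mint a host token under a random key, present it, and treat any 2xx as confirmation that the fix is not in place.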
Moxa--EDR-8010 Series | An improper ownership management vulnerability has been identified in Moxa's Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition - when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3867 [ https://www.cve.org/CVERecord?id=CVE-2026-3867 ] | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons

Moxa--EDR-8010 Series | An improper handling of length parameter inconsistency vulnerability has been identified in Moxa's Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified. | 2026-04-27 | not yet calculated | CVE-2026-3868 [ https://www.cve.org/CVERecord?id=CVE-2026-3868 ] | https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons

n/a--diskoverdata v.2.3.5 | Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via public/settings_process.php. | 2026-04-27 | not yet calculated | CVE-2026-38934 [ https://www.cve.org/CVERecord?id=CVE-2026-38934 ] | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934
n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/view.php via the doctype parameter. | 2026-04-27 | not yet calculated | CVE-2026-38935 [ https://www.cve.org/CVERecord?id=CVE-2026-38935 ] | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935

n/a--diskoverdata v.2.3.5 | A reflected cross-site scripting (XSS) vulnerability exists in diskover-community <= 2.3.5 in public/selectindices.php via the namecontains parameter. | 2026-04-27 | not yet calculated | CVE-2026-38936 [ https://www.cve.org/CVERecord?id=CVE-2026-38936 ] | http://diskover-community.com http://diskoverdata.com https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936
n/a--mvc-ecommerce v.1.0 Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component 2026-04-30 not yet calculated CVE-2026-38939 [ https://www.cve.org/CVERecord?id=CVE-2026-38939 ] https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8
n/a--TOKO-ONLINE-ROTI v.1.0 Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component 2026-04-30 not yet calculated CVE-2026-38940 [ https://www.cve.org/CVERecord?id=CVE-2026-38940 ] https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8
n/a--FUEL CMS v1.5.2 Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code. 2026-04-28 not yet calculated CVE-2026-38948 [ https://www.cve.org/CVERecord?id=CVE-2026-38948 ] https://github.com/daylightstudio/FUEL-CMS https://www.youtube.com/watch?v=lLCF0xbjecQ https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md
n/a--HTMLy v3.1.1 Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code 2026-04-28 not yet calculated CVE-2026-38949 [ https://www.cve.org/CVERecord?id=CVE-2026-38949 ] https://github.com/danpros/htmly https://youtu.be/3e-tzUMCox8 https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md
n/a--Cockpit v2.13.5 Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension enabling arbitrary code to be executed on the underlying server. 2026-04-29 not yet calculated CVE-2026-38991 [ https://www.cve.org/CVERecord?id=CVE-2026-38991 ] https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
n/a--Cockpit v2.13.5 Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator. 2026-04-29 not yet calculated CVE-2026-38992 [ https://www.cve.org/CVERecord?id=CVE-2026-38992 ] https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
n/a--Cockpit v2.13.5 Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions. 2026-04-29 not yet calculated CVE-2026-38993 [ https://www.cve.org/CVERecord?id=CVE-2026-38993 ] https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0 https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/
FreeBSD--FreeBSD When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges. 2026-04-30 not yet calculated CVE-2026-39457 [ https://www.cve.org/CVERecord?id=CVE-2026-39457 ] https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc
mtrudel--bandit Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0. 2026-05-01 not yet calculated CVE-2026-39804 [ https://www.cve.org/CVERecord?id=CVE-2026-39804 ] https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j https://cna.erlef.org/cves/CVE-2026-39804.html https://osv.dev/vulnerability/EEF-CVE-2026-39804 https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e
mtrudel--bandit Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0. 2026-05-01 not yet calculated CVE-2026-39805 [ https://www.cve.org/CVERecord?id=CVE-2026-39805 ] https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7 https://cna.erlef.org/cves/CVE-2026-39805.html https://osv.dev/vulnerability/EEF-CVE-2026-39805 https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1
mtrudel--bandit Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0. 2026-05-01 not yet calculated CVE-2026-39807 [ https://www.cve.org/CVERecord?id=CVE-2026-39807 ] https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j https://cna.erlef.org/cves/CVE-2026-39807.html https://osv.dev/vulnerability/EEF-CVE-2026-39807 https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667
traefik--traefik Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context - such as a trusted scheme or host - through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2. 2026-04-30 not yet calculated CVE-2026-39858 [ https://www.cve.org/CVERecord?id=CVE-2026-39858 ] https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm https://github.com/traefik/traefik/releases/tag/v2.11.43 https://github.com/traefik/traefik/releases/tag/v3.6.14 https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2
Apache Software Foundation--Apache Camel Platform HTTP Main When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2. 2026-04-27 not yet calculated CVE-2026-40022 [ https://www.cve.org/CVERecord?id=CVE-2026-40022 ] https://camel.apache.org/security/CVE-2026-40022.html
Apache Software Foundation--Apache Camel PQC The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `<keyId>.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2. 2026-04-27 not yet calculated CVE-2026-40048 [ https://www.cve.org/CVERecord?id=CVE-2026-40048 ] https://camel.apache.org/security/CVE-2026-40048.html
helpyio--helpy Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0. 2026-04-29 not yet calculated CVE-2026-40229 [ https://www.cve.org/CVERecord?id=CVE-2026-40229 ] https://fluidattacks.com/es/advisories/offspring https://github.com/helpyio/helpy
helpyio--helpy Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0. 2026-04-29 not yet calculated CVE-2026-40230 [ https://www.cve.org/CVERecord?id=CVE-2026-40230 ] https://fluidattacks.com/es/advisories/prisioneros https://github.com/helpyio/helpy
Apache Software Foundation--Apache Camel JMS The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. 2026-04-27 not yet calculated CVE-2026-40453 [ https://www.cve.org/CVERecord?id=CVE-2026-40453 ] https://camel.apache.org/security/CVE-2026-40453.html
Apache Software Foundation--Apache Camel Mina The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. 2026-04-27 not yet calculated CVE-2026-40473 [ https://www.cve.org/CVERecord?id=CVE-2026-40473 ] https://camel.apache.org/security/CVE-2026-40473.html
BinSoft--mpGabinet mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application's memory by inspecting the running process. While the ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface. This issue affects mpGabinet version 23.12.19 and below. 2026-04-28 not yet calculated CVE-2026-40550 [ https://www.cve.org/CVERecord?id=CVE-2026-40550 ] https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/
BinSoft--mpGabinet mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below. 2026-04-28 not yet calculated CVE-2026-40551 [ https://www.cve.org/CVERecord?id=CVE-2026-40551 ] https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/
BinSoft--mpGabinet mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below. 2026-04-28 not yet calculated CVE-2026-40552 [ https://www.cve.org/CVERecord?id=CVE-2026-40552 ] https://cert.pl/posts/2026/04/CVE-2026-40550/ https://www.mpgabinet.pl/
Apache Software Foundation--Apache Storm Prometheus Reporter Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter Versions Affected: from 2.6.3 to 2.8.6 Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate. 2026-04-27 not yet calculated CVE-2026-40557 [ https://www.cve.org/CVERecord?id=CVE-2026-40557 ] https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq
MIYAGAWA--Starman Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. 2026-04-28 not yet calculated CVE-2026-40560 [ https://www.cve.org/CVERecord?id=CVE-2026-40560 ] https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3
KAZUHO--Starlet Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy. 2026-05-03 not yet calculated CVE-2026-40561 [ https://www.cve.org/CVERecord?id=CVE-2026-40561 ] https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3 https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch

You are subscribed to updates from the Cybersecurity and Infrastructure Security Agency [ https://www.cisa.gov ] (CISA)
This email was sent to cisa@toolazy.synchro.net using GovDelivery Communications Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency · 707 17th St, Suite 4000 · Denver, CO 80202

High Vulnerabilities

Primary Vendor -- Product | Description | Published | CVSS Score | Source Info | Patch Info
n/a-- OVMS3 3.3.005 Buffer overflow vulnerability in Open Vehicle Monitoring System 3 (OVMS3) 3.3.005. In canformat_gvret.cpp, the length field in GVRET binary data is not properly validated, allowing remote attackers to cause a denial of service or possibly execute arbitrary code via crafted GVRET frames. 2026-05-01 10 CVE-2026-37541 [ https://www.cve.org/CVERecord?id=CVE-2026-37541 ] https://github.com/openvehicles/Open-Vehicle-Monitoring-System-3 https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381

tendacn[.]com-- W308R Tenda W308R v2 V5.07.48 contains a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the goform/AdvSetDns endpoint with a crafted admin language cookie to change DNS servers and redirect user traffic to malicious sites. 2026-04-29 9.8 CVE-2018-25316 [ https://www.cve.org/CVERecord?id=CVE-2018-25316 ] ExploitDB-44373 [ https://www.exploit-db.com/exploits/44373 ] VulnCheck Advisory: Tenda W308R v2 V5.07.48 Cookie Session Weakness DNS Change [ https://www.vulncheck.com/advisories/tenda-w308r-v2-cookie-session-weakness-dns-change ]

tendacn[.]com--W3002R Tenda W3002R/A302/W309R wireless routers version V5.07.64_en contain a cookie session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient session validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin language cookie to change primary and secondary DNS servers, redirecting user traffic to malicious DNS servers. 2026-04-29 9.8 CVE-2018-25317 [ https://www.cve.org/CVERecord?id=CVE-2018-25317 ] ExploitDB-44380 [ https://www.exploit-db.com/exploits/44380 ] VulnCheck Advisory: Tenda W3002R/A302/W309R V5.07.64_en Cookie Session Weakness DNS Change [ https://www.vulncheck.com/advisories/tenda-w3002r-a302-w309r-64-en-cookie-session-weakness-dns-change ]

    <tr>
    <td class="vendor-product">tendacn[.]com--FH303/A300</td>
    <td>Tenda FH303/A300 firmware V5.07.68_EN contains a session weakness vulnerability that allows unauthenticated attackers to modify DNS settings by exploiting insufficient cookie validation. Attackers can send GET requests to the /goform/AdvSetDns endpoint with a crafted admin cookie to change DNS servers and redirect user traffic to malicious sites.</td>
    <td>2026-04-29</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25318" target="_blank" rel="noopener">CVE-2018-25318</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44381" target="_blank" rel="noopener">ExploitDB-44381</a><br><a href="https://www.vulncheck.com/advisories/tenda-fh303-a300-68-en-cookie-session-weakness-dns-change" target="_blank" rel="noopener">VulnCheck Advisory: Tenda FH303/A300 V5.07.68_EN Cookie Session Weakness DNS Change</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Weaver Network Co., Ltd.--E-office</td>
    <td>Weaver (Fanwei) E-office versions prior to 10.0_20221201 contain an unauthenticated arbitrary file upload vulnerability in the OfficeServer.php endpoint that allows remote attackers to upload malicious files by sending multipart POST requests with arbitrary filenames and disguised content types. Attackers can upload PHP webshells to the Document directory and execute them via HTTP GET requests to achieve remote code execution as the web server user. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-10-10 (UTC).</td>
    <td>2026-04-30</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2022-50993" target="_blank" rel="noopener">CVE-2022-50993</a></td>
    <td><a href="https://service.e-office.cn/knowledge/detail/5" target="_blank" rel="noopener">https://service.e-office.cn/knowledge/detail/5</a><br><a href="https://cn-sec.com/archives/1453025.html" target="_blank" rel="noopener">https://cn-sec.com/archives/1453025.html</a><br><a href="https://bbs.chaitin.cn/topic/37" target="_blank" rel="noopener">https://bbs.chaitin.cn/topic/37</a><br><a href="https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/weaver-e-office-10-0-20221201-unauthenticated-arbitrary-file-read-via-xmlrpcservlet</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">synway[.]net--SMG Gateway Management</td>
    <td>Synway SMG Gateway Management Software contains an OS command injection vulnerability in the RADIUS configuration endpoint at /en/9-2radius.php where the radius_address POST parameter is split and interpolated directly into a sed command without sanitization. An unauthenticated remote attacker can inject arbitrary shell commands by submitting a POST request with crafted radius_address, radius_address2, shared_secret2, source_ip, timeout, or retry parameters along with save=1 and enable_radius=1 to achieve remote code execution. Exploitation evidence was first observed by the Shadowserver Foundation on 2025-07-11 (UTC).</td>
    <td>2026-04-30</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-71284" target="_blank" rel="noopener">CVE-2025-71284</a></td>
    <td><a href="https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml" target="_blank" rel="noopener">https://github.com/projectdiscovery/nuclei-templates/blob/main/http/vulnerabilities/synway/synwaysmg-radius-rce.yaml</a><br><a href="https://mrxn.net/jswz/synway-9-2radius-rce.html" target="_blank" rel="noopener">https://mrxn.net/jswz/synway-9-2radius-rce.html</a><br><a href="https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA" target="_blank" rel="noopener">https://mp.weixin.qq.com/s/PyepoFSuQ63E3RnpQa9nsA</a><br><a href="https://www.synway.net/" target="_blank" rel="noopener">https://www.synway.net/</a><br><a href="https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/synway-smg-gateway-management-software-os-command-injection-via-radius-address</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Directorist Booking--Directorist Booking</td>
    <td>Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Directorist Booking allows SQL Injection. This issue affects Directorist Booking: from n/a before 3.0.2.</td>
    <td>2026-04-27</td>
    <td>9.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22336" target="_blank" rel="noopener">CVE-2026-22336</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/directorist-booking/vulnerability/wordpress-directorist-booking-plugin-2-4-1-sql-injection-vulnerability?_s_id=cve</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Directorist--Directorist Social Login</td>
    <td>Incorrect Privilege Assignment vulnerability in Directorist Directorist Social Login allows Privilege Escalation. This issue affects Directorist Social Login: from n/a before 2.1.4.</td>
    <td>2026-04-27</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22337" target="_blank" rel="noopener">CVE-2026-22337</a></td>
    <td><a href="https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve" target="_blank" rel="noopener">https://patchstack.com/database/wordpress/plugin/directorist-social-login/vulnerability/wordpress-directorist-social-login-plugin-2-1-1-privilege-escalation-vulnerability?_s_id=cve</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Milesight--MS-Cxx63-PD</td>
    <td>Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.</td>
    <td>2026-04-27</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32644" target="_blank" rel="noopener">CVE-2026-32644</a></td>
    <td><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03</a><br><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json</a><br><a href="https://www.milesight.com/support/download/firmware" target="_blank" rel="noopener">https://www.milesight.com/support/download/firmware</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL)</td>
    <td>AGL app-framework-main through 17.1.12 contains a Zip Slip path traversal vulnerability (CWE-22) combined with a TOCTOU race condition (CWE-367) in the widget installation flow. The is_valid_filename function in wgtpkg-zip.c validates ZIP entry names but does not check for dot notation directory traversal sequences; it only blocks absolute paths. The zread extraction function uses openat(workdirfd, filename, O_CREAT), which resolves dot notation values relative to the work directory, allowing files to be written anywhere on the filesystem. Critically, in function install_widget in file wgtpkg-install.c, extraction via zread occurs BEFORE signature verification via check_all_signatures. Even if signature verification fails, the error cleanup (remove_workdir) only deletes the temporary work directory; files written outside it via path traversal persist permanently.</td>
    <td>2026-05-01</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37531" target="_blank" rel="noopener">CVE-2026-37531</a></td>
    <td><a href="https://gerrit.automotivelinux.org/gerrit/src/app-framework-main" target="_blank" rel="noopener">https://gerrit.automotivelinux.org/gerrit/src/app-framework-main</a><br><a href="https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643" target="_blank" rel="noopener">https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--cannelloni v2.0.0</td>
    <td>Buffer overflow vulnerability in cannelloni v2.0.0 in CAN frame parsing in parser.cpp in function parseCANFrame, and decoder.cpp in function decodeFrame allowing remote attackers to cause a denial of service (crash) or possibly execute arbitrary code via crafted CAN FD frames.</td>
    <td>2026-05-01</td>
    <td>9.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37539" target="_blank" rel="noopener">CVE-2026-37539</a></td>
    <td><a href="https://github.com/mguentner/cannelloni" target="_blank" rel="noopener">https://github.com/mguentner/cannelloni</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Carlson Software--VASCO-B GNSS Receiver</td>
    <td>The Carlson VASCO-B GNSS Receiver lacks an authentication mechanism, allowing an attacker with network access to directly access and modify its configuration and operational functions without needing credentials.</td>
    <td>2026-04-28</td>
    <td>9.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3893" target="_blank" rel="noopener">CVE-2026-3893</a></td>
    <td><a href="https://www.carlsonsw.com/support-and-training/" target="_blank" rel="noopener">https://www.carlsonsw.com/support-and-training/</a><br><a href="https://www.cve.org/CVERecord?id=CVE-2026-3893" target="_blank" rel="noopener">https://www.cve.org/CVERecord?id=CVE-2026-3893</a><br><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-02.json</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Mersenne--Prime95</td>
    <td>Prime95 29.4b8 contains a local buffer overflow vulnerability that allows attackers to execute arbitrary code by exploiting structured exception handling (SEH) mechanisms. Attackers can inject a malicious payload through the optional proxy hostname field in the PrimeNet connection settings to trigger the overflow and execute system commands.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25299" target="_blank" rel="noopener">CVE-2018-25299</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44649" target="_blank" rel="noopener">ExploitDB-44649</a><br><a href="https://www.mersenne.org/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.mersenne.org/download/#download" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/prime95-29-4b8-local-buffer-overflow-via-seh" target="_blank" rel="noopener">VulnCheck Advisory: Prime95 29.4b8 Local Buffer Overflow via SEH</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">xataboost--XATABoost CMS</td>
    <td>XATABoost CMS 1.0.0 contains a union-based SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the id parameter. Attackers can send GET requests to news.php with malicious id values to extract sensitive database information.</td>
    <td>2026-04-29</td>
    <td>8.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25300" target="_blank" rel="noopener">CVE-2018-25300</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44622" target="_blank" rel="noopener">ExploitDB-44622</a><br><a href="http://www2.xataboost.com" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/xataboost-cms-sql-injection-via-news-php" target="_blank" rel="noopener">VulnCheck Advisory: XATABoost CMS 1.0.0 SQL Injection via news.php</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Easy MPEG--Easy MPEG to DVD Burner</td>
    <td>Easy MPEG to DVD Burner 1.7.11 contains a structured exception handling (SEH) local buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious username string. Attackers can craft a payload containing junk data, SEH chain pointers, and shellcode that overwrites the SEH handler to redirect execution and run arbitrary commands like opening calc.exe.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25301" target="_blank" rel="noopener">CVE-2018-25301</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44565" target="_blank" rel="noopener">ExploitDB-44565</a><br><a href="https://downloads.tomsguide.com/MPEG-Easy-Burner,0301-10418.html" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/easy-mpeg-to-dvd-burner-seh-local-buffer-overflow" target="_blank" rel="noopener">VulnCheck Advisory: Easy MPEG to DVD Burner 1.7.11 SEH Local Buffer Overflow</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Alloksoft--Allok Video to DVD Burner</td>
    <td>Allok Video to DVD Burner 2.6.1217 contains a stack-based buffer overflow vulnerability in the License Name field that allows local attackers to execute arbitrary code by triggering a structured exception handler (SEH) overwrite. Attackers can craft a malicious input string with 780 bytes of junk data followed by SEH chain pointers and shellcode, then paste it into the License Name field during registration to achieve code execution.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25303" target="_blank" rel="noopener">CVE-2018-25303</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44518" target="_blank" rel="noopener">ExploitDB-44518</a><br><a href="http://www.alloksoft.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/allok-video-to-dvd-burner-buffer-overflow-seh" target="_blank" rel="noopener">VulnCheck Advisory: Allok Video to DVD Burner 2.6.1217 Buffer Overflow SEH</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Filehippo--Free Download Manager</td>
    <td>Free Download Manager 2.0 Built 417 contains a local buffer overflow vulnerability in the URL import functionality that allows attackers to trigger a structured exception handler (SEH) chain exploitation. Attackers can craft a malicious URL file that, when imported through the File &gt; Import &gt; Import lists of downloads menu, causes a buffer overflow in the Location header response that overwrites the SEH chain and executes arbitrary code.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25304" target="_blank" rel="noopener">CVE-2018-25304</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44499" target="_blank" rel="noopener">ExploitDB-44499</a><br><a href="https://filehippo.com/download_free_download_manager/925/" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/free-download-manager-built-417-local-buffer-overflow-seh" target="_blank" rel="noopener">VulnCheck Advisory: Free Download Manager 2.0 Built 417 Local Buffer Overflow SEH</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Sysgauge--SysGauge Pro</td>
    <td>SysGauge Pro 4.6.12 contains a local buffer overflow vulnerability in the Register function that allows local attackers to overwrite the structured exception handler by supplying a crafted unlock key. Attackers can inject shellcode through the Unlock Key field during registration to execute arbitrary code with application privileges.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25307" target="_blank" rel="noopener">CVE-2018-25307</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44455" target="_blank" rel="noopener">ExploitDB-44455</a><br><a href="https://www.vulncheck.com/advisories/sysgauge-pro-local-buffer-overflow-seh" target="_blank" rel="noopener">VulnCheck Advisory: SysGauge Pro 4.6.12 Local Buffer Overflow SEH</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">donmik--Buddypress Xprofile Custom Fields Type</td>
    <td>BuddyPress Xprofile Custom Fields Type 2.6.3 contains a remote code execution vulnerability that allows authenticated users to delete arbitrary files by manipulating unescaped POST parameters. Attackers can modify the field_hiddenfile and field_deleteimg parameters during profile editing to unlink files from the server.</td>
    <td>2026-04-29</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25308" target="_blank" rel="noopener">CVE-2018-25308</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44432" target="_blank" rel="noopener">ExploitDB-44432</a><br><a href="http://lenonleite.com.br/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/buddypress-xprofile-custom-fields-type-remote-code-execution" target="_blank" rel="noopener">VulnCheck Advisory: BuddyPress Xprofile Custom Fields Type 2.6.3 Remote Code Execution</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Alloksoft--WMV to AVI MPEG DVD WMV Converter</td>
    <td>Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying an oversized string in the License Name field. Attackers can craft a malicious input containing shellcode with structured exception handler (SEH) overwrite to bypass protections and execute code with application privileges.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25314" target="_blank" rel="noopener">CVE-2018-25314</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44365" target="_blank" rel="noopener">ExploitDB-44365</a><br><a href="http://www.alloksoft.com" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="http://www.alloksoft.com/wmv.htm" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/allok-soft-wmv-to-avi-mpeg-dvd-wmv-converter-buffer-overflow" target="_blank" rel="noopener">VulnCheck Advisory: Allok soft WMV to AVI MPEG DVD WMV Converter 4.6.1217 Buffer Overflow</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Alloksoft--Video Joiner</td>
    <td>Alloksoft Video joiner 4.6.1217 contains a buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with structured exception handler (SEH) overwrite and shellcode to achieve code execution when the application processes the license registration input.</td>
    <td>2026-04-29</td>
    <td>8.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25315" target="_blank" rel="noopener">CVE-2018-25315</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44364" target="_blank" rel="noopener">ExploitDB-44364</a><br><a href="http://www.alloksoft.com" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="http://www.alloksoft.com/joiner.htm" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/alloksoft-video-joiner-buffer-overflow-via-license-name" target="_blank" rel="noopener">VulnCheck Advisory: Alloksoft Video joiner 4.6.1217 Buffer Overflow via License Name</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">marketingfire--Widget Options Advanced Conditional Visibility for Gutenberg Blocks &amp; Classic Widgets</td>
    <td>The Widget Options - Advanced Conditional Visibility for Gutenberg Blocks &amp; Classic Widgets plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 4.2.2 via the Display Logic feature. This is due to the plugin using eval() on user-supplied Display Logic expressions with an insufficient blocklist/allowlist that can be bypassed using array_map with string concatenation, combined with a lack of authorization enforcement on the extended_widget_opts_block attribute. This makes it possible for authenticated attackers, with Contributor-level access and above, to execute code on the server. The vulnerability was partially patched in version 4.2.0.</td>
    <td>2026-05-02</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2052" target="_blank" rel="noopener">CVE-2026-2052</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/68023557-fc92-4cf6-96b4-405ff5a5fd5a?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/widgets/gutenberg/gutenberg-toolbar.php#L843</a><br><a href="https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L495</a><br><a href="https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/widget-options/trunk/includes/extras.php#L534</a><br><a href="https://plugins.trac.wordpress.org/changeset/3481338/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3481338/</a><br><a href="https://plugins.trac.wordpress.org/changeset/3514411/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3514411/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Milesight--MS-Cxx63-PD</td>
    <td>An out-of-bounds memory access vulnerability exists in specific firmware versions of Milesight AIOT cameras.</td>
    <td>2026-04-27</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-20766" target="_blank" rel="noopener">CVE-2026-20766</a></td>
    <td><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03</a><br><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json</a><br><a href="https://www.milesight.com/support/download/firmware" target="_blank" rel="noopener">https://www.milesight.com/support/download/firmware</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">wclovers--WCFM Frontend Manager for WooCommerce</td>
    <td>The WCFM - Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 6.7.25 via the 'wcfm_delete_wcfm_customer' due to missing validation on the 'customerid' user controlled key. This makes it possible for authenticated attackers, with Vendor-level access and above, to delete arbitrary users, including Administrators.</td>
    <td>2026-05-02</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2554" target="_blank" rel="noopener">CVE-2026-2554</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/21e397a4-0b32-4b13-a46b-c465acea0796?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wc-frontend-manager/tags/6.7.24/core/class-wcfm-customer.php#L386</a><br><a href="https://plugins.trac.wordpress.org/changeset/3483695/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3483695/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">opencats--OpenCATS</td>
    <td>OpenCATS prior to commit 3002a29 contains a PHP code injection vulnerability in the installer AJAX endpoint that allows unauthenticated attackers to execute arbitrary code by injecting PHP statements into the databaseConnectivity action parameter. Attackers can break out of the define() string context in config.php using a single quote and statement separator to inject malicious PHP code that persists and executes on every subsequent page load when the installation wizard remains incomplete.</td>
    <td>2026-04-28</td>
    <td>8.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-27760" target="_blank" rel="noopener">CVE-2026-27760</a></td>
    <td><a href="https://chocapikk.com/posts/2026/opencats-installer-rce/" target="_blank" rel="noopener">https://chocapikk.com/posts/2026/opencats-installer-rce/</a><br><a href="https://github.com/opencats/OpenCATS/pull/706" target="_blank" rel="noopener">https://github.com/opencats/OpenCATS/pull/706</a><br><a href="https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6" target="_blank" rel="noopener">https://github.com/opencats/OpenCATS/commit/3002a29f4c3cada1aa2c4f3d4ae4e189906606b6</a><br><a href="https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172" target="_blank" rel="noopener">https://github.com/opencats/OpenCATS/blob/46e4727/lib/CATSUtility.php#L142-L172</a><br><a href="https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130" target="_blank" rel="noopener">https://github.com/opencats/OpenCATS/blob/46e4727/modules/install/ajax/ui.php#L130</a><br><a href="https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/opencats-php-code-injection-via-installer-ajax-endpoint</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Milesight--MS-Cxx63-PD</td>
    <td>Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.</td>
    <td>2026-04-27</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-27785" target="_blank" rel="noopener">CVE-2026-27785</a></td>
    <td><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03</a><br><a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json</a><br><a href="https://www.milesight.com/support/download/firmware" target="_blank" rel="noopener">https://www.milesight.com/support/download/firmware</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Cockpit--Cockpit CMS</td>
    <td>Cockpit CMS contains an authenticated remote code execution vulnerability in the /cockpit/collections/save_collection endpoint that allows authenticated attackers with collection management privileges to inject arbitrary PHP code into collection rules parameters. Attackers can inject malicious PHP code through rule parameters which is written directly to server-side PHP files and executed via include() to achieve arbitrary command execution on the underlying server.</td>
    <td>2026-04-29</td>
    <td>8.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-34965" target="_blank" rel="noopener">CVE-2026-34965</a></td>
    <td><a href="https://github.com/agentejo/cockpit" target="_blank" rel="noopener">https://github.com/agentejo/cockpit</a><br><a href="https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90" target="_blank" rel="noopener">https://gist.github.com/thepiyushkumarshukla/64d2318518b17f529bc3ccb11fd5be90</a><br><a href="https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9" target="_blank" rel="noopener">https://github.com/agentejo/cockpit/commits/494765e4f0fb9484f320aee0c6ee889b6fa789b9</a><br><a href="https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/cockpit-cms-authenticated-remote-code-execution-via-collections</a><br>&nbsp;</td>
    </tr>

<tr>
<td class="vendor-product">n/a--(UDS) &amp; OBD-II (On Board Diagnostics for Vehicles)</td>
<td>miaofng/uds-c commit e506334e270d77b20c0bc259ac6c7d8c9b702b7a (2016-10-05) contains a stack buffer overflow in send_diagnostic_request. A 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) receives a memcpy of payload_length bytes at offset 1+pid_length. MAX_UDS_REQUEST_PAYLOAD_LENGTH=7, so 1+2+7=10 exceeds the buffer by 4 bytes. There is no bounds check on payload_length before the memcpy.</td>
<td>2026-05-01</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37536" target="_blank" rel="noopener">CVE-2026-37536</a></td>
<td><a href="https://github.com/miaofng/uds-c" target="_blank" rel="noopener">https://github.com/miaofng/uds-c</a><br><a href="https://github.com/openxc/uds-c" target="_blank" rel="noopener">https://github.com/openxc/uds-c</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a></td>
</tr>
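The size arithmetic in the entry above, as an added example (this is not the uds-c project's code). The two constants and the request layout (one mode byte, pid_length PID bytes, then payload_length payload bytes copied at offset 1+pid_length) are taken from the description; the struct-free builder, its function names and the PID/payload bytes are this example's own assumptions. It shows the 1+2+7=10 overrun of the 6-byte buffer and the check that would have prevented it.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constants as given in the advisory text. */
#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6   /* size of the stack buffer the request is built in */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7   /* largest payload_length the API accepts */

/* Bytes a request occupies: 1 mode byte, pid_length PID bytes, then the payload
 * (the advisory's "memcpy at offset 1+pid_length with payload_length bytes"). */
static size_t required_size(size_t pid_length, size_t payload_length)
{
    return 1 + pid_length + payload_length;
}

/* How far a request of this shape runs past the stack buffer; 0 if it fits. */
static size_t overrun_bytes(size_t pid_length, size_t payload_length)
{
    size_t need = required_size(pid_length, payload_length);
    return need > MAX_DIAGNOSTIC_PAYLOAD_SIZE ? need - MAX_DIAGNOSTIC_PAYLOAD_SIZE : 0;
}

/* Hardened builder (this example's own, not the library's): every length is
 * validated against the destination before any memcpy. Returns bytes written,
 * or -1 if the request cannot fit. */
static int build_request_checked(uint8_t *out, size_t out_size, uint8_t mode,
                                 const uint8_t *pid, size_t pid_length,
                                 const uint8_t *payload, size_t payload_length)
{
    if (payload_length > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        return -1;
    if (required_size(pid_length, payload_length) > out_size)
        return -1;                      /* the bounds check the vulnerable code lacks */
    out[0] = mode;
    memcpy(out + 1, pid, pid_length);
    memcpy(out + 1 + pid_length, payload, payload_length);   /* offset 1+pid_length */
    return (int)required_size(pid_length, payload_length);
}

/* Runs the checked builder with a constructed 2-byte PID into a 6-byte stack
 * buffer, the shape from the advisory; returns the builder's result. */
static int checked_result(size_t payload_length)
{
    uint8_t buf[MAX_DIAGNOSTIC_PAYLOAD_SIZE];
    const uint8_t pid[2] = { 0x01, 0x02 };                          /* constructed PID */
    const uint8_t payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH] = { 0 };  /* constructed payload */

    if (payload_length > sizeof payload)
        return -1;
    return build_request_checked(buf, sizeof buf, 0x22, pid, 2, payload, payload_length);
}

int main(void)
{
    /* The advisory's worst case: 1 + 2 + 7 = 10 bytes into a 6-byte buffer. */
    printf("worst case needs %zu bytes, overruns by %zu\n", required_size(2, 7), overrun_bytes(2, 7));
    printf("checked builder, 7-byte payload: %d (rejected)\n", checked_result(7));
    printf("checked builder, 3-byte payload: %d bytes written\n", checked_result(3));
    return 0;
}
```

The point to take away is that MAX_UDS_REQUEST_PAYLOAD_LENGTH and MAX_DIAGNOSTIC_PAYLOAD_SIZE are independent limits; a caller staying inside the first can still exceed the second, so the destination size, not the API limit, has to gate the copy.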

<tr>
<td class="vendor-product">n/a--Open-SAE-J1939 (Daniel Martensson)</td>
<td>collin80/Open-SAE-J1939 through commit 744024d4306bc387857dfce439558336806acb06 (2023-03-08) contains an integer underflow leading to an out-of-bounds write in Transport Protocol Data Transfer handling. At line 23: uint8_t index = data[0] - 1. When data[0] (the sequence number from the CAN frame) is 0, index underflows to 255. The subsequent write at tp_dt-&gt;data[255*7 + i-1] reaches offset 1791, exceeding the MAX_TP_DT buffer (1785 bytes) by 6 bytes.</td>
<td>2026-05-01</td>
<td>8.1</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37537" target="_blank" rel="noopener">CVE-2026-37537</a></td>
<td><a href="https://github.com/DanielMartensson/Open-SAE-J1939" target="_blank" rel="noopener">https://github.com/DanielMartensson/Open-SAE-J1939</a><br><a href="https://github.com/collin80/Open-SAE-J1939" target="_blank" rel="noopener">https://github.com/collin80/Open-SAE-J1939</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a></td>
</tr>
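The index arithmetic in the entry above, as an added example (not Open-SAE-J1939's code). MAX_TP_DT, the `data[0] - 1` index and the `255*7 + i-1` offset are from the description; the struct name, the function names and the assumption that each TP.DT frame carries one sequence byte followed by seven data bytes are this example's own. It reproduces the wrap for sequence number 0 and shows a checked store that rejects both that case and any frame whose seven bytes would not fit.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define MAX_TP_DT 1785           /* TP.DT reassembly buffer size (from the description) */
#define TP_DT_BYTES_PER_FRAME 7  /* assumption: 1 sequence byte + 7 data bytes per CAN frame */

struct tp_dt {
    uint8_t data[MAX_TP_DT];
};

/* Vulnerable arithmetic: a uint8_t index computed as data[0] - 1.
 * For data[0] == 0 this wraps to 255 instead of failing. */
static uint8_t vulnerable_index(uint8_t sequence_number)
{
    uint8_t index = sequence_number - 1;   /* (uint8_t)(0 - 1) == 255 */
    return index;
}

/* Byte offset the vulnerable code writes for frame data byte i (1..7). */
static size_t vulnerable_offset(uint8_t sequence_number, int i)
{
    return (size_t)vulnerable_index(sequence_number) * TP_DT_BYTES_PER_FRAME + (size_t)(i - 1);
}

/* Checked store of one TP.DT frame (8 bytes: sequence number + 7 data bytes).
 * Rejects sequence number 0, which would wrap, and any frame whose 7 bytes
 * would not fit inside the buffer. Returns 0 on success, -1 if rejected. */
static int store_tp_dt_frame_checked(struct tp_dt *tp, const uint8_t frame[8])
{
    uint8_t sequence_number = frame[0];
    if (sequence_number == 0)
        return -1;                                  /* the case that underflows */
    size_t index = (size_t)sequence_number - 1;     /* widened first, so no wrap */
    if (index * TP_DT_BYTES_PER_FRAME + TP_DT_BYTES_PER_FRAME > MAX_TP_DT)
        return -1;                                  /* frame would overrun the buffer */
    memcpy(&tp->data[index * TP_DT_BYTES_PER_FRAME], &frame[1], TP_DT_BYTES_PER_FRAME);
    return 0;
}

int main(void)
{
    struct tp_dt tp;
    memset(&tp, 0, sizeof tp);
    const uint8_t bad_frame[8]  = { 0x00, 1, 2, 3, 4, 5, 6, 7 };  /* constructed: sequence number 0 */
    const uint8_t good_frame[8] = { 0x01, 1, 2, 3, 4, 5, 6, 7 };  /* constructed: first real frame */
    const uint8_t last_frame[8] = { 0xFF, 1, 2, 3, 4, 5, 6, 7 };  /* constructed: sequence 255, last that fits */

    printf("sequence 0 -> index %u, last write at offset %zu (buffer is %d bytes)\n",
           vulnerable_index(0), vulnerable_offset(0, 7), MAX_TP_DT);
    printf("checked store: seq 0 -> %d, seq 1 -> %d, seq 255 -> %d\n",
           store_tp_dt_frame_checked(&tp, bad_frame),
           store_tp_dt_frame_checked(&tp, good_frame),
           store_tp_dt_frame_checked(&tp, last_frame));
    return 0;
}
```

With 1785 = 255 * 7, sequence numbers 1 through 255 map exactly onto the buffer, so the only value the bounds test ever rejects here is 0; the explicit zero check is still worth keeping because it names the protocol violation rather than relying on the arithmetic to catch it.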

<tr>
<td class="vendor-product">openampproject[.]org--OpenAMP v2025.10.0</td>
<td>OpenAMP v2025.10.0 ELF loader contains an integer overflow vulnerability in firmware image parsing. In elf_loader.c, it performs multiplication of two attacker-controlled 16-bit values from the ELF header without overflow checking. On 32-bit embedded systems (STM32MP1, Zynq, i.MX), large values can cause the product to wrap around to a small value.</td>
<td>2026-05-01</td>
<td>8.4</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37540" target="_blank" rel="noopener">CVE-2026-37540</a></td>
<td><a href="https://github.com/OpenAMP/open-amp" target="_blank" rel="noopener">https://github.com/OpenAMP/open-amp</a><br><a href="https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c" target="_blank" rel="noopener">https://github.com/OpenAMP/open-amp/blob/main/lib/remoteproc/elf_loader.c</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a></td>
</tr>
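Checked versus unchecked header arithmetic, as an added example in the spirit of the entry above (this is not OpenAMP's elf_loader.c). One caveat a reader should keep in mind: the product of two 16-bit values is at most 0xFFFE0001 and fits in an unsigned 32-bit integer on its own, so the wrap to a small value shown here appears once that product is added to a 32-bit offset. Which header fields are multiplied and how the result is used are this example's assumptions (it locates the end of the section header table at e_shoff + e_shentsize * e_shnum and compares it with the image size); the arithmetic is done in uint32_t to model a 32-bit target on any host.

```c
#include <stdint.h>
#include <stdio.h>

struct elf_header_fields {          /* only the fields this check needs (assumed selection) */
    uint32_t e_shoff;               /* offset of the section header table */
    uint16_t e_shentsize;           /* size of one section header entry */
    uint16_t e_shnum;               /* number of section headers */
};

/* Unchecked: mirrors the risky pattern. The 16x16 product fits in 32 bits,
 * but adding it to the 32-bit offset can wrap to a value far smaller than
 * the real end, so a later "end <= image_size" test passes. */
static uint32_t table_end_unchecked(const struct elf_header_fields *h)
{
    uint32_t table_size = (uint32_t)h->e_shentsize * h->e_shnum;
    return h->e_shoff + table_size;       /* may wrap modulo 2^32 */
}

/* Checked: each step is verified with the compiler's overflow builtins.
 * Returns 0 and sets *end on success, -1 if the header describes a table
 * that cannot lie inside an image of image_size bytes. */
static int table_end_checked(const struct elf_header_fields *h,
                             uint32_t image_size, uint32_t *end)
{
    uint32_t table_size, table_end;
    if (__builtin_mul_overflow(h->e_shentsize, h->e_shnum, &table_size))
        return -1;
    if (__builtin_add_overflow(h->e_shoff, table_size, &table_end))
        return -1;                          /* the wrap the unchecked path misses */
    if (table_end > image_size)
        return -1;                          /* table runs past the firmware image */
    *end = table_end;
    return 0;
}

/* Would an unchecked loader accept this header for an image of image_size bytes? */
static int unchecked_accepts(const struct elf_header_fields *h, uint32_t image_size)
{
    return table_end_unchecked(h) <= image_size;
}

int main(void)
{
    /* Constructed header: 0xFFFF * 0xFFFF = 0xFFFE0001; plus e_shoff 0x20000 wraps to 1. */
    struct elf_header_fields evil = { .e_shoff = 0x20000, .e_shentsize = 0xFFFF, .e_shnum = 0xFFFF };
    /* Constructed benign header: 40-byte entries, 10 of them, at offset 0x1000. */
    struct elf_header_fields sane = { .e_shoff = 0x1000, .e_shentsize = 40, .e_shnum = 10 };
    uint32_t image_size = 0x10000;          /* constructed: a 64 KiB firmware image */
    uint32_t end = 0;

    printf("evil: unchecked end = %u (accepted=%d), checked = %d\n",
           table_end_unchecked(&evil), unchecked_accepts(&evil, image_size),
           table_end_checked(&evil, image_size, &end));
    printf("sane: checked = %d, end = 0x%x\n",
           table_end_checked(&sane, image_size, &end), end);
    return 0;
}
```

The builtins are GCC and Clang extensions; on a toolchain without them the equivalent is a pre-check such as `table_size > UINT32_MAX - h->e_shoff` before the addition.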

<tr>
<td class="vendor-product">n/a--MixPHP Framework 2.x</td>
<td>Unsafe deserialization vulnerability in MixPHP Framework 2.x through 2.2.17. The sync-invoke TCP server (Server.php:87) receives data from a TCP socket, passes it directly to Opis\Closure\unserialize(), then executes the result via call_user_func(). No authentication or signature verification exists on the TCP connection. An attacker with access to the localhost TCP port (the server binds 127.0.0.1) can send a crafted serialized PHP closure to achieve arbitrary code execution.</td>
<td>2026-05-01</td>
<td>8.4</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37552" target="_blank" rel="noopener">CVE-2026-37552</a></td>
<td><a href="https://github.com/mix-php/mix" target="_blank" rel="noopener">https://github.com/mix-php/mix</a><br><a href="https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php" target="_blank" rel="noopener">https://github.com/mix-php/mix/blob/v2.2.17/src/sync-invoke/src/Server.php</a><br><a href="https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975" target="_blank" rel="noopener">https://gist.github.com/sgInnora/fa46386840fe978a30d7e53c458f2975</a></td>
</tr>

<tr>
<td class="vendor-product">benjaminprojas--WP Editor</td>
<td>The WP Editor plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.2.9.2. This is due to missing nonce verification in the 'add_plugins_page' and 'add_themes_page' functions. This makes it possible for unauthenticated attackers to overwrite arbitrary plugin and theme PHP files with attacker-controlled code via a forged request, provided they can trick a site administrator into performing an action such as clicking a link.</td>
<td>2026-05-01</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3772" target="_blank" rel="noopener">CVE-2026-3772</a></td>
<td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/b1bc4a87-d5de-4d66-9cc5-802ef11f886c?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorPlugins.php#L60</a><br><a href="https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-editor/trunk/classes/WPEditorThemes.php#L103</a><br><a href="https://plugins.trac.wordpress.org/changeset/3480577/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3480577/</a></td>
</tr>

<tr>
<td class="vendor-product">chartbrew--chartbrew</td>
<td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew allows authenticated users with access to one project to update or delete a SharePolicy record that belongs to a different project. The affected routes authorize the caller against the project in the URL path, but they never verify that policy_id belongs to that project. This permits cross-project modification of dashboard sharing rules, including visibility, password requirements, allowed parameters, and expiration settings. This issue has been patched in version 5.0.0.</td>
<td>2026-04-30</td>
<td>8.1</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40600" target="_blank" rel="noopener">CVE-2026-40600</a></td>
<td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-pq8h-2h99-39xm</a><br><a href="https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0</a></td>
</tr>

<tr>
<td class="vendor-product">TRENDnet--TEW-821DAP</td>
<td>A security vulnerability has been detected in TRENDnet TEW-821DAP 1.12B01. Impacted is the function auto_update_firmware of the component Firmware Update. The manipulation of the argument str leads to buffer overflow. The attack may be initiated remotely. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
<td>2026-05-02</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7607" target="_blank" rel="noopener">CVE-2026-7607</a></td>
<td><a href="https://vuldb.com/vuln/360564" target="_blank" rel="noopener">VDB-360564 | TRENDnet TEW-821DAP Firmware Udpate auto_update_firmware buffer overflow</a><br><a href="https://vuldb.com/vuln/360564/cti" target="_blank" rel="noopener">VDB-360564 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806214" target="_blank" rel="noopener">Submit #806214 | Trendnet TEW-821DAP v1.12B01 CWE-120 Buffer Copy without Checking Size of Input</a><br><a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_BO.md</a></td>
</tr>

<tr>
<td class="vendor-product">carazo--Import and export users and customers</td>
<td>The Import and export users and customers plugin for WordPress is vulnerable to Privilege Escalation in all versions up to and including 2.0.8 via the `save_extra_user_profile_fields()` function. This is due to an incomplete blocklist that correctly restricts capability meta keys for the primary site (e.g., `wp_capabilities`, `wp_user_level`) but fails to block the equivalent meta keys for any other subsite in a WordPress Multisite network (e.g., `wp_2_capabilities`, `wp_2_user_level`), allowing these keys to pass the `in_array()` check and be written directly to user meta via `update_user_meta()`. This makes it possible for authenticated attackers, with Subscriber-level access and above, to escalate their privileges to Administrator on any subsite within the Multisite network by submitting a crafted profile update to `/wp-admin/profile.php`. Exploitation requires that an administrator has previously imported a CSV file containing multisite-prefixed capability column headers and has enabled the 'Show fields in profile?' option, which causes those keys to be stored in the `acui_columns` option and exposed as editable fields on the user profile page.</td>
<td>2026-05-02</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7641" target="_blank" rel="noopener">CVE-2026-7641</a></td>
<td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/368cff00-6a86-443e-aec4-4115a229a3c1?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L221</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L221</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/columns.php#L198</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/columns.php#L198</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/helper.php#L150</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/helper.php#L150</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/trunk/classes/multisite.php#L21</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.8/classes/multisite.php#L21</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L221</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/columns.php#L198</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/helper.php#L150</a><br><a href="https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/import-users-from-csv-with-meta/tags/2.0.6/classes/multisite.php#L21</a><br><a href="https://plugins.trac.wordpress.org/changeset/3515646" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3515646</a></td>
</tr>

<tr>
<td class="vendor-product">Cozmoslabs--Profile Builder Pro</td>
<td>The Profile Builder Pro plugin for WordPress is vulnerable to PHP Object Injection in all versions up to and including 3.14.5. This is due to the use of PHP's maybe_unserialize() function on the attacker-controlled 'args' POST parameter within the wppb_request_users_pins_action_callback() AJAX handler, which lacked any nonce verification, type checking, or input validation before deserialization. Because the handler was registered with both wp_ajax_ and wp_ajax_nopriv_ hooks, it was reachable by completely unauthenticated users. This makes it possible for unauthenticated attackers to inject arbitrary PHP objects into application memory.</td>
<td>2026-05-02</td>
<td>8.1</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7647" target="_blank" rel="noopener">CVE-2026-7647</a></td>
<td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/c7b897f5-f988-4515-83bc-456f041d7e2e?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L271</a><br><a href="https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L271</a><br><a href="https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/profile-builder-pro/trunk/add-ons/user-listing/one-map-listing.php#L13</a><br><a href="https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/profile-builder-pro/tags/3.14.5/add-ons/user-listing/one-map-listing.php#L13</a></td>
</tr>

<tr>
<td class="vendor-product">Shenzhen Libituo Technology--LBT-T300-HW1</td>
<td>A flaw has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. This issue affects the function start_single_service of the component Web Management Interface. Manipulation of the argument vpn_pptp_server/vpn_l2tp_server can lead to buffer overflow. The attack can be executed remotely. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7674" target="_blank" rel="noopener">CVE-2026-7674</a></td>
<td><a href="https://vuldb.com/vuln/360827" target="_blank" rel="noopener">VDB-360827 | Shenzhen Libituo Technology LBT-T300-HW1 Web Management start_single_service buffer overflow</a><br><a href="https://vuldb.com/vuln/360827/cti" target="_blank" rel="noopener">VDB-360827 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/800705" target="_blank" rel="noopener">Submit #800705 | Libtor Technology lbt-t300-hw1 &lt;=V1.2.8 Buffer Overflow</a><br><a href="https://vuldb.com/submit/800706" target="_blank" rel="noopener">Submit #800706 | Libtor Technology lbt-t300-hw1 &lt;=V1.2.8 Buffer Overflow (Duplicate)</a><br><a href="https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md" target="_blank" rel="noopener">https://github.com/hmKunlun/lbt-t300-hw1/blob/main/reselov_vpn_server%EF%BC%88vpn_pptp_server%EF%BC%89.md</a></td>
</tr>

<tr>
<td class="vendor-product">Shenzhen Libituo Technology--LBT-T300-HW1</td>
<td>A vulnerability has been found in Shenzhen Libituo Technology LBT-T300-HW1 up to 1.2.8. Impacted is the function start_lan of the file /apply.cgi. The manipulation of the argument Channel/ApCliSsid leads to buffer overflow. The attack can be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7675" target="_blank" rel="noopener">CVE-2026-7675</a></td>
<td><a href="https://vuldb.com/vuln/360828" target="_blank" rel="noopener">VDB-360828 | Shenzhen Libituo Technology LBT-T300-HW1 apply.cgi start_lan buffer overflow</a><br><a href="https://vuldb.com/vuln/360828/cti" target="_blank" rel="noopener">VDB-360828 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/800708" target="_blank" rel="noopener">Submit #800708 | Libtor Technology lbt-t300-hw1 &lt;=V1.2.8 Buffer Overflow</a><br><a href="https://vuldb.com/submit/800709" target="_blank" rel="noopener">Submit #800709 | Libtor Technology &lt;=V1.2.8 Buffer Overflow (Duplicate)</a><br><a href="https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md" target="_blank" rel="noopener">https://github.com/hmKunlun/lbt-t300-hw1/blob/main/generate_conf_router(Channel).md</a></td>
</tr>

<tr>
<td class="vendor-product">Edimax--BR-6428nC</td>
<td>A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7684" target="_blank" rel="noopener">CVE-2026-7684</a></td>
<td><a href="https://vuldb.com/vuln/360843" target="_blank" rel="noopener">VDB-360843 | Edimax BR-6428nC setWAN buffer overflow</a><br><a href="https://vuldb.com/vuln/360843/cti" target="_blank" rel="noopener">VDB-360843 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/801599" target="_blank" rel="noopener">Submit #801599 | Edimax BR-6428nC v1.16 Buffer Overflow</a><br><a href="https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2" target="_blank" rel="noopener">https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2</a></td>
</tr>

<tr>
<td class="vendor-product">Edimax--BR-6208AC</td>
<td>A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>8.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7685" target="_blank" rel="noopener">CVE-2026-7685</a></td>
<td><a href="https://vuldb.com/vuln/360844" target="_blank" rel="noopener">VDB-360844 | Edimax BR-6208AC setWAN buffer overflow</a><br><a href="https://vuldb.com/vuln/360844/cti" target="_blank" rel="noopener">VDB-360844 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/801606" target="_blank" rel="noopener">Submit #801606 | Edimax BR-6208AC V2_1.02 Buffer Overflow</a><br><a href="https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2" target="_blank" rel="noopener">https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpDfGateway-Stack-Overflow-33db5c52018a80c1835dd4fab4b6c7f2</a></td>
</tr>

<tr>
<td class="vendor-product">Alloksoft--Allok AVI to DVD SVCD VCD Converter</td>
<td>Allok AVI to DVD SVCD VCD Converter 4.0.1217 contains a structured exception handling (SEH) based buffer overflow vulnerability that allows local attackers to execute arbitrary code by supplying a malicious string in the License Name field. Attackers can craft a payload with junk data, NSEH bypass, SEH handler address, and shellcode that triggers the overflow when pasted into the License Name field and the Register button is clicked, resulting in code execution.</td>
<td>2026-04-29</td>
<td>7.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25302" target="_blank" rel="noopener">CVE-2018-25302</a></td>
<td><a href="https://www.exploit-db.com/exploits/44549" target="_blank" rel="noopener">ExploitDB-44549</a><br><a href="http://www.alloksoft.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/allok-avi-to-dvd-svcd-vcd-converter-buffer-overflow-seh" target="_blank" rel="noopener">VulnCheck Advisory: Allok AVI to DVD SVCD VCD Converter 4.0.1217 Buffer Overflow SEH</a></td>
</tr>

<tr>
<td class="vendor-product">mybb--MyBB Recent threads</td>
<td>MyBB Recent threads 17.0 contains a persistent cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating threads with crafted subject lines. Attackers can create threads with script tags in the subject parameter to execute arbitrary JavaScript in the browsers of all users viewing the index page.</td>
<td>2026-04-29</td>
<td>7.2</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25309" target="_blank" rel="noopener">CVE-2018-25309</a></td>
<td><a href="https://www.exploit-db.com/exploits/44420" target="_blank" rel="noopener">ExploitDB-44420</a><br><a href="https://community.mybb.com/mods.php?action=view&pid=191" target="_blank" rel="noopener">Product Reference</a><br><a href="https://www.vulncheck.com/advisories/mybb-recent-threads-persistent-cross-site-scripting" target="_blank" rel="noopener">VulnCheck Advisory: MyBB Recent threads 17.0 Persistent Cross-Site Scripting</a></td>
</tr>

<tr>
<td class="vendor-product">Weaver Network Co., Ltd.--E-cology</td>
<td>Weaver (Fanwei) E-cology 9.5 versions prior to 10.52 contain an arbitrary file read vulnerability in the XmlRpcServlet interface at the XML-RPC endpoint that allows unauthenticated remote attackers to read arbitrary files by supplying file paths to the WorkflowService.getAttachment and WorkflowService.LoadTemplateProp methods. Attackers can exploit these methods without authentication to retrieve sensitive files including system configuration files and database credentials from the server. Exploitation evidence was first observed by the Shadowserver Foundation on 2022-12-14 (UTC).</td>
<td>2026-04-30</td>
<td>7.5</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2022-50992" target="_blank" rel="noopener">CVE-2022-50992</a></td>
<td><a href="https://www.weaver.com.cn/cs/securityDownload.html#" target="_blank" rel="noopener">https://www.weaver.com.cn/cs/securityDownload.html#</a><br><a href="https://www.weaver.com.cn/cs/ecology_full_log.html" target="_blank" rel="noopener">https://www.weaver.com.cn/cs/ecology_full_log.html</a><br><a href="https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245" target="_blank" rel="noopener">https://www.cnvd.org.cn/flaw/show/CNVD-2022-43245</a><br><a href="https://blog.csdn.net/qq_36618918/article/details/135104295" target="_blank" rel="noopener">https://blog.csdn.net/qq_36618918/article/details/135104295</a><br><a href="https://blog.csdn.net/xiayu729100940/article/details/135205082" target="_blank" rel="noopener">https://blog.csdn.net/xiayu729100940/article/details/135205082</a><br><a href="https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/weaver-e-cology-unauthenticated-arbitrary-file-read-via-xmlrpcservlet</a></td>
</tr>

<tr>
<td class="vendor-product">n/a--django-mdeditor</td>
<td>All versions of the package django-mdeditor are vulnerable to Missing Authentication for Critical Function in the image upload endpoint. An attacker can upload malicious files and achieve arbitrary code execution since this endpoint lacks authentication protection and proper sanitisation of file names.</td>
<td>2026-04-30</td>
<td>7.1</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2025-13030" target="_blank" rel="noopener">CVE-2025-13030</a></td>
<td><a href="https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926" target="_blank" rel="noopener">https://security.snyk.io/vuln/SNYK-PYTHON-DJANGOMDEDITOR-8630926</a><br><a href="https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25" target="_blank" rel="noopener">https://github.com/pylixm/django-mdeditor/blob/e8dd73fb8571ddff2e7a20a4bfa88c376cc33b62/mdeditor/views.py%23L25</a><br><a href="https://github.com/pylixm/django-mdeditor/issues/151" target="_blank" rel="noopener">https://github.com/pylixm/django-mdeditor/issues/151</a><br><a href="https://github.com/pylixm/django-mdeditor/pull/185" target="_blank" rel="noopener">https://github.com/pylixm/django-mdeditor/pull/185</a><br><a href="https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe" target="_blank" rel="noopener">https://github.com/pylixm/django-mdeditor/commit/3e80f9edcabc5d2fc136b05a501964b8a5e97cfe</a></td>
</tr>

<tr>
<td class="vendor-product">CryptPad--CryptPad</td>
<td>CryptPad 2025.3.1 allows an unbounded WebSocket frame flood. A remote, unauthenticated attacker can significantly degrade or deny service for all users of a CryptPad instance. Fixed in 2026.2.2.</td>
<td>2026-04-30</td>
<td>7.5</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2025-51846" target="_blank" rel="noopener">CVE-2025-51846</a></td>
<td><a href="https://github.com/cryptpad/cryptpad/pull/2239/changes/1e0c06ad8a0c5dab795f85f9730ec2693320c62e" target="_blank" rel="noopener">url</a><br><a href="https://www.cve.org/CVERecord?id=CVE-2025-51846" target="_blank" rel="noopener">url</a><br><a href="https://raw.githubusercontent.com/cisagov/CSAF/develop/csaf_files/IT/white/2026/va-26-119-01.json" target="_blank" rel="noopener">url</a><br><a href="https://github.com/JohnPerifanis/cryptpad-cve-2025-51846-advisory/blob/main/README.md" target="_blank" rel="noopener">url</a></td>
</tr>

<tr>
<td class="vendor-product">Zyxel--DX3301-T0 firmware</td>
<td>A post-authentication command injection vulnerability in the "DomainName" parameter of the DHCP configuration file in Zyxel DX3301-T0 and EX3301-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated attacker with administrator privileges to execute OS commands on an affected device.</td>
<td>2026-04-28</td>
<td>7.2</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1460" target="_blank" rel="noopener">CVE-2026-1460</a></td>
<td><a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026" target="_blank" rel="noopener">https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026</a></td>
</tr>

<tr>
<td class="vendor-product">OPPO--ColorOS Assistant</td>
<td>ColorOS Assistant has an unauthenticated start-download channel, leading to file path traversal.</td>
<td>2026-04-30</td>
<td>7.1</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22070" target="_blank" rel="noopener">CVE-2026-22070</a></td>
<td><a href="https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024" target="_blank" rel="noopener">https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2049764240746881024</a></td>
</tr>

<tr>
<td class="vendor-product">VEGA Grieshaber--VEGAPULS 6X Two-wire PROFINET, Modbus TCP, OPC UA (Ethernet-APL)</td>
<td>An unsecured configuration interface on affected devices allows unauthenticated remote attackers to access sensitive information, including hashed credentials and access codes.</td>
<td>2026-04-28</td>
<td>7.5</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3323" target="_blank" rel="noopener">CVE-2026-3323</a></td>
<td><a href="https://certvde.com/en/advisories/VDE-2026-016" target="_blank" rel="noopener">https://certvde.com/en/advisories/VDE-2026-016</a><br><a href="https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json" target="_blank" rel="noopener">https://vega.csaf-tp.certvde.com/.well-known/csaf/white/2026/vde-2026-016.json</a></td>
</tr>

<tr>
<td class="vendor-product">redhat[.]com--DTLS</td>
<td>A flaw in GnuTLS DTLS handshake parsing allows malformed fragments with zero length and non-zero offset, leading to an integer underflow during reassembly and resulting in an out-of-bounds read. This issue is remotely exploitable and may cause information disclosure or denial of service.</td>
<td>2026-04-30</td>
<td>7.5</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33845" target="_blank" rel="noopener">CVE-2026-33845</a></td>
<td><a href="https://access.redhat.com/errata/RHSA-2026:13274" target="_blank" rel="noopener">RHSA-2026:13274</a><br><a href="https://access.redhat.com/security/cve/CVE-2026-33845" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-33845</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2450624" target="_blank" rel="noopener">RHBZ#2450624</a></td>
</tr>

    <tr>
    <td class="vendor-product">Dell--iDRAC10</td>
    <td>Dell iDRAC10, versions 1.20.70.50 and 1.30.05.10, contains an Insufficiently Protected Credentials vulnerability. A race condition vulnerability exists that could allow an authenticated low-privileged attacker to gain elevated access.</td>
    <td>2026-04-29</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35155" target="_blank" rel="noopener">CVE-2026-35155</a></td>
    <td><a href="https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability" target="_blank" rel="noopener">https://www.dell.com/support/kbdoc/en-us/000452298/dsa-2026-187-security-update-for-dell-idrac10-vulnerability</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0</td>
    <td>AGL app-framework-binder (afb-daemon) through v19.90.0 contains a privilege escalation vulnerability in the supervision Do command. The on_supervision_call function in src/afb-supervision.c explicitly nullifies the request credentials by calling afb_context_change_cred(&amp;xreq-&gt;context, NULL) before dispatching an attacker-controlled API call via xapi-&gt;itf-&gt;call(xapi-&gt;closure, xreq). The NULL propagation chain through afb-context.c:110 (context-&gt;credentials = afb_cred_addref(NULL)) and afb-cred.c:163 (returns NULL when cred is NULL) confirms that credentials are zeroed before the target API executes. The attacker controls both api and verb parameters via JSON input, allowing execution of any registered API with a NULL credential context. APIs that rely on context-&gt;credentials for authorization decisions may fail open when receiving NULL credentials, enabling privilege escalation. This vulnerability was introduced in commit abbb4599f0b921c6f434b6bd02bcfb277eecf745 on 2018-02-14.</td>
    <td>2026-05-01</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37525" target="_blank" rel="noopener">CVE-2026-37525</a></td>
    <td><a href="https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder" target="_blank" rel="noopener">https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder</a><br><a href="https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643" target="_blank" rel="noopener">https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL) afb-daemon v19.90.0</td>
    <td>AGL app-framework-binder (afb-daemon) through v19.90.0 allows any local process to execute privileged supervision commands (Exit, Do, Sclose, Config, Trace, Debug, Token, slist) without authentication via the abstract Unix socket @urn:AGL:afs:supervision:socket. The on_supervision_call function in src/afb-supervision.c dispatches all 8 commands without any credential verification. The abstract socket has no DAC protection, as acknowledged in the official CAUTION comment in src/afs-supervision.h. This allows a low-privileged local process to kill the daemon (DoS via Exit command), execute arbitrary API calls (via Do command), close arbitrary user sessions (via Sclose command), or leak the entire global configuration (via Config command). The vulnerability was introduced in commit b8c9d5de384efcfa53ebdb3f0053d7b3723777e1 on 2017-06-29.</td>
    <td>2026-05-01</td>
    <td>7.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37526" target="_blank" rel="noopener">CVE-2026-37526</a></td>
    <td><a href="https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder" target="_blank" rel="noopener">https://gerrit.automotivelinux.org/gerrit/src/app-framework-binder</a><br><a href="https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643" target="_blank" rel="noopener">https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL) aglservice v17.1.12</td>
    <td>AGL agl-service-can-low-level through 17.1.12 contains a heap buffer over-read in the isotp-c library. In isotp_continue_receive (receive.c:87-89), the payload_length for a Single Frame is extracted from a 4-bit nibble in the CAN frame data, yielding values 0-15. However, a standard CAN frame is only 8 bytes, with payload starting at data[1] (7 bytes available). When payload_length exceeds the available data (e.g., nibble=15 but only 7 payload bytes exist), memcpy(message.payload, &amp;data[1], payload_length) reads up to 8 bytes past the end of the data buffer.</td>
    <td>2026-05-01</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37532" target="_blank" rel="noopener">CVE-2026-37532</a></td>
    <td><a href="https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level" target="_blank" rel="noopener">https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level</a><br><a href="https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643" target="_blank" rel="noopener">https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL) isotp-c</td>
    <td>openxc/isotp-c through commit 5a5d19245f65189202719321facd49ce6f5d46ac (2021-08-09) contains an out-of-bounds read in the ISO-TP Single Frame receive handler, where the 4-bit payload length nibble is used directly as the memcpy size without validating it against the actual CAN data length. A malicious CAN frame with an oversized length nibble can cause memory reads beyond the buffer, allowing attackers to cause a denial of service, or gain sensitive information.</td>
    <td>2026-05-01</td>
    <td>7.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37535" target="_blank" rel="noopener">CVE-2026-37535</a></td>
    <td><a href="https://github.com/openxc/isotp-c" target="_blank" rel="noopener">https://github.com/openxc/isotp-c</a><br><a href="https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c" target="_blank" rel="noopener">https://github.com/openxc/isotp-c/blob/master/src/isotp/receive.c</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Vanetza V2X v26.02</td>
    <td>An issue was discovered in Vanetza V2X v26.02 allowing remote unauthorized attackers to cause a denial of service. The vulnerability exists in the GeoNetworking packet processing pipeline where OpenSSL exceptions from ECC point validation (invalid compressed point, point not on curve) are not properly caught by the Router::indicate() call chain. The openssl_wrapper.cpp check() function (line 19) throws openssl::Exception when OpenSSL operations fail. The parser's catch block in parse_secured() should catch these, but the exception escapes through subsequent processing stages (indicate_common, indicate_extended). This causes std::terminate, crashing the V2X receiver.</td>
    <td>2026-05-01</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37554" target="_blank" rel="noopener">CVE-2026-37554</a></td>
    <td><a href="https://github.com/riebl/vanetza" target="_blank" rel="noopener">https://github.com/riebl/vanetza</a><br><a href="https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp" target="_blank" rel="noopener">https://github.com/riebl/vanetza/blob/master/vanetza/security/openssl_wrapper.cpp</a><br><a href="https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp" target="_blank" rel="noopener">https://github.com/riebl/vanetza/blob/master/vanetza/geonet/router.cpp</a><br><a href="https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f" target="_blank" rel="noopener">https://gist.github.com/sgInnora/45128ae15d52df7238680a8f2da8359f</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes public chart retrieval and export routes that only verify project-level public access and, for exports, a team-level export toggle. The routes do not verify whether the target chart is actually allowed on the public report or whether the governing SharePolicy permits public access. An unauthenticated attacker who knows a chart identifier in a public project can read or export chart data for charts that were intentionally hidden from the report. This issue has been patched in version 5.0.0.</td>
    <td>2026-04-30</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40595" target="_blank" rel="noopener">CVE-2026-40595</a></td>
    <td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-mq7q-6xh6-5649</a><br><a href="https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">cyberhobo--Geo Mashup</td>
    <td>The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'sort' parameter in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective in the `ORDER BY` context because the value is not enclosed in quotes. Additionally, while a `sanitize_sort_arg()` allowlist-based sanitizer was added in version 1.13.18, it is only applied in the AJAX code path (`sanitize_query_args()`) and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.</td>
    <td>2026-05-02</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-4060" target="_blank" rel="noopener">CVE-2026-4060</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2fa5ae9a-532c-40f9-b70a-217f0f9cd473?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1767</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1785</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166</a><br><a href="https://plugins.trac.wordpress.org/changeset/3503627/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3503627/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes POST /api/chart/:chart_id/query without authentication. The endpoint only checks team.allowReportRefresh and does not verify that the target chart belongs to a public report, that the project is public, or that sharing policy allows the operation. An unauthenticated attacker who knows a chart identifier can trigger a data refresh and retrieve the current data of private charts. This issue has been patched in version 5.0.0.</td>
    <td>2026-04-30</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40601" target="_blank" rel="noopener">CVE-2026-40601</a></td>
    <td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-cpr6-mhgm-893w</a><br><a href="https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">cyberhobo--Geo Mashup</td>
    <td>The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'map_post_type' parameter in all versions up to, and including, 1.13.18. This is due to the `SearchResults` hook explicitly calling `stripslashes_deep($_POST)` which removes WordPress magic quotes protection, followed by the unsanitized `map_post_type` value being concatenated into an `IN(...)` clause without `esc_sql()` or `$wpdb-&gt;prepare()`. The 'any' branch of the same code correctly applies `array_map('esc_sql', ...)`, but the else branch does not. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach. Exploitation requires the Geo Search feature to be enabled in plugin settings.</td>
    <td>2026-05-02</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-4061" target="_blank" rel="noopener">CVE-2026-4061</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/cc3cf6c5-643e-49ca-b09c-bd7cfec328ee?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1748</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Hooks/SearchResults.php#L39</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/php/Search.php#L152</a><br><a href="https://plugins.trac.wordpress.org/changeset/3503627/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3503627/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">cyberhobo--Geo Mashup</td>
    <td>The Geo Mashup plugin for WordPress is vulnerable to Time-Based SQL Injection via the 'object_ids' and 'exclude_object_ids' parameters in all versions up to, and including, 1.13.18. This is due to insufficient escaping on the user supplied parameters and lack of sufficient preparation on the existing SQL query. The `esc_sql()` function is applied but is ineffective because the values are placed in an unquoted `IN(...)` / `NOT IN(...)` SQL context - `esc_sql()` only escapes quote characters and provides no protection against parenthesis or SQL keyword injection. Additionally, while a numeric-only sanitizer exists in `sanitize_query_args()`, it is only applied in the AJAX code path and not in the `render-map.php` or template tag code paths. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database via a time-based blind approach.</td>
    <td>2026-05-02</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-4062" target="_blank" rel="noopener">CVE-2026-4062</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/abc5ed0a-504f-4d8c-9662-a4c9f7c7acb8?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1755</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/geo-mashup-db.php#L1759</a><br><a href="https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/geo-mashup/trunk/render-map.php#L166</a><br><a href="https://plugins.trac.wordpress.org/changeset/3503627/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3503627/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--libssh2</td>
    <td>A security vulnerability has been detected in libssh2 up to 1.11.1. The impacted element is the function userauth_password of the file src/userauth.c. Such manipulation of the argument username_len/password_len leads to integer overflow. The attack may be launched remotely. The name of the patch is 256d04b60d80bf1190e96b0ad1e91b2174d744b1. A patch should be applied to remediate this issue.</td>
    <td>2026-05-01</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7598" target="_blank" rel="noopener">CVE-2026-7598</a></td>
    <td><a href="https://vuldb.com/vuln/360555" target="_blank" rel="noopener">VDB-360555 | libssh2 userauth.c userauth_password integer overflow</a><br><a href="https://vuldb.com/vuln/360555/cti" target="_blank" rel="noopener">VDB-360555 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/805564" target="_blank" rel="noopener">Submit #805564 | libssh2 &lt;= 1.11.1 Integer Overflow</a><br><a href="https://github.com/libssh2/libssh2/pull/1858" target="_blank" rel="noopener">https://github.com/libssh2/libssh2/pull/1858</a><br><a href="https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1" target="_blank" rel="noopener">https://github.com/libssh2/libssh2/commit/256d04b60d80bf1190e96b0ad1e91b2174d744b1</a><br><a href="https://github.com/libssh2/libssh2/" target="_blank" rel="noopener">https://github.com/libssh2/libssh2/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">innocommerce--InnoShop</td>
    <td>A vulnerability has been found in innocommerce InnoShop up to 0.7.8. The affected element is the function InstallServiceProvider::boot of the file innopacks/install/src/InstallServiceProvider.php of the component Installation Endpoint. The manipulation leads to improper authentication. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The identifier of the patch is 45758e4ec22451ab944ae2ae826b1e70f6450dc9. It is recommended to apply a patch to fix this issue.</td>
    <td>2026-05-02</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7630" target="_blank" rel="noopener">CVE-2026-7630</a></td>
    <td><a href="https://vuldb.com/vuln/360576" target="_blank" rel="noopener">VDB-360576 | innocommerce InnoShop Installation Endpoint InstallServiceProvider.php boot improper authentication</a><br><a href="https://vuldb.com/vuln/360576/cti" target="_blank" rel="noopener">VDB-360576 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806484" target="_blank" rel="noopener">Submit #806484 | innocommerce innoshop &lt;= 0.7.3 Missing Authorization</a><br><a href="https://github.com/innocommerce/innoshop/issues/314" target="_blank" rel="noopener">https://github.com/innocommerce/innoshop/issues/314</a><br><a href="https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458" target="_blank" rel="noopener">https://github.com/innocommerce/innoshop/issues/314#issuecomment-4357464458</a><br><a href="https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9" target="_blank" rel="noopener">https://github.com/innocommerce/innoshop/commit/45758e4ec22451ab944ae2ae826b1e70f6450dc9</a><br><a href="https://github.com/innocommerce/innoshop/" target="_blank" rel="noopener">https://github.com/innocommerce/innoshop/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">code-projects--Online Hospital Management System</td>
    <td>A vulnerability was determined in code-projects Online Hospital Management System 1.0. This affects an unknown function of the file /viewappointment.php. This manipulation of the argument delid causes sql injection. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.</td>
    <td>2026-05-02</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7632" target="_blank" rel="noopener">CVE-2026-7632</a></td>
    <td><a href="https://vuldb.com/vuln/360578" target="_blank" rel="noopener">VDB-360578 | code-projects Online Hospital Management System viewappointment.php sql injection</a><br><a href="https://vuldb.com/vuln/360578/cti" target="_blank" rel="noopener">VDB-360578 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806633" target="_blank" rel="noopener">Submit #806633 | code-projects Online Hospital Management System In PHP 1.0 SQL Injection</a><br><a href="https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md" target="_blank" rel="noopener">https://github.com/Sh1tKing/cve/blob/main/time-blind-sql.md</a><br><a href="https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md" target="_blank" rel="noopener">https://github.com/Sh1tKing/cve/blob/main/CVE-2026-7632.md</a><br><a href="https://code-projects.org/" target="_blank" rel="noopener">https://code-projects.org/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">ChatGPTNextWeb--NextChat</td>
    <td>A vulnerability has been found in ChatGPTNextWeb NextChat up to 2.16.1. Affected is the function addMcpServer of the file app/mcp/actions.ts. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7644" target="_blank" rel="noopener">CVE-2026-7644</a></td>
    <td><a href="https://vuldb.com/vuln/360756" target="_blank" rel="noopener">VDB-360756 | ChatGPTNextWeb NextChat actions.ts addMcpServer improper authorization</a><br><a href="https://vuldb.com/vuln/360756/cti" target="_blank" rel="noopener">VDB-360756 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806851" target="_blank" rel="noopener">Submit #806851 | ChatGPTNextWeb NextChat 2.16.1 Unauthenticated Remote Code Execution</a><br><a href="https://github.com/ChatGPTNextWeb/NextChat/issues/6757" target="_blank" rel="noopener">https://github.com/ChatGPTNextWeb/NextChat/issues/6757</a><br><a href="https://github.com/ChatGPTNextWeb/NextChat/" target="_blank" rel="noopener">https://github.com/ChatGPTNextWeb/NextChat/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">reputeinfosystems--ARMember Membership Plugin, Content Restriction, Member Levels, User Profile &amp; User signup</td>
    <td>The ARMember - Membership Plugin, Content Restriction, Member Levels, User Profile &amp; User signup plugin for WordPress is vulnerable to time-based blind SQL Injection via the 'orderby' parameter in all versions up to, and including, 4.0.60 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.</td>
    <td>2026-05-02</td>
    <td>7.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7649" target="_blank" rel="noopener">CVE-2026-7649</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/eb064156-f54b-4401-9d4f-29f0952deb24?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_members_directory.php#L1019</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_members_directory.php#L1019</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L434</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L434</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/trunk/core/classes/class.arm_shortcodes.php#L36</a><br><a href="https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/armember-membership/tags/4.0.60/core/classes/class.arm_shortcodes.php#L36</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MikroTik--RouterOS</td>
    <td>A vulnerability was identified in MikroTik RouterOS 6.49.8. This vulnerability affects the function ASN1_STRING_data in the library nova/lib/www/scep.p of the component SCEP Endpoint. The manipulation of the argument transactionID/messageType leads to out-of-bounds read. The attack may be initiated remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-02</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7668" target="_blank" rel="noopener">CVE-2026-7668</a></td>
    <td><a href="https://vuldb.com/vuln/360804" target="_blank" rel="noopener">VDB-360804 | MikroTik RouterOS SCEP Endpoint scep.p ASN1_STRING_data out-of-bounds</a><br><a href="https://vuldb.com/vuln/360804/cti" target="_blank" rel="noopener">VDB-360804 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/798623" target="_blank" rel="noopener">Submit #798623 | MikroTik RouterOS 6.49.8 Out-of-Bounds Read</a><br><a href="https://github.com/ezio315/cve/issues/4" target="_blank" rel="noopener">https://github.com/ezio315/cve/issues/4</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Jinher--OA</td>
    <td>A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/UserSel.aspx. This manipulation of the argument DeptIDList causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-02</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7670" target="_blank" rel="noopener">CVE-2026-7670</a></td>
    <td><a href="https://vuldb.com/vuln/360818" target="_blank" rel="noopener">VDB-360818 | Jinher OA UserSel.aspx sql injection</a><br><a href="https://vuldb.com/vuln/360818/cti" target="_blank" rel="noopener">VDB-360818 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/799506" target="_blank" rel="noopener">Submit #799506 | Jinhe OA V1.0 SQL Injection</a><br><a href="https://github.com/zzlln/cvecve/issues/1" target="_blank" rel="noopener">https://github.com/zzlln/cvecve/issues/1</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">YunaiV--yudao-cloud</td>
    <td>A security flaw has been discovered in YunaiV yudao-cloud up to 2026.01. This impacts the function getAccessToken of the file yudao-module-system-biz/src/main/java/io/github/ruoyi/common/oauth2/service/impl/OAuth2TokenServiceImpl.java. Performing a manipulation results in improper authentication. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7679" target="_blank" rel="noopener">CVE-2026-7679</a></td>
    <td><a href="https://vuldb.com/vuln/360832" target="_blank" rel="noopener">VDB-360832 | YunaiV yudao-cloud OAuth2TokenServiceImpl.java getAccessToken improper authentication</a><br><a href="https://vuldb.com/vuln/360832/cti" target="_blank" rel="noopener">VDB-360832 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/800866" target="_blank" rel="noopener">Submit #800866 | YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness</a><br><a href="https://github.com/9str0IL/CVE/issues/1" target="_blank" rel="noopener">https://github.com/9str0IL/CVE/issues/1</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Acrel Electrical--ECEMS Enterprise Microgrid Energy Efficiency Management System</td>
    <td>A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 in an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Manipulation of the argument fCircuitids leads to SQL injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7694" target="_blank" rel="noopener">CVE-2026-7694</a></td>
    <td><a href="https://vuldb.com/vuln/360863" target="_blank" rel="noopener">VDB-360863 | Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection</a><br>
    <a href="https://vuldb.com/vuln/360863/cti" target="_blank" rel="noopener">VDB-360863 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/803271" target="_blank" rel="noopener">Submit #803271 | Acrel Electric Co., Ltd. Enterprise Microgrid Energy Efficiency Management System (ECEMS) 1.3.0 SQL Injection</a><br>
    <a href="https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb" target="_blank" rel="noopener">https://ucn9h68n9289.feishu.cn/wiki/WZMewApmsiT3PMkCJfzcASEznOb</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform</td>
    <td>A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 in an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Manipulation of the argument fCircuitids leads to SQL injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7695" target="_blank" rel="noopener">CVE-2026-7695</a></td>
    <td><a href="https://vuldb.com/vuln/360864" target="_blank" rel="noopener">VDB-360864 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection</a><br>
    <a href="https://vuldb.com/vuln/360864/cti" target="_blank" rel="noopener">VDB-360864 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/803275" target="_blank" rel="noopener">Submit #803275 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 SQL Injection</a><br>
    <a href="https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg" target="_blank" rel="noopener">https://ucn9h68n9289.feishu.cn/wiki/QoXfwTAOiiYw2OkO0vAc7b7SnGg</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Tiandy--Easy7 Integrated Management Platform</td>
    <td>A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0 in an unknown function of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Manipulation of the argument week leads to OS command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7698" target="_blank" rel="noopener">CVE-2026-7698</a></td>
    <td><a href="https://vuldb.com/vuln/360867" target="_blank" rel="noopener">VDB-360867 | Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection</a><br>
    <a href="https://vuldb.com/vuln/360867/cti" target="_blank" rel="noopener">VDB-360867 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/804048" target="_blank" rel="noopener">Submit #804048 | Tiandy Technologies Co., Ltd. Tiandy-Easy7 7.17.0 OS Command Injection</a><br>
    <a href="https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c" target="_blank" rel="noopener">https://ucn9h68n9289.feishu.cn/wiki/Yslcw7QqWiRjUZkCcvkcJI62n2c</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">AV Stumpfl--Pixera Two Media Server</td>
    <td>A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2 in an unknown function of the component Websocket API. Manipulation leads to code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 addresses this issue.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7703" target="_blank" rel="noopener">CVE-2026-7703</a></td>
    <td><a href="https://vuldb.com/vuln/360872" target="_blank" rel="noopener">VDB-360872 | AV Stumpfl Pixera Two Media Server Websocket API code injection</a><br>
    <a href="https://vuldb.com/vuln/360872/cti" target="_blank" rel="noopener">VDB-360872 | CTI Indicators (IOB, IOC, TTP)</a><br>
    <a href="https://vuldb.com/submit/805274" target="_blank" rel="noopener">Submit #805274 | AV Stumpfl Pixera Two Media Server &lt; 25.2 R3 Remote Code Execution</a><br>
    <a href="https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608" target="_blank" rel="noopener">https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608</a><br>
    <a href="https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog" target="_blank" rel="noopener">https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">YunaiV--yudao-cloud</td>
    <td>A security flaw has been discovered in YunaiV yudao-cloud up to 3.8.0 in the function doFilterInternal of the file JwtAuthenticationTokenFilter.java of the component Ruoyi-Vue-Pro. Manipulation of the argument mock-token leads to improper authentication. The attack can be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7710" target="_blank" rel="noopener">CVE-2026-7710</a></td>
    <td><a href="https://vuldb.com/vuln/360886" target="_blank" rel="noopener">VDB-360886 | YunaiV yudao-cloud Ruoyi-Vue-Pro JwtAuthenticationTokenFilter.java doFilterInternal improper authentication</a><br>
    <a href="https://vuldb.com/vuln/360886/cti" target="_blank" rel="noopener">VDB-360886 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/806493" target="_blank" rel="noopener">Submit #806493 | YunaiV yudao-cloud up to 2026.01 Authentication Bypass by Primary Weakness</a><br>
    <a href="https://github.com/9str0IL/CVE/issues/5" target="_blank" rel="noopener">https://github.com/9str0IL/CVE/issues/5</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--MindsDB</td>
    <td>A weakness has been identified in MindsDB up to 26.01 in the function exec of the file mindsdb/integrations/handlers/byom_handler/proc_wrapper.py of the component Engine Handler. Manipulation leads to an unrestricted upload. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>7.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7711" target="_blank" rel="noopener">CVE-2026-7711</a></td>
    <td><a href="https://vuldb.com/vuln/360887" target="_blank" rel="noopener">VDB-360887 | MindsDB Engine proc_wrapper.py exec unrestricted upload</a><br>
    <a href="https://vuldb.com/vuln/360887/cti" target="_blank" rel="noopener">VDB-360887 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/806822" target="_blank" rel="noopener">Submit #806822 | mindsdb &lt;=26.01 Remote Code Execution</a><br>
    <a href="https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md" target="_blank" rel="noopener">https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_BYOM_RCE.md</a><br>&nbsp;</td>
    </tr>
    </tbody>
    </table>
    <p><a href="#top">Back to top</a></p>
    </div>
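    <p>Three of the high-severity rows above are SQL injection through an ID-list parameter (Jinher OA via DeptIDList, both Acrel products via fCircuitids) and one is OS command injection through a scheduling value (Tiandy Easy7 via week). Both are the same mistake: a request parameter spliced into a string that is then parsed by another interpreter. The following is an added example written for this bulletin; it is not code from any of those vendors or from the linked advisories. It uses a constructed SQLite table named circuit with a hypothetical secret column, a constructed comma-separated ID list, a hypothetical week value with an assumed range of 1 to 53, and constructed payloads. Beyond what the rows state, it also shows why the usual quote-escaping filter gives no protection in a numeric IN (...) context, and what the bound-placeholder and argv forms look like.</p>

```python
"""
Added example (editor's code, not from any vendor or advisory in this
bulletin): the two injection patterns behind the rows above, each in its
vulnerable form beside the fixed form.

Everything here is hypothetical: the `circuit` table with a `secret`
column, the comma-separated ID-list parameter, the `week` scheduling
value and its 1..53 range are assumptions made for the demonstration.
"""
import re
import sqlite3
import subprocess

SQL_PAYLOAD = "1) UNION SELECT id, secret FROM circuit --"   # constructed
SHELL_PAYLOAD = "1; echo INJECTED"                            # constructed


def make_db() -> sqlite3.Connection:
    """Constructed sample data; 'secret' stands in for any column a caller
    must not be able to reach through an ID filter."""
    con = sqlite3.connect(":memory:")
    con.executescript(
        """
        CREATE TABLE circuit(id INTEGER PRIMARY KEY, name TEXT, secret TEXT);
        INSERT INTO circuit VALUES (1, 'feeder-A', 's3cr3t-A');
        INSERT INTO circuit VALUES (2, 'feeder-B', 's3cr3t-B');
        INSERT INTO circuit VALUES (3, 'feeder-C', 's3cr3t-C');
        """
    )
    return con


def vulnerable_lookup(con: sqlite3.Connection, id_list: str) -> list:
    """The anti-pattern: the raw ID-list parameter is spliced into IN (...)
    because a list is awkward to bind. The parameter becomes SQL text, and
    since the context is numeric no quote character is needed to break out."""
    sql = f"SELECT id, name FROM circuit WHERE id IN ({id_list})"
    return con.execute(sql).fetchall()


def quote_escaped_lookup(con: sqlite3.Connection, id_list: str) -> list:
    """Same splice with the usual 'double the single quotes' filter in front.
    It changes nothing in a numeric context: the payload contains no quote."""
    escaped = id_list.replace("'", "''")
    sql = f"SELECT id, name FROM circuit WHERE id IN ({escaped})"
    return con.execute(sql).fetchall()


_INT_RE = re.compile(r"^\d{1,9}$")


def hardened_lookup(con: sqlite3.Connection, id_list: str) -> list:
    """Parse the list yourself, accept only small integers, then bind one
    placeholder per value. The parameter never becomes SQL text."""
    ids = [s.strip() for s in id_list.split(",") if s.strip()]
    if not ids or not all(_INT_RE.match(s) for s in ids):
        raise ValueError("id list must be comma-separated integers")
    placeholders = ",".join("?" * len(ids))
    sql = f"SELECT id, name FROM circuit WHERE id IN ({placeholders}) ORDER BY id"
    return con.execute(sql, [int(s) for s in ids]).fetchall()


def vulnerable_schedule(week: str) -> str:
    """The anti-pattern behind 'OS command injection via argument week': the
    value is pasted into a string handed to /bin/sh, so a ';' in the value
    starts a second command. Returns what the shell printed."""
    cmd = f"echo backup scheduled for week {week}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def hardened_schedule(week: str) -> list:
    """Validate the value as the integer it is meant to be and pass it as a
    single argv element; no shell parses it. Returns the argv that was run."""
    week = week.strip()
    if not _INT_RE.match(week) or not 1 <= int(week) <= 53:
        raise ValueError("week must be an integer in 1..53")
    argv = ["echo", "backup scheduled for week", str(int(week))]
    subprocess.run(argv, check=True, capture_output=True)
    return argv


if __name__ == "__main__":
    db = make_db()
    print("benign  :", vulnerable_lookup(db, "1,3"))
    print("injected:", vulnerable_lookup(db, SQL_PAYLOAD))
    print("escaped :", quote_escaped_lookup(db, SQL_PAYLOAD))
    try:
        hardened_lookup(db, SQL_PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
    print("shell   :", vulnerable_schedule(SHELL_PAYLOAD).strip())
    try:
        hardened_schedule(SHELL_PAYLOAD)
    except ValueError as exc:
        print("hardened:", exc)
```

    <p>The injected query returns every row's secret column alongside the one requested ID, with or without the quote filter; the hardened lookup rejects the payload before any SQL is built. The same holds for the shell case: with shell=True the second command runs, while the argv form validates the integer and hands it to the program without a shell in between.</p>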
    <div id=3D"medium_v">
    <h2 id=3D"medium_v_title">Medium Vulnerabilities</h2>
    <table class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="Medium Vulnerabilities">
    <thead>
    <tr>
    <th class="vendor-product" style="width: 24%;" scope="col">
    <span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
    <th style="width: 44%;" scope="col">Description</th>
    <th style="width: 10%;" scope="col">Published</th>
    <th style="width: 8%;" scope="col">CVSS Score</th>
    <th style="width: 7%;" scope="col">Source Info</th>
    <th style="width: 7%;" scope="col">Patch Info</th>
    </tr>
    </thead>
    <tbody>

    <tr>
    <td class="vendor-product">xenial--RSVG</td>
    <td>librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image compositor.</td>
    <td>2026-04-29</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25305" target="_blank" rel="noopener">CVE-2018-25305</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44491" target="_blank" rel="noopener">ExploitDB-44491</a><br>
    <a href="https://www.vulncheck.com/advisories/librsvg2-bin-buffer-overflow-via-malformed-svg" target="_blank" rel="noopener">VulnCheck Advisory: librsvg2-bin 2.40.13 Buffer Overflow via Malformed SVG</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">poppler-utils--PDFunite</td>
    <td>PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a specially crafted PDF file to the pdfunite utility.</td>
    <td>2026-04-29</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25306" target="_blank" rel="noopener">CVE-2018-25306</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44490" target="_blank" rel="noopener">ExploitDB-44490</a><br>
    <a href="https://launchpad.net/ubuntu/artful/+package/poppler-utils" target="_blank" rel="noopener">Official Product Homepage</a><br>
    <a href="https://launchpad.net/ubuntu/+source/poppler/0.57.0-2ubuntu4.2" target="_blank" rel="noopener">Product Reference</a><br>
    <a href="https://www.vulncheck.com/advisories/pdfunite-buffer-overflow-via-malformed-pdf" target="_blank" rel="noopener">VulnCheck Advisory: PDFunite 0.41.0 Buffer Overflow via Malformed PDF</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">VideoFlow Ltd.--VideoFlow Digital Video Protection</td>
    <td>VideoFlow Digital Video Protection DVP 2.10 contains an authenticated directory traversal vulnerability that allows authenticated attackers to disclose arbitrary files by injecting path traversal sequences in the ID parameter. Attackers can submit requests to downloadsys.pl, download_xml.pl, download.pl, downloadmib.pl, or downloadFile.pl with directory traversal payloads to read sensitive system files like /etc/passwd.</td>
    <td>2026-04-29</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25311" target="_blank" rel="noopener">CVE-2018-25311</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44386" target="_blank" rel="noopener">ExploitDB-44386</a><br>
    <a href="https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5454.php" target="_blank" rel="noopener">Vulnerability Advisory</a><br>
    <a href="https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-directory-traversal-x-prototype-version" target="_blank" rel="noopener">VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Directory Traversal 2.10 (X-Prototype-Version: 1.6.0.2)</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">LifeSize--ClearSea</td>
    <td>LifeSize ClearSea 3.1.4 contains directory traversal vulnerabilities that allow authenticated attackers to download and upload arbitrary files by manipulating path parameters in the smartgui interface. Attackers can exploit the upload endpoint with directory traversal sequences to write files to arbitrary locations on the system, enabling remote code execution.</td>
    <td>2026-04-29</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25312" target="_blank" rel="noopener">CVE-2018-25312</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44390" target="_blank" rel="noopener">ExploitDB-44390</a><br>
    <a href="https://www.vulncheck.com/advisories/lifesize-clearsea-directory-traversal-remote-code-execution" target="_blank" rel="noopener">VulnCheck Advisory: LifeSize ClearSea 3.1.4 Directory Traversal Remote Code Execution</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Sysgauge--SysGauge</td>
    <td>SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu to crash the application.</td>
    <td>2026-04-29</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25313" target="_blank" rel="noopener">CVE-2018-25313</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44372" target="_blank" rel="noopener">ExploitDB-44372</a><br>
    <a href="https://www.vulncheck.com/advisories/sysgauge-local-denial-of-service-via-proxy-configuration" target="_blank" rel="noopener">VulnCheck Advisory: SysGauge 4.5.18 Local Denial of Service via Proxy Configuration</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">sebet--Go Fetch Jobs (for WP Job Manager)</td>
    <td>Multiple plugins and/or themes for WordPress are vulnerable to Reflected Cross-Site Scripting via the url parameter in various versions due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that execute if they can successfully trick a user into performing an action such as clicking on a link.</td>
    <td>2026-05-01</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-13362" target="_blank" rel="noopener">CVE-2024-13362</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/d694491c-c0f5-4418-805a-db792ea4f712?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/tablepress/trunk/libraries/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/widgets-on-pages/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/menu-image/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/simply-gallery-block/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/foobox-image-lightbox/tags/2.7.33/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/featured-images-for-rss-feeds/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wpide/tags/3.5.0/dist/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/add-search-to-menu/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/master-addons/trunk/lib/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/foogallery/tags/2.4.27/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/ocean-extra/trunk/includes/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/internal-links/trunk/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/interactive-geo-maps/tags/1.6.21/vendor/freemius/wordpress-sdk/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/independent-analytics/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/spotlight-social-photo-feeds/trunk/ui/freemius-pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/woo-permalink-manager/tags/2.3.11/assets/admin/js/pricing-page/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/pdf-poster/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/wp-meta-and-date-remover/tags/2.3.4/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/unlimited-elements-for-elementor/trunk/provider/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/shortcodes-ultimate/trunk/freemius/assets/js/pricing/freemius-pricing.js</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3235286/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3235286/</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3249130/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3249130/</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3229060/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3229060/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">WSO2--WSO2 Identity Server</td>
    <td>The authentication endpoint accepts user-supplied input without enforcing expected validation constraints, leading to a lack of proper output encoding. This allows for the injection of malicious JavaScript payloads, enabling reflected cross-site scripting. An attacker can leverage this vulnerability to redirect the user's browser to a malicious website, modify the user interface of the web page, retrieve information from the browser, or cause other harmful actions. However, due to the protection of session-related cookies with the httpOnly flag, session hijacking is not possible.</td>
    <td>2026-04-29</td>
    <td>6.1</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-10503" target="_blank" rel="noopener">CVE-2025-10503</a></td>
    <td><a href="https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/" target="_blank" rel="noopener">https://security.docs.wso2.com/en/latest/security-announcements/security-advisories/2026/WSO2-2025-4577/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">trustindex--Widgets for Social Photo Feed</td>
    <td>The Widgets for Social Photo Feed plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a missing capability check on the '/trustindex_feed_hook_instagram/troubleshooting' and '/trustindex_feed_hook_instagram/submit-data' REST API endpoints in all versions up to, and including, 1.8. This makes it possible for unauthenticated attackers to access and update plugin settings.</td>
    <td>2026-05-02</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14726" target="_blank" rel="noopener">CVE-2025-14726</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/ab15fa8b-4072-435a-8a1c-ca6fd964a260?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3513612/social-photo-feed-widget</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Db2</td>
    <td>IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes DB2 Connect Server) could allow an authenticated user to cause a denial of service using a specially crafted SQL query due to improper allocation of system resources.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-36122" target="_blank" rel="noopener">CVE-2025-36122</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7267642" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7267642</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--watsonx.data intelligence</td>
    <td>IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.</td>
    <td>2026-04-30</td>
    <td>6.2</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-36335" target="_blank" rel="noopener">CVE-2025-36335</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7270923" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7270923</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">xlplugins--NextMove Lite Thank You Page for WooCommerce</td>
    <td>The NextMove Lite - Thank You Page for WooCommerce plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'xlwcty_current_date' shortcode in all versions up to, and including, 2.23.0 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.</td>
    <td>2026-05-02</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0703" target="_blank" rel="noopener">CVE-2026-0703</a></td>
    <td><a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/a8eab201-04a5-43df-bb9b-2964c50a1833?source=cve</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L79</a><br>
    <a href="https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/woo-thank-you-page-nextmove-lite/tags/2.23.0/merge-tags/xlwcty-shortcode-merge-tags.php#L87</a><br>
    <a href="https://plugins.trac.wordpress.org/changeset/3482613/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3482613/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Zyxel--DX3300-T0 firmware</td>
    <td>A post-authentication command injection vulnerability in the EasyMesh-related APIs of Zyxel DX3300-T0 firmware versions through 5.50(ABVY.7.1)C0 could allow an authenticated, adjacent attacker with administrator privileges to execute OS commands on an affected device.</td>
    <td>2026-04-28</td>
    <td>6.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0711" target="_blank" rel="noopener">CVE-2026-0711</a></td>
    <td><a href="https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026" target="_blank" rel="noopener">https://www.zyxel.com/global/en/support/security-advisories/zyxel-security-advisory-for-command-injection-vulnerabilities-in-certain-4g-lte-5g-nr-cpe-dsl-ethernet-cpe-fiber-onts-and-wireless-extenders-04-28-2026</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Db2</td>
    <td>IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1577" target="_blank" rel="noopener">CVE-2026-1577</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7269434" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7269434</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dell--Alienware Command Center (AWCC)</td>
    <td>Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain an Execution with Unnecessary Privileges vulnerability in the AWCC. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.</td>
    <td>2026-04-27</td>
    <td>6.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-25908" target="_blank" rel="noopener">CVE-2026-25908</a></td>
    <td><a href="https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities" target="_blank" rel="noopener">https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">wazuh--wazuh</td>
    <td>Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 4.0.0 to before version 4.14.4, Wazuh's server API brute-force protection for POST /security/user/authenticate can be bypassed by sending concurrent authentication requests. Although the configured threshold (max_login_attempts, default 50) is enforced correctly for sequential requests, a parallel burst allows significantly more failed login attempts to be processed before the IP block is applied. This enables an attacker to perform more password guesses than the configured policy intends (e.g., 100 attempts processed where 50 should be allowed). This issue has been patched in version 4.14.4.</td>
    <td>2026-04-29</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-26206" target="_blank" rel="noopener">CVE-2026-26206</a></td>
    <td><a href="https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58" target="_blank" rel="noopener">https://github.com/wazuh/wazuh/security/advisories/GHSA-m2mr-xhhv-jx58</a><br>
    <a href="https://github.com/wazuh/wazuh/releases/tag/v4.14.4" target="_blank" rel="noopener">https://github.com/wazuh/wazuh/releases/tag/v4.14.4</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dell--Dell/Alienware Purchased Apps</td>
    <td>Dell/Alienware Purchased Apps, versions prior to 1.1.31.0, contain an Improper Link Resolution Before File Access ('Link Following') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Arbitrary File Write.</td>
    <td>2026-04-29</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-27105" target="_blank" rel="noopener">CVE-2026-27105</a></td>
    <td><a href="https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability" target="_blank" rel="noopener">https://www.dell.com/support/kbdoc/en-us/000438321/dsa-2026-131-security-update-for-dell-alienware-purchased-apps-for-an-improper-link-resolution-before-file-access-vulnerability</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Milesight--MS-Cxx63-PD</td>
    <td>A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras.</td>
    <td>2026-04-27</td>
    <td>6.8</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32649" target="_blank" rel="noopener">CVE-2026-32649</a></td>
    <td><a href="https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03" target="_blank" rel="noopener">https://www.cisa.gov/news-events/ics-advisories/icsa-26-113-03</a><br>
    <a href="https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json" target="_blank" rel="noopener">https://github.com/cisagov/CSAF/blob/develop/csaf_files/OT/white/2026/icsa-26-113-03.json</a><br>
    <a href="https://www.milesight.com/support/download/firmware" target="_blank" rel="noopener">https://www.milesight.com/support/download/firmware</a></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Langflow Desktop</td>
    <td>IBM Langflow Desktop 1.0.0 through 1.8.4 is vulnerable to server-side request forgery (SSRF). This may allow an authenticated attacker to send unauthorized requests from the system, potentially leading to network enumeration or facilitating other attacks.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3340" target="_blank" rel="noopener">CVE-2026-3340</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7271096" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7271096</a></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Langflow Desktop</td>
    <td>IBM Langflow Desktop &lt;=1.8.4 could allow a remote attacker to traverse directories on the system. An attacker could send a specially crafted URL request containing "dot dot" sequences (/../) to view arbitrary files on the system.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3345" target="_blank" rel="noopener">CVE-2026-3345</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7271094" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7271094</a></td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Langflow Desktop</td>
    <td>IBM Langflow Desktop 1.6.0 through 1.8.4 is vulnerable to stored cross-site scripting. This vulnerability allows an authenticated user to embed arbitrary JavaScript code in the Web UI, thus altering the intended functionality and potentially leading to credentials disclosure within a trusted session.</td>
    <td>2026-04-30</td>
    <td>6.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3346" target="_blank" rel="noopener">CVE-2026-3346</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7271095" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7271095</a></td>
    </tr>

    <tr>
    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, the endpoint POST /user/invited does not validate any invite token, authentication header, or session. Any unauthenticated attacker can call this endpoint directly to create a fully active account and receive a valid JWT - even when the instance has existing users and signupRestricted is enabled. This bypass is distinct from the normal registration endpoint (POST /user) which enforces signupRestricted and sets active: false pending verification. This issue has been patched in version 5.0.0.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35514" target="_blank" rel="noopener">CVE-2026-35514</a></td>
    <td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-g47g-v5cp-j8hp</a><br>
    <a href="https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--V2Board v1.7.4</td>
    <td>Cross-Site Scripting (XSS) in V2Board through 1.7.4. The custom_html field in theme configuration is rendered using Blade unescaped output in public/theme/v2board/dashboard.blade.php. An admin can inject arbitrary JavaScript via the saveThemeConfig API. All site visitors execute the payload, enabling cookie theft, session hijacking, or phishing.</td>
    <td>2026-05-01</td>
    <td>6.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37503" target="_blank" rel="noopener">CVE-2026-37503</a></td>
    <td><a href="https://github.com/v2board/v2board" target="_blank" rel="noopener">https://github.com/v2board/v2board</a><br>
    <a href="https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9" target="_blank" rel="noopener">https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9</a></td>
    </tr>

    <tr>
    <td class="vendor-product">redhat[.]com--gnutls</td>
    <td>A flaw was found in gnutls. This vulnerability occurs because gnutls performs case-sensitive comparisons of `nameConstraints` labels, specifically for `dNSName` (DNS) or `rfc822Name` (email) constraints within `excludedSubtrees` or `permittedSubtrees`. A remote attacker can exploit this by crafting a leaf certificate with casing differences in the Subject Alternative Name (SAN), leading to a policy bypass where a certificate that should be rejected is instead accepted. This could result in unauthorized access or information disclosure.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3833" target="_blank" rel="noopener">CVE-2026-3833</a></td>
    <td><a href="https://access.redhat.com/errata/RHSA-2026:13274" target="_blank" rel="noopener">RHSA-2026:13274</a><br>
    <a href="https://access.redhat.com/security/cve/CVE-2026-3833" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-3833</a><br>
    <a href="https://bugzilla.redhat.com/show_bug.cgi?id=2445763" target="_blank" rel="noopener">RHBZ#2445763</a><br>
    <a href="https://gitlab.com/gnutls/gnutls/-/issues/1803" target="_blank" rel="noopener">https://gitlab.com/gnutls/gnutls/-/issues/1803</a></td>
    </tr>

    <tr>
    <td class="vendor-product">chartbrew--chartbrew</td>
    <td>Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. In version 4.9.0, Chartbrew exposes a legacy dashboard route that returns a project's report data to any authenticated member of the same team, even when that user does not have access to the specific project. The route bypasses project-level authorization and returns the raw project object. As a result, a low-privileged same-team user can read another project's dashboard data and recover the project's stored report password from the response. This issue has been patched in version 5.0.0.</td>
    <td>2026-04-30</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40603" target="_blank" rel="noopener">CVE-2026-40603</a></td>
    <td><a href="https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/security/advisories/GHSA-6qr3-g75h-xm3f</a><br>
    <a href="https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0" target="_blank" rel="noopener">https://github.com/chartbrew/chartbrew/releases/tag/v5.0.0</a></td>
    </tr>

    <tr>
    <td class="vendor-product">nextlevelbuilder--ui-ux-pro-max-skill</td>
    <td>A flaw has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this vulnerability is the function _format_plugins of the file .claude/skills/ui-styling/scripts/tailwind_config_gen.py of the component Tailwind Config Generator. This manipulation causes code injection. The attack can be carried out remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.</td>
    <td>2026-05-01</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7595" target="_blank" rel="noopener">CVE-2026-7595</a></td>
    <td><a href="https://vuldb.com/vuln/360548" target="_blank" rel="noopener">VDB-360548 | nextlevelbuilder ui-ux-pro-max-skill Tailwind Config Generator tailwind_config_gen.py _format_plugins code injection</a><br>
    <a href="https://vuldb.com/vuln/360548/cti" target="_blank" rel="noopener">VDB-360548 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/805509" target="_blank" rel="noopener">Submit #805509 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Tailwind Config Generator Code Injection Leading to RCE</a><br>
    <a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/246</a><br>
    <a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/275</a><br>
    <a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">mem0ai--mem0</td>
    <td>A vulnerability was found in mem0ai mem0 up to 1.0.11. This affects the function pickle.load/pickle.dump of the file mem0/vector_stores/faiss.py. Performing a manipulation results in unsafe deserialization. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The patch is named 62dca096f9236010ca15fea9ba369ba740b86b7a. Applying a patch is the recommended action to fix this issue.</td>
    <td>2026-05-01</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7597" target="_blank" rel="noopener">CVE-2026-7597</a></td>
    <td><a href="https://vuldb.com/vuln/360550" target="_blank" rel="noopener">VDB-360550 | mem0ai mem0 faiss.py pickle.dump deserialization</a><br>
    <a href="https://vuldb.com/vuln/360550/cti" target="_blank" rel="noopener">VDB-360550 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/805562" target="_blank" rel="noopener">Submit #805562 | Mem0 &lt;= v1.0.11 Unsafe Deserialization</a><br>
    <a href="https://github.com/mem0ai/mem0/issues/3778" target="_blank" rel="noopener">https://github.com/mem0ai/mem0/issues/3778</a><br>
    <a href="https://github.com/mem0ai/mem0/pull/4833" target="_blank" rel="noopener">https://github.com/mem0ai/mem0/pull/4833</a><br>
    <a href="https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a" target="_blank" rel="noopener">https://github.com/mem0ai/mem0/commit/62dca096f9236010ca15fea9ba369ba740b86b7a</a><br>
    <a href="https://github.com/mem0ai/mem0/" target="_blank" rel="noopener">https://github.com/mem0ai/mem0/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Dayoooun--hwpx-mcp</td>
    <td>A vulnerability was detected in Dayoooun hwpx-mcp 0.2.0. This affects the function save_document/export_to_text/export_to_html of the file mcp-server/src/index.ts of the component MCP Interface. Performing a manipulation of the argument output_path results in path traversal. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-01</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7599" target="_blank" rel="noopener">CVE-2026-7599</a></td>
    <td><a href="https://vuldb.com/vuln/360556" target="_blank" rel="noopener">VDB-360556 | Dayoooun hwpx-mcp MCP index.ts export_to_html path traversal</a><br>
    <a href="https://vuldb.com/vuln/360556/cti" target="_blank" rel="noopener">VDB-360556 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/805608" target="_blank" rel="noopener">Submit #805608 | Dayoooun hwpx-mcp Commit 87850fd67f0488d79fcbf061a29938cae914a15d Path Traversal</a><br>
    <a href="https://github.com/Dayoooun/hwpx-mcp/issues/3" target="_blank" rel="noopener">https://github.com/Dayoooun/hwpx-mcp/issues/3</a><br>
    <a href="https://github.com/BruceJqs/public_exp/issues/28" target="_blank" rel="noopener">https://github.com/BruceJqs/public_exp/issues/28</a><br>
    <a href="https://github.com/Dayoooun/hwpx-mcp/" target="_blank" rel="noopener">https://github.com/Dayoooun/hwpx-mcp/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">ArtMin96--yii2-mcp-server</td>
    <td>A flaw has been found in ArtMin96 yii2-mcp-server 1.0.2. This impacts the function yii_command_help/yii_execute_command of the file src/index.ts of the component MCP Interface. Executing a manipulation can lead to os command injection. The attack can be executed remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7600" target="_blank" rel="noopener">CVE-2026-7600</a></td>
    <td><a href="https://vuldb.com/vuln/360557" target="_blank" rel="noopener">VDB-360557 | ArtMin96 yii2-mcp-server MCP index.ts yii_execute_command os command injection</a><br>
    <a href="https://vuldb.com/vuln/360557/cti" target="_blank" rel="noopener">VDB-360557 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/805613" target="_blank" rel="noopener">Submit #805613 | ArtMin96 yii2-mcp-server 1.0.2 Command Injection</a><br>
    <a href="https://github.com/ArtMin96/yii2-mcp-server/issues/3" target="_blank" rel="noopener">https://github.com/ArtMin96/yii2-mcp-server/issues/3</a><br>
    <a href="https://github.com/BruceJqs/public_exp/issues/29" target="_blank" rel="noopener">https://github.com/BruceJqs/public_exp/issues/29</a><br>
    <a href="https://github.com/ArtMin96/yii2-mcp-server/" target="_blank" rel="noopener">https://github.com/ArtMin96/yii2-mcp-server/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeecgBoot</td>
    <td>A vulnerability was found in JeecgBoot up to 3.9.1. Affected by this vulnerability is an unknown functionality of the file /sys/fillRule/edit of the component FillRuleUtil Component. The manipulation of the argument ruleClass results in improper authorization. The attack may be performed remotely. The exploit has been made public and could be used. You should upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7602" target="_blank" rel="noopener">CVE-2026-7602</a></td>
    <td><a href="https://vuldb.com/vuln/360559" target="_blank" rel="noopener">VDB-360559 | JeecgBoot FillRuleUtil edit improper authorization</a><br>
    <a href="https://vuldb.com/vuln/360559/cti" target="_blank" rel="noopener">VDB-360559 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/805706" target="_blank" rel="noopener">Submit #805706 | jeecgboot JeecgBoot &lt;= v3.9.1 Remote Code Execution</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9552" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9552</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9552#issuecomment-4251391314</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeecgBoot</td>
    <td>A vulnerability was determined in JeecgBoot up to 3.9.1. Affected by this issue is the function checkPathTraversalBatch of the file FileDownloadUtils.jav of the component LoadFile Endpoint. This manipulation of the argument files causes server-side request forgery. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The affected component should be upgraded. The vendor confirmed the issue and will provide a fix in the upcoming release.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7603" target="_blank" rel="noopener">CVE-2026-7603</a></td>
    <td><a href="https://vuldb.com/vuln/360560" target="_blank" rel="noopener">VDB-360560 | JeecgBoot LoadFile Endpoint FileDownloadUtils.jav checkPathTraversalBatch server-side request forgery</a><br>
    <a href="https://vuldb.com/vuln/360560/cti" target="_blank" rel="noopener">VDB-360560 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/805707" target="_blank" rel="noopener">Submit #805707 | jeecgboot JeecgBoot &lt;= v3.9.1 SSRF</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9553" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9553</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9553#issuecomment-4251745014</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeecgBoot</td>
    <td>A vulnerability was identified in JeecgBoot up to 3.9.1. This affects the function OpenApiController.add/OpenApiController.call of the file OpenApiController.java of the component OpenApi Service. Such manipulation of the argument originUrl database leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is suggested to upgrade the affected component. The vendor confirmed the issue and will provide a fix in the upcoming release.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7604" target="_blank" rel="noopener">CVE-2026-7604</a></td>
    <td><a href="https://vuldb.com/vuln/360561" target="_blank" rel="noopener">VDB-360561 | JeecgBoot OpenApi Service OpenApiController.java OpenApiController.call server-side request forgery</a><br>
    <a href="https://vuldb.com/vuln/360561/cti" target="_blank" rel="noopener">VDB-360561 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/805708" target="_blank" rel="noopener">Submit #805708 | jeecgboot JeecgBoot &lt;= v3.9.1 SSRF</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9554" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9554</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9554#issuecomment-4251574151</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeecgBoot</td>
    <td>A security flaw has been discovered in JeecgBoot up to 3.9.1. This vulnerability affects the function CommonController.uploadImgByHttp/HttpFileToMultipartFileUtil.httpFileToMultipartFile/HttpFileToMultipartFileUtil.downloadImageData of the file CommonController.java of the component uploadImgByHttpEndpoint. Performing a manipulation results in server-side request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Upgrading the affected component is recommended. The vendor confirmed the issue and will provide a fix in the upcoming release.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7605" target="_blank" rel="noopener">CVE-2026-7605</a></td>
    <td><a href="https://vuldb.com/vuln/360562" target="_blank" rel="noopener">VDB-360562 | JeecgBoot uploadImgByHttpEndpoint CommonController.java HttpFileToMultipartFileUtil.downloadImageData server-side request forgery</a><br>
    <a href="https://vuldb.com/vuln/360562/cti" target="_blank" rel="noopener">VDB-360562 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/805709" target="_blank" rel="noopener">Submit #805709 | jeecgboot JeecgBoot &lt;= v3.9.1 SSRF</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9555" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9555</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/issues/9555#issuecomment-4251745271</a><br>
    <a href="https://github.com/jeecgboot/JeecgBoot/" target="_blank" rel="noopener">https://github.com/jeecgboot/JeecgBoot/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">TRENDnet--TEW-821DAP</td>
    <td>A flaw has been found in TRENDnet TEW-821DAP up to 1.12B01. The impacted element is the function tools_diagnostic of the file /tmp/diagnostic of the component Firmware Update. This manipulation causes os command injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7609" target="_blank" rel="noopener">CVE-2026-7609</a></td>
    <td><a href="https://vuldb.com/vuln/360566" target="_blank" rel="noopener">VDB-360566 | TRENDnet TEW-821DAP Firmware Udpate diagnostic tools_diagnostic os command injection</a><br>
    <a href="https://vuldb.com/vuln/360566/cti" target="_blank" rel="noopener">VDB-360566 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/806216" target="_blank" rel="noopener">Submit #806216 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an O</a><br>
    <a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI2.md</a></td>
    </tr>

    <tr>
    <td class="vendor-product">8nite--metatrader-4-mcp</td>
    <td>A security vulnerability has been detected in 8nite metatrader-4-mcp 1.0.0. This vulnerability affects the function CallToolRequestSchema of the file src/index.ts of the component sync_ea_from_file. Such manipulation of the argument ea_name leads to path traversal. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7627" target="_blank" rel="noopener">CVE-2026-7627</a></td>
    <td><a href="https://vuldb.com/vuln/360573" target="_blank" rel="noopener">VDB-360573 | 8nite metatrader-4-mcp sync_ea_from_file index.ts CallToolRequestSchema path traversal</a><br>
    <a href="https://vuldb.com/vuln/360573/cti" target="_blank" rel="noopener">VDB-360573 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/806286" target="_blank" rel="noopener">Submit #806286 | 8nite metatrader-4-mcp 1.0.0 Path Traversal</a><br>
    <a href="https://github.com/8nite/metatrader-4-mcp/issues/1" target="_blank" rel="noopener">https://github.com/8nite/metatrader-4-mcp/issues/1</a><br>
    <a href="https://github.com/8nite/metatrader-4-mcp/" target="_blank" rel="noopener">https://github.com/8nite/metatrader-4-mcp/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">crazyrabbitLTC--mcp-code-review-server</td>
    <td>A vulnerability was detected in crazyrabbitLTC mcp-code-review-server up to 0.1.0. This issue affects the function executeRepomix of the file src/repomix.ts of the component RepoMix Command Handler. Performing a manipulation results in command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7628" target="_blank" rel="noopener">CVE-2026-7628</a></td>
    <td><a href="https://vuldb.com/vuln/360574" target="_blank" rel="noopener">VDB-360574 | crazyrabbitLTC mcp-code-review-server RepoMix repomix.ts executeRepomix command injection</a><br>
    <a href="https://vuldb.com/vuln/360574/cti" target="_blank" rel="noopener">VDB-360574 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/806469" target="_blank" rel="noopener">Submit #806469 | crazyrabbitLTC mcp-code-review-server &lt;=0.1.0 Command Injection</a><br>
    <a href="https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4" target="_blank" rel="noopener">https://github.com/crazyrabbitLTC/mcp-code-review-server/issues/4</a><br>
    <a href="https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5" target="_blank" rel="noopener">https://github.com/crazyrabbitLTC/mcp-code-review-server/pull/5</a><br>
    <a href="https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf" target="_blank" rel="noopener">https://github.com/user-attachments/files/26018245/mcp-code-review-server_bug.pdf</a><br>
    <a href="https://github.com/crazyrabbitLTC/mcp-code-review-server/" target="_blank" rel="noopener">https://github.com/crazyrabbitLTC/mcp-code-review-server/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">kleneway--awesome-cursor-mpc-server</td>
    <td>A flaw has been found in kleneway awesome-cursor-mpc-server up to 2.0.1. Impacted is the function runCodeReviewTool of the file src/tools/codeReview.ts of the component Code-Review Tool. Executing a manipulation can lead to command injection. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through a pull request but has not reacted yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7629" target="_blank" rel="noopener">CVE-2026-7629</a></td>
    <td><a href="https://vuldb.com/vuln/360575" target="_blank" rel="noopener">VDB-360575 | kleneway awesome-cursor-mpc-server Ccode-Review Tool codeReview.ts runCodeReviewTool command injection</a><br>
    <a href="https://vuldb.com/vuln/360575/cti" target="_blank" rel="noopener">VDB-360575 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br>
    <a href="https://vuldb.com/submit/806470" target="_blank" rel="noopener">Submit #806470 | kleneway awesome-cursor-mpc-server &lt;=2.0.1 Command Injection</a><br>
    <a href="https://github.com/kleneway/awesome-cursor-mpc-server/issues/6" target="_blank" rel="noopener">https://github.com/kleneway/awesome-cursor-mpc-server/issues/6</a><br>
    <a href="https://github.com/kleneway/awesome-cursor-mpc-server/pull/14" target="_blank" rel="noopener">https://github.com/kleneway/awesome-cursor-mpc-server/pull/14</a><br>
    <a href="https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf" target="_blank" rel="noopener">https://github.com/user-attachments/files/26019723/awesome-cursor-mpc-server_bug.pdf</a><br>
    <a href="https://github.com/kleneway/awesome-cursor-mpc-server/" target="_blank" rel="noopener">https://github.com/kleneway/awesome-cursor-mpc-server/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Totolink--N300RH</td>
    <td>A vulnerability was identified in Totolink N300RH 6.1c.1353_B20190305. This impacts the function setUploadSetting of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument FileName leads to file inclusion. The attack may be performed remotely. The exploit is publicly available and might be used.</td>
    <td>2026-05-02</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7633" target="_blank" rel="noopener">CVE-2026-7633</a></td>
    <td><a href="https://vuldb.com/vuln/360579" target="_blank" rel="noopener">VDB-360579 | Totolink N300RH cstecgi.cgi setUploadSetting file inclusion</a><br>
    <a href="https://vuldb.com/vuln/360579/cti" target="_blank" rel="noopener">VDB-360579 | CTI Indicators (IOB, IOC, IOA)</a><br>
    <a href="https://vuldb.com/submit/806597" target="_blank" rel="noopener">Submit #806597 | TOTOLINK N300RH_V4 V6.1c.1353_B20190305 External Control of System or Configuration Setting</a><br>
    <a href="https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP" target="_blank" rel="noopener">https://github.com/xyh4ck/iot_poc/tree/main/TOTOLINK/N300RHv4/03_setUploadSetting_ECFNP</a><br>
    <a href="https://www.totolink.net/" target="_blank" rel="noopener">https://www.totolink.net/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">pskill9--website-downloader</td>
    <td>A vulnerability was detected in pskill9 website-downloader up to 0.1.0. This affects the function download_website of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument outputPath results in os command injection. The attack may be initiated remotely. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7642" target="_blank" rel="noopener">CVE-2026-7642</a></td>
    <td><a href="https://vuldb.com/vuln/360754" target="_blank" rel="noopener">VDB-360754 | pskill9 website-downloader MCP index.ts download_website os command injection</a><br><a href="https://vuldb.com/vuln/360754/cti" target="_blank" rel="noopener">VDB-360754 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806812" target="_blank" rel="noopener">Submit #806812 | pskill9 website-downloader Commit 5b399bebad1800ac6df5052b63eaea37117092b6 Command Injection</a><br><a href="https://github.com/pskill9/website-downloader/issues/7" target="_blank" rel="noopener">https://github.com/pskill9/website-downloader/issues/7</a><br><a href="https://github.com/BruceJqs/public_exp/issues/31" target="_blank" rel="noopener">https://github.com/BruceJqs/public_exp/issues/31</a><br><a href="https://github.com/pskill9/website-downloader/" target="_blank" rel="noopener">https://github.com/pskill9/website-downloader/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">ruvnet--sublinear-time-solver</td>
    <td>A vulnerability was found in ruvnet sublinear-time-solver 1.5.0. Affected by this vulnerability is the function export_state of the file src/consciousness-explorer/mcp/server.js of the component MCP Interface. The manipulation results in path traversal. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7645" target="_blank" rel="noopener">CVE-2026-7645</a></td>
    <td><a href="https://vuldb.com/vuln/360757" target="_blank" rel="noopener">VDB-360757 | ruvnet sublinear-time-solver MCP server.js export_state path traversal</a><br><a href="https://vuldb.com/vuln/360757/cti" target="_blank" rel="noopener">VDB-360757 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806895" target="_blank" rel="noopener">Submit #806895 | ruvnet sublinear-time-solver / consciousness-explorer sublinear-time-solver 1.5.0, consciousness-explorer 1.1.1, commit 1210646955f33abe5c91f894cc7b04d024f62408 Path Traversal</a><br><a href="https://github.com/ruvnet/sublinear-time-solver/issues/19" target="_blank" rel="noopener">https://github.com/ruvnet/sublinear-time-solver/issues/19</a><br><a href="https://github.com/ruvnet/sublinear-time-solver/" target="_blank" rel="noopener">https://github.com/ruvnet/sublinear-time-solver/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">r-huijts--mcp-server-rijksmuseum</td>
    <td>A security flaw has been discovered in r-huijts mcp-server-rijksmuseum up to 1.0.4. Affected is the function open_image_in_browser of the file src/index.ts of the component MCP Interface. Performing a manipulation of the argument imageUrl results in os command injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.</td>
    <td>2026-05-02</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7653" target="_blank" rel="noopener">CVE-2026-7653</a></td>
    <td><a href="https://vuldb.com/vuln/360778" target="_blank" rel="noopener">VDB-360778 | r-huijts mcp-server-rijksmuseum MCP index.ts open_image_in_browser os command injection</a><br><a href="https://vuldb.com/vuln/360778/cti" target="_blank" rel="noopener">VDB-360778 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806909" target="_blank" rel="noopener">Submit #806909 | r-huijts mcp-server-rijksmuseum 1.0.4 Command Injection</a><br><a href="https://github.com/r-huijts/rijksmuseum-mcp/issues/9" target="_blank" rel="noopener">https://github.com/r-huijts/rijksmuseum-mcp/issues/9</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">youlaitech--youlai-boot</td>
    <td>A security vulnerability has been detected in youlaitech youlai-boot up to 2.21.1. This affects the function getUserList of the file src/main/java/com/youlai/boot/system/controller/UserController.java of the component Users Endpoint. Such manipulation of the argument order leads to sql injection. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7672" target="_blank" rel="noopener">CVE-2026-7672</a></td>
    <td><a href="https://vuldb.com/vuln/360825" target="_blank" rel="noopener">VDB-360825 | youlaitech youlai-boot Users Endpoint UserController.java getUserList sql injection</a><br><a href="https://vuldb.com/vuln/360825/cti" target="_blank" rel="noopener">VDB-360825 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/800658" target="_blank" rel="noopener">Submit #800658 | youlaitech youlai-boot v2.21.1 SQL Injection</a><br><a href="https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink" target="_blank" rel="noopener">https://fx4tqqfvdw4.feishu.cn/docx/EBZLdUqt4ogm4Px7jxuck1RQnHe?from=from_copylink</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">YunaiV--yudao-cloud</td>
    <td>A vulnerability was identified in YunaiV yudao-cloud up to 2026.01. This affects the function getDataBySQL of the file yudao-module-report-biz/src/main/java/io/github/ruoyi/report/service/impl/GoViewDataServiceImpl.java. Such manipulation leads to sql injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7678" target="_blank" rel="noopener">CVE-2026-7678</a></td>
    <td><a href="https://vuldb.com/vuln/360831" target="_blank" rel="noopener">VDB-360831 | YunaiV yudao-cloud GoViewDataServiceImpl.java getDataBySQL sql injection</a><br><a href="https://vuldb.com/vuln/360831/cti" target="_blank" rel="noopener">VDB-360831 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/800865" target="_blank" rel="noopener">Submit #800865 | YunaiV yudao-cloud yudao-cloud up to 2026.01 SQL Injection</a><br><a href="https://github.com/9str0IL/CVE/issues/2" target="_blank" rel="noopener">https://github.com/9str0IL/CVE/issues/2</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">jsbroks--COCO Annotator</td>
    <td>A security vulnerability has been detected in jsbroks COCO Annotator up to 0.11.1. Affected by this vulnerability is an unknown functionality of the file backend/webserver/api/datasets.py of the component Dataset API. The manipulation of the argument DatasetId leads to authorization bypass. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7681" target="_blank" rel="noopener">CVE-2026-7681</a></td>
    <td><a href="https://vuldb.com/vuln/360834" target="_blank" rel="noopener">VDB-360834 | jsbroks COCO Annotator Dataset API datasets.py authorization</a><br><a href="https://vuldb.com/vuln/360834/cti" target="_blank" rel="noopener">VDB-360834 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/801408" target="_blank" rel="noopener">Submit #801408 | jsbroks COCO Annotator 0.11.1 Authorization Bypass</a><br><a href="https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication" target="_blank" rel="noopener">https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Unauthenticated%20Dataset%20Modification%20via%20Missing%20Authentication</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Edimax--BR-6208AC</td>
    <td>A security flaw has been discovered in Edimax BR-6208AC 1.02. The impacted element is the function setWAN of the file /goform/setWAN of the component L2TP Mode. The manipulation of the argument L2TPUserName results in command injection. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7682" target="_blank" rel="noopener">CVE-2026-7682</a></td>
    <td><a href="https://vuldb.com/vuln/360841" target="_blank" rel="noopener">VDB-360841 | Edimax BR-6208AC L2TP Mode setWAN command injection</a><br><a href="https://vuldb.com/vuln/360841/cti" target="_blank" rel="noopener">VDB-360841 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/801572" target="_blank" rel="noopener">Submit #801572 | Edimax BR-6208AC V2_1.02 Command Injection</a><br><a href="https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f" target="_blank" rel="noopener">https://tzh00203.notion.site/Edimax-BR-6208AC-V2-1-02-setWAN-L2TPUserName-Command-Injection-33db5c52018a80c1b3aac6db8927bd0f</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Edimax--BR-6428nC</td>
    <td>A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7683" target="_blank" rel="noopener">CVE-2026-7683</a></td>
    <td><a href="https://vuldb.com/vuln/360842" target="_blank" rel="noopener">VDB-360842 | Edimax BR-6428nC Web setWAN command injection</a><br><a href="https://vuldb.com/vuln/360842/cti" target="_blank" rel="noopener">VDB-360842 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/801597" target="_blank" rel="noopener">Submit #801597 | Edimax BR-6428nC v1.16 v1.16 Command Injection</a><br><a href="https://vuldb.com/submit/801598" target="_blank" rel="noopener">Submit #801598 | Edimax BR-6428nC v1.16 v1.16 Command Injection (Duplicate)</a><br><a href="https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00" target="_blank" rel="noopener">https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pppUserName-Command-Injection-33db5c52018a80dab299ef508e810d00</a><br><a href="https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80" target="_blank" rel="noopener">https://tzh00203.notion.site/Edimax-BR-6428nC-v1-16-setWAN-pptpUserName-Command-Injection-33db5c52018a80949cfbcc2091340c80</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">langflow-ai--langflow</td>
    <td>A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7687" target="_blank" rel="noopener">CVE-2026-7687</a></td>
    <td><a href="https://vuldb.com/vuln/360857" target="_blank" rel="noopener">VDB-360857 | langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection</a><br><a href="https://vuldb.com/vuln/360857/cti" target="_blank" rel="noopener">VDB-360857 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/798731" target="_blank" rel="noopener">Submit #798731 | langflow-ai langflow 1.8.4 Command Injection</a><br><a href="https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb" target="_blank" rel="noopener">https://www.yuque.com/yuqueyonghuqy8yu4/ghuay4/ylrgoyyfrucp8opo?singleDoc=#g4kyb</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Wavlink--WL-WN570HA1</td>
    <td>A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7690" target="_blank" rel="noopener">CVE-2026-7690</a></td>
    <td><a href="https://vuldb.com/vuln/360860" target="_blank" rel="noopener">VDB-360860 | Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection</a><br><a href="https://vuldb.com/vuln/360860/cti" target="_blank" rel="noopener">VDB-360860 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/807805" target="_blank" rel="noopener">Submit #807805 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection</a><br><a href="https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link" target="_blank" rel="noopener">https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_adm-34753a41781f809d8043f0a7a3e07e50?source=copy_link</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Wavlink--WL-WN570HA1</td>
    <td>A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7691" target="_blank" rel="noopener">CVE-2026-7691</a></td>
    <td><a href="https://vuldb.com/vuln/360861" target="_blank" rel="noopener">VDB-360861 | Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection</a><br><a href="https://vuldb.com/vuln/360861/cti" target="_blank" rel="noopener">VDB-360861 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/807806" target="_blank" rel="noopener">Submit #807806 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection</a><br><a href="https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link" target="_blank" rel="noopener">https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-set_sys_cmd-34753a41781f80ab88a1d95d4f798d1f?source=copy_link</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Wavlink--WL-WN570HA1</td>
    <td>A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7692" target="_blank" rel="noopener">CVE-2026-7692</a></td>
    <td><a href="https://vuldb.com/vuln/360862" target="_blank" rel="noopener">VDB-360862 | Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection</a><br><a href="https://vuldb.com/vuln/360862/cti" target="_blank" rel="noopener">VDB-360862 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/807807" target="_blank" rel="noopener">Submit #807807 | Wavlink WN570HA1 WL-WN570HA1 221110 Command Injection</a><br><a href="https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link" target="_blank" rel="noopener">https://lavender-bicycle-a5a.notion.site/Wavlink-WN570HA1-ping_ddns-34753a41781f80c0a6c6c1b09b7cdf1c?source=copy_link</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Acrel Electrical--EEMS Enterprise Power Operation and Maintenance Cloud Platform</td>
    <td>A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7696" target="_blank" rel="noopener">CVE-2026-7696</a></td>
    <td><a href="https://vuldb.com/vuln/360865" target="_blank" rel="noopener">VDB-360865 | Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload</a><br><a href="https://vuldb.com/vuln/360865/cti" target="_blank" rel="noopener">VDB-360865 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/807944" target="_blank" rel="noopener">Submit #807944 | Acrel Electric Co., Ltd. EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 Unrestricted Upload of File with Dangerous Type</a><br><a href="https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink" target="_blank" rel="noopener">https://ucn9h68n9289.feishu.cn/wiki/X9PAw4i5kiPueKkZqCCcNVYZnnc?from=from_copylink</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dromara--MaxKey</td>
    <td>A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7699" target="_blank" rel="noopener">CVE-2026-7699</a></td>
    <td><a href="https://vuldb.com/vuln/360868" target="_blank" rel="noopener">VDB-360868 | Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection</a><br><a href="https://vuldb.com/vuln/360868/cti" target="_blank" rel="noopener">VDB-360868 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/804260" target="_blank" rel="noopener">Submit #804260 | Dromara MaxKey 3.5.13 SQL Injection</a><br><a href="https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection" target="_blank" rel="noopener">https://github.com/xpp3901/CVE_APPLY/tree/main/V-M001_MaxKey_Filters_SQL_Injection</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">langflow-ai--langflow</td>
    <td>A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7700" target="_blank" rel="noopener">CVE-2026-7700</a></td>
    <td><a href="https://vuldb.com/vuln/360869" target="_blank" rel="noopener">VDB-360869 | langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection</a><br><a href="https://vuldb.com/vuln/360869/cti" target="_blank" rel="noopener">VDB-360869 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/804305" target="_blank" rel="noopener">Submit #804305 | langflow-ai Langflow Desktop 1.8.3 Execution with Unnecessary Privileges</a><br><a href="https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B" target="_blank" rel="noopener">https://www.yuque.com/mengnanbulalei/ognlsk/hte2a98ro5gf8tp9?singleDoc#%20%E3%80%8AFirst%20release%20of%20Langflow%201.8.3%20Smart%20Transform%20eval()/Lambda%20injection%20RCE%20vulnerability%20analysis+POC%E3%80%8B</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">JD Cloud--JDCOS</td>
    <td>A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function set_iptv_info of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7705" target="_blank" rel="noopener">CVE-2026-7705</a></td>
    <td><a href="https://vuldb.com/vuln/360881" target="_blank" rel="noopener">VDB-360881 | JD Cloud JDCOS Service jdcap set_iptv_info command injection</a><br><a href="https://vuldb.com/vuln/360881/cti" target="_blank" rel="noopener">VDB-360881 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805644" target="_blank" rel="noopener">Submit #805644 | jdcloud JD Cloud Wireless Bao (京东云无线宝) ER1 Taiyi (太乙) wired router / gigabit router JDCOS-JDC08-4.5.1.r4518 Remote code execution</a><br><a href="https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46" target="_blank" rel="noopener">https://www.notion.so/3430c75766a8802dbde3dc8a372c7f46</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">janeczku--Calibre-Web</td>
    <td>A vulnerability was identified in janeczku Calibre-Web up to 0.6.26. The impacted element is the function generate_auth_token of the file cps/kobo_auth.py of the component Endpoint. Such manipulation of the argument user_id leads to improper authorization. The attack may be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7709" target="_blank" rel="noopener">CVE-2026-7709</a></td>
    <td><a href="https://vuldb.com/vuln/360885" target="_blank" rel="noopener">VDB-360885 | janeczku Calibre-Web Endpoint kobo_auth.py generate_auth_token improper authorization</a><br><a href="https://vuldb.com/vuln/360885/cti" target="_blank" rel="noopener">VDB-360885 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805823" target="_blank" rel="noopener">Submit #805823 | Janeczku Calibre-web V0.6.7-V0.6.26 IDOR in auth-token generation leading to account takeover / user</a><br><a href="https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link" target="_blank" rel="noopener">https://drive.google.com/drive/folders/1rosrcfxcHrQM7_GOiBwzY_GnCfXoFuVR?usp=drive_link</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--MindsDB</td>
    <td>A security vulnerability has been detected in MindsDB up to 26.01. Affected is the function pickle.loads of the component Pickle Handler. The manipulation leads to deserialization. The attack is possible to be carried out remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>6.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7712" target="_blank" rel="noopener">CVE-2026-7712</a></td>
    <td><a href="https://vuldb.com/vuln/360888" target="_blank" rel="noopener">VDB-360888 | MindsDB Pickle pickle.loads deserialization</a><br><a href="https://vuldb.com/vuln/360888/cti" target="_blank" rel="noopener">VDB-360888 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806827" target="_blank" rel="noopener">Submit #806827 | https://github.com/mindsdb/mindsdb &lt;=26.01 Remote Code Execution</a><br><a href="https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md" target="_blank" rel="noopener">https://github.com/nn0nkey/JD-Security-SHENYI-Team/blob/main/MindsDB_Pickle_RCE.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Merge--Merge PACS</td>
    <td>Merge PACS 7.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized actions by crafting malicious HTML forms targeting the merge-viewer endpoint. Attackers can submit POST requests to /servlet/actions/merge-viewer/summary with login credentials to hijack user sessions and gain unauthorized access to the PACS system.</td>
    <td>2026-04-29</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25298" target="_blank" rel="noopener">CVE-2018-25298</a></td>
    <td><a href="https://www.exploit-db.com/exploits/44681" target="_blank" rel="noopener">ExploitDB-44681</a><br><a href="http://www.merge.com/" target="_blank" rel="noopener">Official Product Homepage</a><br><a href="https://www.vulncheck.com/advisories/merge-pacs-cross-site-request-forgery-via-merge-viewer" target="_blank" rel="noopener">VulnCheck Advisory: Merge PACS 7.0 Cross-Site Request Forgery via merge-viewer</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--Db2</td>
    <td>IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.3 for Linux, UNIX and Windows (includes Db2 Connect Server) could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic when certain configurations exist.</td>
    <td>2026-04-30</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14688" target="_blank" rel="noopener">CVE-2025-14688</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7269424" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7269424</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">IBM--watsonx.data</td>
    <td>IBM watsonx.data 2.2 through 2.3 IBM Lakehouse does not properly restrict communication between pods which could allow an attacker to transfer data between pods without restrictions.</td>
    <td>2026-04-30</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-36180" target="_blank" rel="noopener">CVE-2025-36180</a></td>
    <td><a href="https://www.ibm.com/support/pages/node/7270593" target="_blank" rel="noopener">https://www.ibm.com/support/pages/node/7270593</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dell--Alienware Command Center (AWCC)</td>
    <td>Dell Alienware Command Center (AWCC), versions prior to 6.13.8.0, contain a Least Privilege Violation vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Elevation of Privileges.</td>
    <td>2026-04-27</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32655" target="_blank" rel="noopener">CVE-2026-32655</a></td>
    <td><a href="https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities" target="_blank" rel="noopener">https://www.dell.com/support/kbdoc/en-us/000451018/dsa-2026-192-security-update-for-dell-alienware-command-center-6-x-for-multiple-vulnerabilities</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Elastic--Elastic Package Registry</td>
    <td>Improper Verification of Cryptographic Signature (CWE-347) in Elastic Package Registry could allow an attacker positioned to intercept network traffic, or to otherwise influence the contents served to a self-hosted registry, to substitute a tampered package without the integrity check failing closed.</td>
    <td>2026-04-28</td>
    <td>5.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33467" target="_blank" rel="noopener">CVE-2026-33467</a></td>
    <td>
    <a href="https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081" target="_blank" rel="noopener">https://discuss.elastic.co/t/elastic-package-registry-1-38-0-security-update-esa-2026-27/386081</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">dokaninc--Dokan: AI Powered WooCommerce Multivendor Marketplace Solution Build Your Own Amazon, eBay, Etsy</td>
    <td>The Dokan: AI Powered WooCommerce Multivendor Marketplace Solution plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 4.3.1 via the '/dokan/v1/stores/{id}/reviews' REST API endpoint. This is due to the 'prepare_reviews_for_response' method including reviewer email addresses, usernames, and user IDs in the API response. This makes it possible for unauthenticated attackers to extract email addresses, usernames, and user IDs of all customers who left reviews on any vendor's store. The Pro version of the plugin must be installed and activated, with store reviews enabled, in order to exploit the vulnerability.</td>
    <td>2026-05-02</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3504" target="_blank" rel="noopener">CVE-2026-3504</a></td>
    <td>
    <a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/02b0d7d7-8a10-48de-b1e1-7e1f1fda6ffe?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L125</a><br><a href="https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L835</a><br><a href="https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/dokan-lite/trunk/includes/REST/StoreController.php#L854</a><br><a href="https://plugins.trac.wordpress.org/changeset/3481799/" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3481799/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a-- V2Board&nbsp;v1.7.4</td>
    <td>Sensitive server_token exposed via GET parameter in V2Board through 1.7.4. In app/Http/Controllers/Server/UniProxyController.php, the server authentication token is accepted via GET parameter transmission. The token appears in URLs such as /api/v1/server/UniProxy/user?token=SECRET, causing it to be recorded in web server access logs, browser history, HTTP Referer headers, and proxy/CDN logs. An attacker who gains access to any log source can extract the token and impersonate a proxy server node, potentially intercepting all user traffic.</td>
    <td>2026-05-01</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37504" target="_blank" rel="noopener">CVE-2026-37504</a></td>
    <td>
    <a href="https://github.com/v2board/v2board" target="_blank" rel="noopener">https://github.com/v2board/v2board</a><br><a href="https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9" target="_blank" rel="noopener">https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">complianz--Complianz GDPR/CCPA Cookie Consent</td>
    <td>The Complianz - GDPR/CCPA Cookie Consent plugin for WordPress is vulnerable to unauthorized data access in all versions up to, and including, 7.4.5. This is due to the REST API endpoint at /wp-json/complianz/v1/consent-area/{post_id}/{block_id} using __return_true as the permission_callback, allowing any unauthenticated user to access it. The cmplz_rest_consented_content() function retrieves a post by ID via get_post() and returns the consentedContent attribute of any complianz/consent-area block found in it, without checking if the post is published or if the user has permission to read it. This makes it possible for unauthenticated attackers to read the consent area block content from private, draft, or unpublished posts.</td>
    <td>2026-04-29</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-4019" target="_blank" rel="noopener">CVE-2026-4019</a></td>
    <td>
    <a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/3892489e-6ff7-4664-bb06-b8edff6dd659?source=cve</a><br><a href="https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61" target="_blank" rel="noopener">https://github.com/complianz/complianz-gdpr/blob/64c09657bd028f62d7b50a54d83ca19b87df2cef/rest-api/rest-api.php#L61</a><br><a href="https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L54</a><br><a href="https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/complianz-gdpr/tags/7.4.4.2/rest-api/rest-api.php#L61</a><br><a href="https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset/3508713/complianz-gdpr/trunk/rest-api/rest-api.php</a><br><a href="https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/changeset?old_path=%2Fcomplianz-gdpr/tags/7.4.5&new_path=%2Fcomplianz-gdpr/tags/7.4.6</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">diplodoc-platform--@diplodoc/search-extension</td>
    <td>@diplodoc/search-extension 1.0.0 through 3.x before 3.0.3 allows stored XSS via the title in a .md file.</td>
    <td>2026-05-01</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40201" target="_blank" rel="noopener">CVE-2026-40201</a></td>
    <td>
    <a href="https://github.com/diplodoc-platform/search-extension/releases" target="_blank" rel="noopener">https://github.com/diplodoc-platform/search-extension/releases</a><br><a href="https://github.com/diplodoc-platform/search-extension/pull/41" target="_blank" rel="noopener">https://github.com/diplodoc-platform/search-extension/pull/41</a><br><a href="https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3" target="_blank" rel="noopener">https://github.com/diplodoc-platform/search-extension/releases/tag/v3.0.3</a><br><a href="https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md" target="_blank" rel="noopener">https://github.com/eyelessgoddd/eyelessgoddd/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">wproyal--Royal Addons for Elementor Addons and Templates Kit for Elementor</td>
    <td>The Royal Addons for Elementor plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the `wpr_update_form_action_meta` AJAX action in all versions up to, and including, 1.7.1056. The handler is registered on both `wp_ajax` and `wp_ajax_nopriv` hooks, making it accessible to unauthenticated users. Although a nonce is verified, the nonce (`wpr-addons-js`) is publicly exposed in frontend JavaScript via `WprConfig.nonce` on any page that loads Royal Addons widgets, rendering the protection ineffective. The endpoint also lacks any capability or ownership checks and directly calls `update_post_meta()` with user-controlled input on a whitelisted set of form action meta keys. This makes it possible for unauthenticated attackers to modify form action configuration metadata (email, submissions, Mailchimp, and webhook settings) on any post, potentially leading to webhook/email action tampering and data exfiltration via modified webhook URLs.</td>
    <td>2026-05-02</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-4024" target="_blank" rel="noopener">CVE-2026-4024</a></td>
    <td>
    <a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2ecec7d7-d1b2-4ccf-ade6-1f78224968c6?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L21</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L21</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/classes/modules/forms/wpr-actions-status.php#L73</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/classes/modules/forms/wpr-actions-status.php#L73</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/trunk/plugin.php#L592</a><br><a href="https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/royal-elementor-addons/tags/1.7.1049/plugin.php#L592</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MIT--Kerberos 5</td>
    <td>In MIT Kerberos 5 (aka krb5) before 1.22.3, there is a NULL pointer dereference if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, causing the process to terminate in parse_nego_message.</td>
    <td>2026-04-28</td>
    <td>5.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40355" target="_blank" rel="noopener">CVE-2026-40355</a></td>
    <td>
    <a href="https://web.mit.edu/kerberos/advisories/" target="_blank" rel="noopener">https://web.mit.edu/kerberos/advisories/</a><br><a href="https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html" target="_blank" rel="noopener">https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html</a><br><a href="https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f" target="_blank" rel="noopener">https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">MIT--Kerberos 5</td>
    <td>In MIT Kerberos 5 (aka krb5) before 1.22.3, there is an integer underflow and resultant out-of-bounds read if an application calls gss_accept_sec_context() on a system with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, possibly causing the process to terminate in parse_message.</td>
    <td>2026-04-28</td>
    <td>5.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40356" target="_blank" rel="noopener">CVE-2026-40356</a></td>
    <td>
    <a href="https://web.mit.edu/kerberos/advisories/" target="_blank" rel="noopener">https://web.mit.edu/kerberos/advisories/</a><br><a href="https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html" target="_blank" rel="noopener">https://cems.fun/2026/04/27/krb5-two-unauthenticated-network-vulnerabilities.html</a><br><a href="https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f" target="_blank" rel="noopener">https://github.com/krb5/krb5/commit/2e75f0d9362fb979f5fc92829431a590a130929f</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">SmarterTools Inc.--SmarterMail</td>
    <td>SmarterTools SmarterMail builds prior to 9610 contain a cryptographic weakness in the file and email sharing endpoints that use DES-CBC encryption with keys and initialization vectors derived from System.Random seeded with insufficient entropy, reducing the seed space to approximately 19,000 possible values. An unauthenticated attacker can use the attachment download endpoint as an oracle to determine the seed in use and derive encryption keys and initialization vectors to forge sharing tokens for arbitrary emails, attachments, or file storage contents without prior access to the targeted content.</td>
    <td>2026-04-27</td>
    <td>5.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40514" target="_blank" rel="noopener">CVE-2026-40514</a></td>
    <td>
    <a href="https://www.smartertools.com/smartermail/release-notes/current" target="_blank" rel="noopener">https://www.smartertools.com/smartermail/release-notes/current</a><br><a href="https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng" target="_blank" rel="noopener">https://www.vulncheck.com/advisories/smartertools-smartermail-build-9610-cryptographic-weakness-via-weak-rng</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Exim--Exim</td>
    <td>In Exim before 4.99.2, on systems using musl libc (not glibc), an attacker can crash the connection instance when malformed DNS data is present in PTR records. This is caused by a dn_expand oddity in octal printing.</td>
    <td>2026-04-30</td>
    <td>5.9</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40684" target="_blank" rel="noopener">CVE-2026-40684</a></td>
    <td>
    <a href="https://www.openwall.com/lists/oss-security/2026/04/30/21" target="_blank" rel="noopener">https://www.openwall.com/lists/oss-security/2026/04/30/21</a><br><a href="https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment" target="_blank" rel="noopener">https://exim.org/static/doc/security/cve-2026-04.1/CVE2026-40684.assessment</a><br><a href="https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81" target="_blank" rel="noopener">https://code.exim.org/exim/exim/commit/628bbaca7672748d941a12e7cd5f0122a4e18c81</a><br><a href="https://exim.org/static/doc/security/CVE-2026-40684.txt" target="_blank" rel="noopener">https://exim.org/static/doc/security/CVE-2026-40684.txt</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">TRENDnet--TEW-821DAP</td>
    <td>A vulnerability was detected in TRENDnet TEW-821DAP up to 1.12B01. The affected element is the function tools_diagnostic. The manipulation results in os command injection. The exploit is now public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
    <td>2026-05-02</td>
    <td>5.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7608" target="_blank" rel="noopener">CVE-2026-7608</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360565" target="_blank" rel="noopener">VDB-360565 | TRENDnet TEW-821DAP tools_diagnostic os command injection</a><br><a href="https://vuldb.com/vuln/360565/cti" target="_blank" rel="noopener">VDB-360565 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806215" target="_blank" rel="noopener">Submit #806215 | Trendnet TEW-821DAP v1.12B01 CWE-78 Improper Neutralization of Special Elements used in an OS</a><br><a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_CI1.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">code-projects--Online Hospital Management System</td>
    <td>A vulnerability was found in code-projects Online Hospital Management System 1.0. The impacted element is an unknown function of the component Registration Handler. The manipulation of the argument Username results in improper authorization. The attack can be executed remotely. The exploit has been made public and could be used.</td>
    <td>2026-05-02</td>
    <td>5.4</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7631" target="_blank" rel="noopener">CVE-2026-7631</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360577" target="_blank" rel="noopener">VDB-360577 | code-projects Online Hospital Management System Registration improper authorization</a><br><a href="https://vuldb.com/vuln/360577/cti" target="_blank" rel="noopener">VDB-360577 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806565" target="_blank" rel="noopener">Submit #806565 | Code-projects Online Hospital Management System V1.0 unauthorized access</a><br><a href="https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md" target="_blank" rel="noopener">https://github.com/MyMySSS/CVE123/blob/main/cve2/cve2.md</a><br><a href="https://code-projects.org/" target="_blank" rel="noopener">https://code-projects.org/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">appcheap--App Builder Create Native Android &amp; iOS Apps On The Flight</td>
    <td>The App Builder - Create Native Android &amp; iOS Apps On The Flight plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to and including 5.6.0. This is due to missing authorization validation in the `upload_avatar()` function, which accepts an attacker-controlled `user_id` parameter from the POST request body and uses it to update user meta without verifying that the authenticated requester owns or has permission to modify the target account. This makes it possible for authenticated attackers, with Subscriber-level access and above, to overwrite the profile avatar of any arbitrary user on the site, including administrators, by supplying a target `user_id` in the request body to the `/wp-json/app-builder/v1/upload-avatar` endpoint.</td>
    <td>2026-05-02</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7638" target="_blank" rel="noopener">CVE-2026-7638</a></td>
    <td>
    <a href="https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve" target="_blank" rel="noopener">https://www.wordfence.com/threat-intel/vulnerabilities/id/2d532ffc-c6f1-41e3-9a59-0706802ab8e2?source=cve</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L80</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L80</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Di/Service/Auth/UploadAvatar.php#L161</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Di/Service/Auth/UploadAvatar.php#L161</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/trunk/includes/Traits/Permission.php#L33</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.6.0/includes/Traits/Permission.php#L33</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L80</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Di/Service/Auth/UploadAvatar.php#L161</a><br><a href="https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33" target="_blank" rel="noopener">https://plugins.trac.wordpress.org/browser/app-builder/tags/5.5.10/includes/Traits/Permission.php#L33</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">sgl-project--SGLang</td>
    <td>A vulnerability was detected in sgl-project SGLang up to 0.5.9. Impacted is the function get_tokenizer of the file python/sglang/srt/utils/hf_transformers_utils.py of the component HuggingFace Transformer Handler. The manipulation of the argument trust_remote_code with the input False as part of Boolean results in code injection. The attack can be executed remotely. A high complexity level is associated with this attack. The exploitability is considered difficult. In get_tokenizer(), when the caller passes trust_remote_code=False and HuggingFace transformers v5 returns a TokenizersBackend instance (the generic fallback for tokenizer classes not in the registry), SGLang silently re-invokes AutoTokenizer.from_pretrained with trust_remote_code=True, overriding the caller's explicit security setting. A model repository containing a malicious tokenizer.py referenced via auto_map in tokenizer_config.json will execute arbitrary Python in the SGLang process during this second call. No log line or warning is emitted. The override affects all current SGLang versions because transformers==5.3.0 is pinned in pyproject.toml. Both tokenizer_mode="auto" and tokenizer_mode="slow" are affected. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-02</td>
    <td>5.6</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7669" target="_blank" rel="noopener">CVE-2026-7669</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360817" target="_blank" rel="noopener">VDB-360817 | sgl-project SGLang HuggingFace Transformer hf_transformers_utils.py get_tokenizer code injection</a><br><a href="https://vuldb.com/vuln/360817/cti" target="_blank" rel="noopener">VDB-360817 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/799263" target="_blank" rel="noopener">Submit #799263 | sgl-project sglang &lt;=0.5.9 Protection Mechanism Failure</a><br><a href="https://github.com/gouldnicholas/CVE-2026-7669-PoC" target="_blank" rel="noopener">https://github.com/gouldnicholas/CVE-2026-7669-PoC</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">eyeo--Adblock Plus</td>
    <td>A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."</td>
    <td>2026-05-03</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7686" target="_blank" rel="noopener">CVE-2026-7686</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360856" target="_blank" rel="noopener">VDB-360856 | eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control</a><br><a href="https://vuldb.com/vuln/360856/cti" target="_blank" rel="noopener">VDB-360856 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/793551" target="_blank" rel="noopener">Submit #793551 | Eyeo GmbH Adblock Plus 4.36.2 Privilege Escalation</a><br><a href="https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md" target="_blank" rel="noopener">https://github.com/xryj920/CVE/blob/main/adblock_plus_CVE_report.md</a><br><a href="https://adblockplus.org/en/download" target="_blank" rel="noopener">https://adblockplus.org/en/download</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dolibarr--ERP CRM</td>
    <td>A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7688" target="_blank" rel="noopener">CVE-2026-7688</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360858" target="_blank" rel="noopener">VDB-360858 | Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection</a><br><a href="https://vuldb.com/vuln/360858/cti" target="_blank" rel="noopener">VDB-360858 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/799337" target="_blank" rel="noopener">Submit #799337 | Dolibarr Dolibarr ERP CRM 23.0.2 and earlier SQL Injection</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">toeverything--AFFiNE</td>
    <td>A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>5.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7702" target="_blank" rel="noopener">CVE-2026-7702</a></td>
    <td>
    <a href="https://vuldb.com/vuln/360871" target="_blank" rel="noopener">VDB-360871 | toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization</a><br><a href="https://vuldb.com/vuln/360871/cti" target="_blank" rel="noopener">VDB-360871 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/804455" target="_blank" rel="noopener">Submit #804455 | AFFiNE AFFiNE (https://github.com/toeverything/AFFiNE) 0.26.3 Authorization Bypass</a><br><a href="https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4" target="_blank" rel="noopener">https://github.com/ngocnn97/security-advisories/blob/main/AFFiNE_BAC_PoC.mp4</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">VideoFlow Ltd.--VideoFlow Digital Video Protection</td>
    <td>VideoFlow Digital Video Protection DVP 2.10 contains an authenticated remote code execution vulnerability that allows authenticated attackers to execute arbitrary system commands by exploiting a cross-site request forgery flaw in the web management interface. Attackers with valid credentials can leverage the CSRF vulnerability to inject and execute system commands through the Tools &gt; System &gt; Shell interface, gaining root-level access to the device.</td>
    <td>2026-04-29</td>
    <td>4.3</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2018-25310" target="_blank" rel="noopener">CVE-2018-25310</a></td>
    <td>
    <a href="https://www.exploit-db.com/exploits/44387" target="_blank" rel="noopener">ExploitDB-44387</a><br><a href="https://www.zeroscience.mk/en/vulnerabilities/ZSL-2018-5455.php" target="_blank" rel="noopener">Vulnerability Advisory</a><br><a href="https://www.vulncheck.com/advisories/videoflow-digital-video-protection-dvp-10-authenticated-remote-code-execution" target="_blank" rel="noopener">VulnCheck Advisory: VideoFlow Digital Video Protection DVP 10 Authenticated Remote Code Execution</a><br>&nbsp;</td>
    </tr>

<tr>
<td class="vendor-product">gnu--wget2</td>
<td>wget2 accepts a server certificate with incorrect Key Usage (KU) or Extended Key Usage (EKU). If the attackers compromise a certificate (with the associated private key) issued for a different purpose, they may be able to reuse it for TLS server authentication.</td>
<td>2026-04-29</td>
<td>4.8</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1858" target="_blank" rel="noopener">CVE-2026-1858</a></td>
<td><a href="https://www.tenable.com/security/research/tra-2026-37" target="_blank" rel="noopener">https://www.tenable.com/security/research/tra-2026-37</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">wazuh--wazuh</td>
<td>Wazuh is a free and open source platform used for threat prevention, detection, and response. From version 1.0.0 to before version 4.14.4, a heap-based out-of-bounds WRITE occurs in GetAlertData, resulting in writing a NULL byte exactly 1 byte before the start of the buffer allocated by strdup. Due to unsigned integer underflow and pointer arithmetic wrapping, the write lands at offset -1 from the buffer, corrupting heap metadata. A malicious actor can potentially leverage this issue through a compromised agent to cause denial of service or heap corruption by injecting a specially crafted alert into the alerts log file monitored by wazuh-logcollector. This issue has been patched in version 4.14.4.</td>
<td>2026-04-29</td>
<td>4.4</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-26204" target="_blank" rel="noopener">CVE-2026-26204</a></td>
<td><a href="https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857" target="_blank" rel="noopener">https://github.com/wazuh/wazuh/security/advisories/GHSA-j4c7-hwjw-8857</a><br><a href="https://github.com/wazuh/wazuh/releases/tag/v4.14.4" target="_blank" rel="noopener">https://github.com/wazuh/wazuh/releases/tag/v4.14.4</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">Oracle Corporation--Oracle Linux</td>
<td>An unprivileged attacker can craft a user-space process with a malicious ELF binary containing an out-of-range sh_link field. When root-level dtrace attaches to -- or instruments -- that process (via dtrace -p, pid probes, or USDT), the ELF parser reads heap memory beyond the allocated section cache array without any bounds check. This results in an uninitialized/out-of-bounds heap read that can cause a NULL pointer dereference crash of the dtrace process (DoS), or -- depending on heap layout -- a read-then-use of a garbage pointer controlled by adjacent allocations, providing a foothold toward further exploitation in a privileged context.</td>
<td>2026-05-01</td>
<td>4.4</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35233" target="_blank" rel="noopener">CVE-2026-35233</a></td>
<td><a href="https://linux.oracle.com/cve/CVE-2026-35233.html" target="_blank" rel="noopener">Oracle Advisory</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--V2Board v1.7.4</td>
<td>SQL Injection via ORDER BY clause in V2Board through 1.7.4. In app/Http/Controllers/Admin/UserController.php, the sort parameter from user input is passed directly to User::orderBy($sort, $sortType) without validation. An authenticated admin can sort users by any database column including password, remember_token, and other sensitive fields, enabling information disclosure through ordering analysis.</td>
<td>2026-05-01</td>
<td>4.9</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37505" target="_blank" rel="noopener">CVE-2026-37505</a></td>
<td><a href="https://github.com/v2board/v2board" target="_blank" rel="noopener">https://github.com/v2board/v2board</a><br><a href="https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9" target="_blank" rel="noopener">https://gist.github.com/sgInnora/1330e1a82caa79906eec55eeff2c99b9</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">nextlevelbuilder--ui-ux-pro-max-skill</td>
<td>A vulnerability has been found in nextlevelbuilder ui-ux-pro-max-skill up to 2.5.0. Affected by this issue is the function data.get of the file .claude/skills/design-system/scripts/generate-slide.py of the component Slide Generator. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through a pull request but has not reacted yet.</td>
<td>2026-05-01</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7596" target="_blank" rel="noopener">CVE-2026-7596</a></td>
<td><a href="https://vuldb.com/vuln/360549" target="_blank" rel="noopener">VDB-360549 | nextlevelbuilder ui-ux-pro-max-skill Slide Generator generate-slide.py data.get cross site scripting</a><br><a href="https://vuldb.com/vuln/360549/cti" target="_blank" rel="noopener">VDB-360549 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805510" target="_blank" rel="noopener">Submit #805510 | nextlevelbuilder ui-ux-pro-max-skill 2.5.0 Slide Generator Multiple Stored XSS</a><br><a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/issues/247</a><br><a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/pull/274</a><br><a href="https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/" target="_blank" rel="noopener">https://github.com/nextlevelbuilder/ui-ux-pro-max-skill/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--Open5GS</td>
<td>A vulnerability has been found in Open5GS up to 2.7.6. Affected is an unknown function of the file src/amf/gmm-handler.c of the component AMF. The manipulation of the argument reg_type leads to denial of service. The attack can be carried out remotely. Upgrading to version 2.7.7 is able to address this issue. The identifier of the patch is ebc66942b6f8f1fab2d640e71cf4e9f1a423b426. It is advisable to upgrade the affected component.</td>
<td>2026-05-02</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7601" target="_blank" rel="noopener">CVE-2026-7601</a></td>
<td><a href="https://vuldb.com/vuln/360558" target="_blank" rel="noopener">VDB-360558 | Open5GS AMF gmm-handler.c denial of service</a><br><a href="https://vuldb.com/vuln/360558/cti" target="_blank" rel="noopener">VDB-360558 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805675" target="_blank" rel="noopener">Submit #805675 | Open5GS v.2.7.6 Denial of Service</a><br><a href="https://github.com/open5gs/open5gs/issues/4321" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/issues/4321</a><br><a href="https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/commit/ebc66942b6f8f1fab2d640e71cf4e9f1a423b426</a><br><a href="https://github.com/open5gs/open5gs/releases/tag/v2.7.7" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/releases/tag/v2.7.7</a><br><a href="https://github.com/open5gs/open5gs/" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">itsourcecode--Courier Management System</td>
<td>A vulnerability was determined in itsourcecode Courier Management System 1.0. Affected is an unknown function of the file /edit_user.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.</td>
<td>2026-05-02</td>
<td>4.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7612" target="_blank" rel="noopener">CVE-2026-7612</a></td>
<td><a href="https://vuldb.com/vuln/360569" target="_blank" rel="noopener">VDB-360569 | itsourcecode Courier Management System edit_user.php sql injection</a><br><a href="https://vuldb.com/vuln/360569/cti" target="_blank" rel="noopener">VDB-360569 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806275" target="_blank" rel="noopener">Submit #806275 | itsourcecode Courier Management System V1.0 SQL Injection</a><br><a href="https://github.com/ltranquility/submit/issues/12" target="_blank" rel="noopener">https://github.com/ltranquility/submit/issues/12</a><br><a href="https://itsourcecode.com/" target="_blank" rel="noopener">https://itsourcecode.com/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">ChatGPTNextWeb--NextChat</td>
<td>A flaw has been found in ChatGPTNextWeb NextChat up to 2.16.1. This impacts an unknown function of the file Next.js of the component API Endpoint. Executing a manipulation can lead to permissive cross-domain policy with untrusted domains. The attack may be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
<td>2026-05-02</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7643" target="_blank" rel="noopener">CVE-2026-7643</a></td>
<td><a href="https://vuldb.com/vuln/360755" target="_blank" rel="noopener">VDB-360755 | ChatGPTNextWeb NextChat API Endpoint Next.js cross-domain policy</a><br><a href="https://vuldb.com/vuln/360755/cti" target="_blank" rel="noopener">VDB-360755 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806833" target="_blank" rel="noopener">Submit #806833 | ChatGPTNextWeb NextChat 2.16.1 Permissive CORS Wildcard Policy</a><br><a href="https://github.com/ChatGPTNextWeb/NextChat/issues/6756" target="_blank" rel="noopener">https://github.com/ChatGPTNextWeb/NextChat/issues/6756</a><br><a href="https://github.com/ChatGPTNextWeb/NextChat/" target="_blank" rel="noopener">https://github.com/ChatGPTNextWeb/NextChat/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--crmeb_java</td>
<td>A vulnerability was detected in crmeb_java up to 1.3.4. This vulnerability affects unknown code of the file crmeb/crmeb-service/src/main/java/com/zbkj/service/service/impl/UploadServiceImpl.java of the component Admin Upload. Performing a manipulation of the argument model results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>4.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7673" target="_blank" rel="noopener">CVE-2026-7673</a></td>
<td><a href="https://vuldb.com/vuln/360826" target="_blank" rel="noopener">VDB-360826 | crmeb_java Admin Upload UploadServiceImpl.java unrestricted upload</a><br><a href="https://vuldb.com/vuln/360826/cti" target="_blank" rel="noopener">VDB-360826 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/800684" target="_blank" rel="noopener">Submit #800684 | crmeb crmeb_java 1.3.4 Unrestricted Upload</a><br><a href="https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink" target="_blank" rel="noopener">https://fx4tqqfvdw4.feishu.cn/docx/EgMOdHyq6oyxhux5vpJcr5cgnAf?from=from_copylink</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">kerwincui--FastBee</td>
<td>A vulnerability was found in kerwincui FastBee up to 1.2.1. The affected element is the function ToolController.download of the file springboot/fastbee-open-api/src/main/java/com/fastbee/data/controller/ToolController.java of the component Tool Download Endpoint. The manipulation of the argument fileName results in path traversal. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7676" target="_blank" rel="noopener">CVE-2026-7676</a></td>
<td><a href="https://vuldb.com/vuln/360829" target="_blank" rel="noopener">VDB-360829 | kerwincui FastBee Tool Download Endpoint ToolController.java ToolController.download path traversal</a><br><a href="https://vuldb.com/vuln/360829/cti" target="_blank" rel="noopener">VDB-360829 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/800723" target="_blank" rel="noopener">Submit #800723 | kerwincui FastBee ≤ 1.2.1 Path Traversal</a><br><a href="https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink" target="_blank" rel="noopener">https://fx4tqqfvdw4.feishu.cn/docx/Yv1gdAzFpoHCUUxDdKSculR4nKf?from=from_copylink</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">jsbroks--COCO Annotator</td>
<td>A weakness has been identified in jsbroks COCO Annotator up to 0.11.1. Affected is an unknown function of the file backend/webserver/api/datasets.py of the component Data Endpoint. Executing a manipulation of the argument folder can lead to path traversal. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7680" target="_blank" rel="noopener">CVE-2026-7680</a></td>
<td><a href="https://vuldb.com/vuln/360833" target="_blank" rel="noopener">VDB-360833 | jsbroks COCO Annotator Data Endpoint datasets.py path traversal</a><br><a href="https://vuldb.com/vuln/360833/cti" target="_blank" rel="noopener">VDB-360833 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/801150" target="_blank" rel="noopener">Submit #801150 | jsbroks COCO Annotator 0.11.1 Absolute Path Traversal</a><br><a href="https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter" target="_blank" rel="noopener">https://github.com/natanmorette-thoropass/thoropass-vuln-research-program/tree/main/2026/Path%20Traversal%20via%20Dataset%20Folder%20Parameter</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">AMTT--Hotel Broadband Operation System</td>
<td>A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>4.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7697" target="_blank" rel="noopener">CVE-2026-7697</a></td>
<td><a href="https://vuldb.com/vuln/360866" target="_blank" rel="noopener">VDB-360866 | AMTT Hotel Broadband Operation System cardhand_submit.php sql injection</a><br><a href="https://vuldb.com/vuln/360866/cti" target="_blank" rel="noopener">VDB-360866 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/803272" target="_blank" rel="noopener">Submit #803272 | Anmei Century (Beijing) Technology Co., Ltd. Hotel Broadband Operation System v1.0 SQL Injection</a><br><a href="https://github.com/testnet0/testnet/issues/74" target="_blank" rel="noopener">https://github.com/testnet0/testnet/issues/74</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">Telegram--Desktop</td>
<td>A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7701" target="_blank" rel="noopener">CVE-2026-7701</a></td>
<td><a href="https://vuldb.com/vuln/360870" target="_blank" rel="noopener">VDB-360870 | Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference</a><br><a href="https://vuldb.com/vuln/360870/cti" target="_blank" rel="noopener">VDB-360870 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/804341" target="_blank" rel="noopener">Submit #804341 | Telegram Telegram Desktop &lt;= 6.7.5 NULL Pointer Dereference</a><br><a href="https://www.youtube.com/watch?v=xo9Bplsy1K8" target="_blank" rel="noopener">https://www.youtube.com/watch?v=xo9Bplsy1K8</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">AV Stumpfl--Pixera Two Media Server</td>
<td>A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7704" target="_blank" rel="noopener">CVE-2026-7704</a></td>
<td><a href="https://vuldb.com/vuln/360873" target="_blank" rel="noopener">VDB-360873 | AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal</a><br><a href="https://vuldb.com/vuln/360873/cti" target="_blank" rel="noopener">VDB-360873 | CTI Indicators (IOB, IOC, TTP)</a><br><a href="https://vuldb.com/submit/805275" target="_blank" rel="noopener">Submit #805275 | AV Stumpfl Pixera Two Media Server &lt; 25.2 R3 Arbitrary File Read</a><br><a href="https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608" target="_blank" rel="noopener">https://gist.github.com/TrebledJ/585a20525e45549f299d282233632608</a><br><a href="https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog" target="_blank" rel="noopener">https://help.pixera.one/changelogs-version-overviews/pixera-252-overview-changelog</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--Open5GS</td>
<td>A vulnerability has been found in Open5GS up to 2.7.7. This issue affects the function gmm_handle_service_request of the file /src/amf/gmm-handler.c of the component AMF. The manipulation leads to denial of service. The attack can be initiated remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7706" target="_blank" rel="noopener">CVE-2026-7706</a></td>
<td><a href="https://vuldb.com/vuln/360882" target="_blank" rel="noopener">VDB-360882 | Open5GS AMF gmm-handler.c gmm_handle_service_request denial of service</a><br><a href="https://vuldb.com/vuln/360882/cti" target="_blank" rel="noopener">VDB-360882 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805698" target="_blank" rel="noopener">Submit #805698 | Open5GS AMF v2.7.7 Denial of Service</a><br><a href="https://github.com/open5gs/open5gs/issues/4409" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/issues/4409</a><br><a href="https://github.com/open5gs/open5gs/" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--Open5GS</td>
<td>A vulnerability was found in Open5GS up to 2.7.7. Impacted is the function udr_nudr_dr_handle_subscription_context of the file /src/udr/nudr-handler.c of the component UDR. The manipulation of the argument pei results in denial of service. The attack can be launched remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7707" target="_blank" rel="noopener">CVE-2026-7707</a></td>
<td><a href="https://vuldb.com/vuln/360883" target="_blank" rel="noopener">VDB-360883 | Open5GS UDR nudr-handler.c udr_nudr_dr_handle_subscription_context denial of service</a><br><a href="https://vuldb.com/vuln/360883/cti" target="_blank" rel="noopener">VDB-360883 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805699" target="_blank" rel="noopener">Submit #805699 | Open5gs UDR v2.7.7 Denial of Service</a><br><a href="https://vuldb.com/submit/805700" target="_blank" rel="noopener">Submit #805700 | Open5gs UDR v2.7.7 Denial of Service (Duplicate)</a><br><a href="https://github.com/open5gs/open5gs/issues/4410" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/issues/4410</a><br><a href="https://github.com/open5gs/open5gs/issues/4411" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/issues/4411</a><br><a href="https://github.com/open5gs/open5gs/" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">n/a--Open5GS</td>
<td>A vulnerability was determined in Open5GS up to 2.7.7. The affected element is the function ogs_dbi_subscription_data in the library /lib/dbi/subscription.c of the component UDR. This manipulation of the argument supi_id causes denial of service. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.</td>
<td>2026-05-03</td>
<td>4.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7708" target="_blank" rel="noopener">CVE-2026-7708</a></td>
<td><a href="https://vuldb.com/vuln/360884" target="_blank" rel="noopener">VDB-360884 | Open5GS UDR subscription.c ogs_dbi_subscription_data denial of service</a><br><a href="https://vuldb.com/vuln/360884/cti" target="_blank" rel="noopener">VDB-360884 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/805701" target="_blank" rel="noopener">Submit #805701 | Open5gs UDR v2.7.7 Denial of Service</a><br><a href="https://github.com/open5gs/open5gs/issues/4412" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/issues/4412</a><br><a href="https://github.com/open5gs/open5gs/" target="_blank" rel="noopener">https://github.com/open5gs/open5gs/</a><br>&nbsp;</td>
</tr>
</tbody>
</table>
<p><a href="#top">Back to top</a></p>
</div>
<div id="low_v">
<h2 id="low_v_title">Low Vulnerabilities</h2>
<table class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="Low Vulnerabilities">
<thead>
<tr>
<th class="vendor-product" style="width: 24%;" scope="col">
<span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
<th style="width: 44%;" scope="col">Description</th>
<th style="width: 10%;" scope="col">Published</th>
<th style="width: 8%;" scope="col">CVSS Score</th>
<th style="width: 7%;" scope="col">Source Info</th>
<th style="width: 7%;" scope="col">Patch Info</th>
</tr>
</thead>
<tbody>

<tr>
<td class="vendor-product">Oracle Corporation--Oracle Linux</td>
<td>An unprivileged attacker can reliably trigger a crash of the dtrace process with a malicious ELF binary due to an integer Divide-by-Zero in Pbuild_file_symtab().</td>
<td>2026-05-01</td>
<td>3.3</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21996" target="_blank" rel="noopener">CVE-2026-21996</a></td>
<td><a href="https://linux.oracle.com/cve/CVE-2026-21996.html" target="_blank" rel="noopener">Oracle Advisory</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">redhat[.]com--gnutls</td>
<td>A flaw was found in gnutls. A remote attacker could exploit this vulnerability by presenting a specially crafted Online Certificate Status Protocol (OCSP) response during a TLS handshake. Due to a logic error in how gnutls processes multi-record OCSP responses, a client with OCSP verification enabled may incorrectly accept a revoked server certificate, potentially leading to a compromise of trust.</td>
<td>2026-04-30</td>
<td>3.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3832" target="_blank" rel="noopener">CVE-2026-3832</a></td>
<td><a href="https://access.redhat.com/errata/RHSA-2026:13274" target="_blank" rel="noopener">RHSA-2026:13274</a><br><a href="https://access.redhat.com/security/cve/CVE-2026-3832" target="_blank" rel="noopener">https://access.redhat.com/security/cve/CVE-2026-3832</a><br><a href="https://bugzilla.redhat.com/show_bug.cgi?id=2445762" target="_blank" rel="noopener">RHBZ#2445762</a><br><a href="https://gitlab.com/gnutls/gnutls/-/issues/1801" target="_blank" rel="noopener">https://gitlab.com/gnutls/gnutls/-/issues/1801</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">TRENDnet--TEW-821DAP</td>
<td>A weakness has been identified in TRENDnet TEW-821DAP 1.12B01. This issue affects the function find_hwid/new_gui_update_firmware of the component Firmware Update Handler. Executing a manipulation of the argument dest can lead to insufficient verification of data authenticity. The attack can be launched remotely. Attacks of this nature are highly complex. The exploitability is assessed as difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
<td>2026-05-02</td>
<td>3.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7606" target="_blank" rel="noopener">CVE-2026-7606</a></td>
<td><a href="https://vuldb.com/vuln/360563" target="_blank" rel="noopener">VDB-360563 | TRENDnet TEW-821DAP Firmware Update new_gui_update_firmware data authenticity</a><br><a href="https://vuldb.com/vuln/360563/cti" target="_blank" rel="noopener">VDB-360563 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806213" target="_blank" rel="noopener">Submit #806213 | Trendnet TEW-821DAP v1.12B01 CWE-287 Improper Authentication</a><br><a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Auth.md</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">TRENDnet--TEW-821DAP</td>
<td>A vulnerability has been found in TRENDnet TEW-821DAP 1.12B01. This affects an unknown function of the file /www/cgi/ssi of the component Firmware Update. Such manipulation leads to cleartext transmission of sensitive information. The attack can be executed remotely. This attack is characterized by high complexity. The exploitability is reported as difficult. The exploit has been disclosed to the public and may be used. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
<td>2026-05-02</td>
<td>3.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7610" target="_blank" rel="noopener">CVE-2026-7610</a></td>
<td><a href="https://vuldb.com/vuln/360567" target="_blank" rel="noopener">VDB-360567 | TRENDnet TEW-821DAP Firmware Update ssi cleartext transmission</a><br><a href="https://vuldb.com/vuln/360567/cti" target="_blank" rel="noopener">VDB-360567 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/806217" target="_blank" rel="noopener">Submit #806217 | Trendnet TEW-821DAP v1.12B01 CWE-319: Cleartext Transmission of Sensitive Information</a><br><a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Down.md</a><br>&nbsp;</td>
</tr>

<tr>
<td class="vendor-product">TRENDnet--TEW-821DAP</td>
<td>A vulnerability was found in TRENDnet TEW-821DAP up to 1.12B01. This impacts the function platform_do_upgrade_cameo_dev of the file cameo_dev.sh of the component Firmware Update Handler. Performing a manipulation results in insufficient verification of data authenticity. The attack can be carried out remotely. The complexity of an attack is rather high. The exploitability is said to be difficult. The vendor explains: "That firmware version will only work on our hardware version v1.xR. We have already EOL that product 8 years ago and are no longer selling". This vulnerability only affects products that are no longer supported by the maintainer.</td>
<td>2026-05-02</td>
<td>3.7</td>
<td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7611" target="_blank" rel="noopener">CVE-2026-7611</a></td>
<td><a href="https://vuldb.com/vuln/360568" target="_blank" rel="noopener">VDB-360568 | TRENDnet TEW-821DAP Firmware Update cameo_dev.sh platform_do_upgrade_cameo_dev data authenticity</a><br><a href="https://vuldb.com/vuln/360568/cti" target="_blank" rel="noopener">VDB-360568 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/806218" target="_blank" rel="noopener">Submit #806218 | Trendnet TEW-821DAP v1.12B01 CWE-327 Use of a Broken or Risky Cryptographic Algorithm</a><br><a href="https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md" target="_blank" rel="noopener">https://github.com/IOTRes/IOT_Firmware_Update/blob/main/Trendnet/TEW-821DAP_Inte.md</a><br>&nbsp;</td>
</tr>

    <tr>
    <td class="vendor-product">CodeWise--Tornet Scooter Mobile App</td>
    <td>A vulnerability has been found in CodeWise Tornet Scooter Mobile App 4.75 on iOS/Android. The impacted element is an unknown function of the file /TwoFactor. Such manipulation leads to improper restriction of excessive authentication attempts. The attack may be performed from remote. Attacks of this nature are highly complex. The exploitability is regarded as difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-02</td>
    <td>3.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7671" target="_blank" rel="noopener">CVE-2026-7671</a></td>
    <td><a href="https://vuldb.com/vuln/360819" target="_blank" rel="noopener">VDB-360819 | CodeWise Tornet Scooter Mobile App TwoFactor excessive authentication</a><br><a href="https://vuldb.com/vuln/360819/cti" target="_blank" rel="noopener">VDB-360819 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/799987" target="_blank" rel="noopener">Submit #799987 | CodeWise Technologies, Tornet Scooter (Mobile APP) 4.75 Improper Restriction of Excessive Authentication Attempts (CWE-3</a><br><a href="https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO" target="_blank" rel="noopener">https://drive.proton.me/urls/M0WFM4137W#MY0jA6pjHYPO</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">kerwincui--FastBee</td>
    <td>A vulnerability was determined in kerwincui FastBee up to 1.2.1. The impacted element is the function Add of the file springboot/fastbee-admin/src/main/java/com/fastbee/web/controller/system/SysNoticeController.java of the component System Notice Handler. This manipulation of the argument noticeContent causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>3.5</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7677" target="_blank" rel="noopener">CVE-2026-7677</a></td>
    <td><a href="https://vuldb.com/vuln/360830" target="_blank" rel="noopener">VDB-360830 | kerwincui FastBee System Notice SysNoticeController.java add cross site scripting</a><br><a href="https://vuldb.com/vuln/360830/cti" target="_blank" rel="noopener">VDB-360830 | CTI Indicators (IOB, IOC, TTP, IOA)</a><br><a href="https://vuldb.com/submit/800724" target="_blank" rel="noopener">Submit #800724 | kerwincui FastBee ≤ 1.2.1 Improper Neutralization of Alternate XSS Syntax</a><br><a href="https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink" target="_blank" rel="noopener">https://fx4tqqfvdw4.feishu.cn/docx/Iu5Dd558UoS4uIxhH9YcgNsWnjc?from=from_copylink</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dolibarr--ERP CRM</td>
    <td>A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.</td>
    <td>2026-05-03</td>
    <td>3.7</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-7689" target="_blank" rel="noopener">CVE-2026-7689</a></td>
    <td><a href="https://vuldb.com/vuln/360859" target="_blank" rel="noopener">VDB-360859 | Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification</a><br><a href="https://vuldb.com/vuln/360859/cti" target="_blank" rel="noopener">VDB-360859 | CTI Indicators (IOB, IOC, IOA)</a><br><a href="https://vuldb.com/submit/801794" target="_blank" rel="noopener">Submit #801794 | Dolibarr Dolibarr ERP/CRM 23.0.2 Authentication Bypass Issues</a><br><a href="https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158" target="_blank" rel="noopener">https://gist.github.com/Shaon-Xis/d6ae069fc54f006457b68a91d5a8e158</a><br>&nbsp;</td>
    </tr>
    </tbody>
    </table>
    <p><a href="#top">Back to top</a></p>
    </div>
    <div id="snya_v">
    <h2 id="snya_v_title">Severity Not Yet Assigned</h2>
    <table id="table_severity_not_yet_assigned" class="table no-tablesaw" style="table-layout: fixed; width: 100%;" border="1" summary="Severity Not Yet Assigned">
    <thead>
    <tr>
    <th class="vendor-product" style="width: 24%;" scope="col">
    <span class="primary-vendor">Primary</span><br><span class="primary-vendor">Vendor</span> -- Product</th>
    <th style="width: 44%;" scope="col">Description</th>
    <th style="width: 10%;" scope="col">Published</th>
    <th style="width: 8%;" scope="col">CVSS Score</th>
    <th style="width: 7%;" scope="col">Source Info</th>
    <th style="width: 7%;" scope="col">Patch Info</th>
    </tr>
    </thead>
    <tbody>

    <tr>
    <td class="vendor-product">n/a--Sourcecodester Online Job Portal phppdo 1.0</td>
    <td>SQL Injection vulnerability exists in Sourcecodester Online Job Portal phppdo 1.0 via the category parameter in /jobportal/index.php.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2021-36438" target="_blank" rel="noopener">CVE-2021-36438</a></td>
    <td><a href="https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/" target="_blank" rel="noopener">https://www.linkedin.com/in/mohamed-elobeid-oscp-ewptxv2-crtp-cissp-mba-537ba485/</a><br><a href="https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/" target="_blank" rel="noopener">https://thecyberpost.com/tools/exploits-cve/online-job-portal-in-php-pdo-1-0-sql-injection/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Lobster GmbH--Lobster_pro</td>
    <td>Unauthenticated attackers can exploit a weakness in the XML parser functionality of Lobster_pro prior to version 4.12.6-GA. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-13971" target="_blank" rel="noopener">CVE-2024-13971</a></td>
    <td><a href="https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/" target="_blank" rel="noopener">https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-005/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">4D--4D Server</td>
    <td>Unauthenticated attackers can exploit a weakness in the XML parser functionality of the SOAP endpoints in 4D server. This allows them to obtain read access to files on the application server and adjacent network shares, and perform HTTP GET requests to arbitrary services.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-39847" target="_blank" rel="noopener">CVE-2024-39847</a></td>
    <td><a href="https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/" target="_blank" rel="noopener">https://www.schutzwerk.com/en/blog/schutzwerk-sa-2024-002/</a><br><a href="https://4d.com" target="_blank" rel="noopener">https://4d.com</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--NASA EOSDIS MODAPS</td>
    <td>NASA Earth Observing System Data and Information System (EOSDIS) MODAPS v8.1 was discovered to contain a SQL injection vulnerability in the category parameter.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-46636" target="_blank" rel="noopener">CVE-2024-46636</a></td>
    <td><a href="https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/" target="_blank" rel="noopener">https://www.linkedin.com/in/abdulrahman-aldossary-842b6b26b/</a><br><a href="https://bugcrowd.com/Xnu11" target="_blank" rel="noopener">https://bugcrowd.com/Xnu11</a><br><a href="https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS" target="_blank" rel="noopener">https://github.com/NU1L0/CVE-2024-46636-SQLi-MODAPS</a><br>&nbsp;</td>

    </tr>

    <tr>
    <td class="vendor-product">Hanwha Vision--QND-8080R</td>
    <td>Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-54011" target="_blank" rel="noopener">CVE-2024-54011</a></td>
    <td><a href="https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf" target="_blank" rel="noopener">https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Hanwha Vision--QND-8080R</td>
    <td>Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-54012" target="_blank" rel="noopener">CVE-2024-54012</a></td>
    <td><a href="https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf" target="_blank" rel="noopener">https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Hanwha Vision--QND-8080R</td>
    <td>Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and workarounds.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2024-54013" target="_blank" rel="noopener">CVE-2024-54013</a></td>
    <td><a href="https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf" target="_blank" rel="noopener">https://www.hanwhavision.com/wp-content/uploads/2026/04/Camera-Vulnerability-ReportCVE-2024-5401154013.pdf</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">DeskTime--DeskTime Time Tracking App</td>
    <td>Due to improper TLS certificate validation in the DeskTime Time Tracking App before version 1.3.674, attackers who can position themselves in the network path between the client and the DeskTime update servers can return a malicious executable in response to an update request. This allows the attacker to achieve user-level remote code execution on the affected client.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-10539" target="_blank" rel="noopener">CVE-2025-10539</a></td>
    <td><a href="https://r.sec-consult.com/desktime" target="_blank" rel="noopener">https://r.sec-consult.com/desktime</a><br><a href="https://desktime.com/download" target="_blank" rel="noopener">https://desktime.com/download</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">RTI--Connext Professional</td>
    <td>Improper Restriction of XML External Entity Reference vulnerability in Connext Professional (Core Libraries) allows Serialized Data External Linking. This issue affects Connext Professional: from 7.4.0 before 7.7.0, from 7.0.0 before 7.3.1.1, from 6.1.0 before 6.1.*, from 6.0.0 before 6.0.*, from 5.3.0 before 5.3.*, from 4.3x before 5.2.*.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14543" target="_blank" rel="noopener">CVE-2025-14543</a></td>
    <td><a href="https://www.rti.com/vulnerabilities/#cve-2025-14543" target="_blank" rel="noopener">https://www.rti.com/vulnerabilities/#cve-2025-14543</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">The Qt Company--Qt</td>
    <td>Insufficient validation of node IDs in the Qt SVG module allows arbitrary QML/JavaScript code injection when loading malicious SVG files through the VectorImage component in Qt Quick. While QML execution is typically more restricted than native code execution, this could still lead to denial of service, information disclosure, or other impacts depending on the application's privilege level and data access.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-14576" target="_blank" rel="noopener">CVE-2025-14576</a></td>
    <td><a href="https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273" target="_blank" rel="noopener">Qt Code Review - Fix for QTBUG-142556</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Ribblr--Crochet and Knitting</td>
    <td>An authenticated user can bypass authorization in the Ribblr - Crochet &amp; Knitting iOS application.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-15626" target="_blank" rel="noopener">CVE-2025-15626</a></td>
    <td><a href="https://ribblr.com/" target="_blank" rel="noopener">https://ribblr.com/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Thrift</td>
    <td>Mismatched Memory Management Routines vulnerability in Apache Thrift c_glib language bindings. This issue affects Apache Thrift: before 0.23.0. Users are recommended to upgrade to version 0.23.0, which fixes the issue. Description: Specially crafted requests can crash a c_glib-based Thrift server with a clean but fatal "free(): invalid pointer" error message.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-48431" target="_blank" rel="noopener">CVE-2025-48431</a></td>
    <td><a href="https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql" target="_blank" rel="noopener">https://lists.apache.org/thread/lb4j0zyd5f3g36cos0wql925przpnwql</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--B1 Free Archiver v1.5.86</td>
    <td>A vulnerability in B1 Free Archiver v1.5.86 allows files extracted from downloaded archives to bypass Windows Mark of the Web (MotW) protections. When an archive is downloaded from the internet and extracted using B1 Free Archiver, the software fails to propagate the 'Zone.Identifier' alternate data stream to the extracted files. As a result, these files can be executed without triggering Windows Defender SmartScreen warnings or security prompts, enabling untrusted code execution without standard security restrictions.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-50328" target="_blank" rel="noopener">CVE-2025-50328</a></td>
    <td><a href="https://b1.org/" target="_blank" rel="noopener">https://b1.org/</a><br><a href="https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version" target="_blank" rel="noopener">https://github.com/math69b/B1FREE/blob/main/B1%20Free%20Archiver%20version</a><br>&nbsp;</td>

    </tr>

    <tr>
    <td class="vendor-product">passmark[.]com-- BurnInTest v11.0</td>
    <td>An issue in the component DirectIo64.sys of PassMark BurnInTest v11.0 Build 1011, OSForensics v11.1 Build 1007, and PerformanceTest v11.1 Build 1004 allows attackers to access kernel memory and escalate privileges via a crafted IOCTL 0x8011E044 call.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-52347" target="_blank" rel="noopener">CVE-2025-52347</a></td>
    <td><a href="https://www.passmark.com/products/performancetest/history.php" target="_blank" rel="noopener">https://www.passmark.com/products/performancetest/history.php</a><br><a href="https://www.osforensics.com/whats-new.html" target="_blank" rel="noopener">https://www.osforensics.com/whats-new.html</a><br><a href="https://www.passmark.com/products/burnintest/history.php" target="_blank" rel="noopener">https://www.passmark.com/products/burnintest/history.php</a><br><a href="https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347" target="_blank" rel="noopener">https://github.com/netero1010/Vulnerability-Disclosure/tree/main/CVE-2025-52347</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Eprosima Micro-XRCE-DDS Agent v.3.0.1</td>
    <td>An issue in Eprosima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a crafted packet to the MTU length field.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-63547" target="_blank" rel="noopener">CVE-2025-63547</a></td>
    <td><a href="https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390" target="_blank" rel="noopener">https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/390</a><br><a href="https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md" target="_blank" rel="noopener">https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Eprosima Micro-XRCE-DDS Agent v.3.0.1</td>
    <td>An issue in Eprosima Micro-XRCE-DDS Agent v.3.0.1 allows a remote attacker to cause a denial of service via a packet specially crafted to bear a non-valid value in any Boolean field.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-63548" target="_blank" rel="noopener">CVE-2025-63548</a></td>
    <td><a href="https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389" target="_blank" rel="noopener">https://github.com/eProsima/Micro-XRCE-DDS-Agent/issues/389</a><br><a href="https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md" target="_blank" rel="noopener">https://github.com/j4kb4dw0lf/CVEs/blob/main/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Pro-Bit</td>
    <td>An issue in Pro-Bit before v1.77.4 allows unauthenticated attackers to directly access a sensitive directory and its subdirectories.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-69428" target="_blank" rel="noopener">CVE-2025-69428</a></td>
    <td><a href="https://github.com/jasetpen/CVE-2025-69428" target="_blank" rel="noopener">https://github.com/jasetpen/CVE-2025-69428</a><br>&nbsp;</td>

    </tr>

    <tr>
    <td class="vendor-product">n/a--GSVoIP web panel v2.0.90</td>
    <td>Cross-Site Scripting (XSS) vulnerability was discovered in the GSVoIP web panel version 2.0.90. The `msg` parameter in the `/painel/gateways.php/error` endpoint does not properly sanitize user-supplied input, allowing attackers to inject arbitrary JavaScript into the HTML response. A remote attacker can exploit this vulnerability by sending a crafted URL to a victim, leading to unauthorized script execution, session hijacking, phishing, or other client-side attacks.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-69606" target="_blank" rel="noopener">CVE-2025-69606</a></td>
    <td><a href="https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E" target="_blank" rel="noopener">https://sip2.solutionsvoip.com.br/painel/gateways.php/error?msg=%3C%2Fscript%3E%3Cscript%3Ealert%28document.domain%29%3C%2Fscript%3E</a><br><a href="https://www.solutionsvoip.com.br/" target="_blank" rel="noopener">https://www.solutionsvoip.com.br/</a><br><a href="https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS" target="_blank" rel="noopener">https://github.com/Razielx64/CVE-2025-69606-GSVoIP-XSS</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">getfancontrol[.]com--Fan Control App v251</td>
    <td>The Fan Control application V251 contains an improper privilege handling vulnerability in its Open File Dialog. The dialog processes user-supplied paths with elevated permissions, which can be exploited by a local attacker to perform actions with administrator-level privileges.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2025-69689" target="_blank" rel="noopener">CVE-2025-69689</a></td>
    <td><a href="https://getfancontrol.com" target="_blank" rel="noopener">https://getfancontrol.com</a><br><a href="https://github.com/Rem0o/FanControl.Releases" target="_blank" rel="noopener">https://github.com/Rem0o/FanControl.Releases</a><br><a href="https://github.com/Rem0o/FanControl.Releases/releases/tag/V251" target="_blank" rel="noopener">https://github.com/Rem0o/FanControl.Releases/releases/tag/V251</a><br><a href="https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529" target="_blank" rel="noopener">https://gist.github.com/ahrixia/7c89bb3f1af6e85aeedde5ddb557a529</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">SonicWall--SonicOS</td>
    <td>A vulnerability in the access control mechanism of SonicOS may allow certain management interface functions to be accessible under specific conditions.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0204" target="_blank" rel="noopener">CVE-2026-0204</a></td>
    <td><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004" target="_blank" rel="noopener">https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">SonicWall--SonicOS</td>
    <td>A post-authentication Path Traversal vulnerability in SonicOS allows an attacker to interact with usually restricted services.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0205" target="_blank" rel="noopener">CVE-2026-0205</a></td>
    <td><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004" target="_blank" rel="noopener">https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">SonicWall--SonicOS</td>
    <td>A post-authentication Stack-based Buffer Overflow vulnerability in SonicOS allows a remote attacker to crash a firewall.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-0206" target="_blank" rel="noopener">CVE-2026-0206</a></td>
    <td><a href="https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004" target="_blank" rel="noopener">https://psirt.global.sonicwall.com/vuln-detail/SNWLID-2026-0004</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Wolters Kluwer Polska--LEX Baza Dokumentów</td>
    <td>LEX Baza Dokumentów is vulnerable to DOM-based XSS in the "em" cookie parameter. The application unsafely processes the parameter on the client side, allowing an attacker to execute arbitrary JavaScript in the context of the victim's browser. An attacker with the ability to set a cookie can perform a more severe attack, so we evaluate the impact and risk of exploitation as minimal. However, the vendor considered this a vulnerability and released a security patch. This issue was fixed in version 1.3.4.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-1493" target="_blank" rel="noopener">CVE-2026-1493</a></td>
    <td><a href="https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow" target="_blank" rel="noopener">https://www.wolterskluwer.com/pl-pl/solutions/lex-baza-dokumentow</a><br><a href="https://cert.pl/posts/2026/04/CVE-2025-1493" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2025-1493</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Samsung Mobile--Samsung Mobile Devices</td>
    <td>Insufficient verification of data authenticity in PackageManagerService prior to SMR Mar-2026 Release 1 allows local attackers to modify the installation restriction of a specific application.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-21023" target="_blank" rel="noopener">CVE-2026-21023</a></td>
    <td><a href="https://security.samsungmobile.com/securityUpdate.smsb?year=2026&amp;month=03" target="_blank" rel="noopener">https://security.samsungmobile.com/securityUpdate.smsb?year=2026&amp;month=03</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">OPPO--OPPO Wallet APP</td>
    <td>OPPO Wallet APP contains a trusted domain validation flaw that allows attackers to bypass protected interface access restrictions, which may lead to account token hijacking and sensitive information disclosure.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22077" target="_blank" rel="noopener">CVE-2026-22077</a></td>
    <td><a href="https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016" target="_blank" rel="noopener">https://security.oppo.com/en/noticeDetail?notice_only_key=NOTICE-2048652556296790016</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Imagination Technologies--Graphics DDK</td>
    <td>A web page that contains unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable further exploits on the device.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22165" target="_blank" rel="noopener">CVE-2026-22165</a></td>
    <td><a href="https://www.imaginationtech.com/gpu-driver-vulnerabilities/" target="_blank" rel="noopener">https://www.imaginationtech.com/gpu-driver-vulnerabilities/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Imagination Technologies--Graphics DDK</td>
    <td>A web page that contains unusual WebGPU content, loaded into the GPU GLES render process, can trigger a write UAF crash in the GPU GLES user-space shared library. On certain platforms, when the process executing the graphics workload has system privileges, this could enable a subsequent exploit on the system.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22166" target="_blank" rel="noopener">CVE-2026-22166</a></td>
    <td><a href="https://www.imaginationtech.com/gpu-driver-vulnerabilities/" target="_blank" rel="noopener">https://www.imaginationtech.com/gpu-driver-vulnerabilities/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Imagination Technologies--Graphics DDK</td>
    <td>Software installed and run as a non-privileged user may conduct improper GPU system calls to force the GPU to write to arbitrary physical memory pages. Under certain circumstances this exploit could be used to corrupt not only data pages allocated by the GPU driver but also memory pages in use by the kernel and drivers running on the platform, altering their behaviour. This attack can lead the GPU to perform write operations on restricted internal GPU buffers, which can lead to a second-order effect of corrupted arbitrary physical memory.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-22167" target="_blank" rel="noopener">CVE-2026-22167</a></td>
    <td><a href="https://www.imaginationtech.com/gpu-driver-vulnerabilities/" target="_blank" rel="noopener">https://www.imaginationtech.com/gpu-driver-vulnerabilities/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Acronis--Acronis DeviceLock DLP</td>
    <td>Local privilege escalation due to DLL hijacking vulnerability. The following products are affected: Acronis DeviceLock DLP (Windows) before build 9.0.93212.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-25852" target="_blank" rel="noopener">CVE-2026-25852</a></td>
    <td><a href="https://security-advisory.acronis.com/advisories/SEC-7217" target="_blank" rel="noopener">SEC-7217</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">arc53--DocsGPT</td>
    <td>DocsGPT is a GPT-powered chat for documentation. From version 0.15.0 to before version 0.16.0, an attacker accessing either the official DocsGPT website or any local or public deployment can craft a malicious payload bypassing the "MCP test" behavior to achieve arbitrary remote code execution (RCE). This issue has been patched in version 0.16.0.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-26015" target="_blank" rel="noopener">CVE-2026-26015</a></td>
    <td><a href="https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74" target="_blank" rel="noopener">https://github.com/arc53/DocsGPT/security/advisories/GHSA-gcrq-f296-2j74</a><br><a href="https://github.com/arc53/DocsGPT/releases/tag/0.16.0" target="_blank" rel="noopener">https://github.com/arc53/DocsGPT/releases/tag/0.16.0</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">aver[.]com-- web mgt interface v0.1.0000.65</td>
    <td>A Command Injection vulnerability in the web management interface in Aver PTC320UV2 0.1.0000.65 allows an unauthenticated attacker to execute arbitrary commands via a crafted web request.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-26461" target="_blank" rel="noopener">CVE-2026-26461</a></td>
    <td><a href="https://www.aver.com/Downloads/search?q=PTC320UV2" target="_blank" rel="noopener">https://www.aver.com/Downloads/search?q=PTC320UV2</a><br><a href="https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md" target="_blank" rel="noopener">https://github.com/spaceraccoon/disclosures/blob/main/2026/CVE-2026-26461.md</a><br>&nbsp;</td>

    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel</td>
    <td>The ConsulRegistry in the camel-consul component (class org.apache.camel.component.consul.ConsulRegistry and its inner ConsulRegistryUtils.deserialize method) read Java-serialized values from the Consul KV store and passed them to ObjectInputStream.readObject() without configuring an ObjectInputFilter. An attacker who can write to the Consul KV store backing a Camel ConsulRegistry instance could inject a malicious serialized Java object that is deserialized the next time Camel performs a lookup against that registry, leading to arbitrary code execution in the Camel process. The issue mirrors the class of vulnerability already addressed for other Camel components in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747, and was overlooked during the original remediation of those CVEs. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.1.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-27172" target="_blank" rel="noopener">CVE-2026-27172</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-27172.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-27172.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Netskope--Client</td>
    <td>Netskope was notified about a potential gap in the Endpoint DLP Module for Netskope Client on Windows systems. The successful exploitation of the gap can potentially allow an unprivileged user to trigger an out-of-bounds read within a driver, leading to a Blue-Screen-of-Death (BSOD). Successful exploitation would require the Endpoint DLP module to be enabled in the client configuration. A successful exploit can potentially result in a denial-of-service for the local machine.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-2810" target="_blank" rel="noopener">CVE-2026-2810</a></td>
    <td><a href="https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002" target="_blank" rel="noopener">https://www.netskope.com/resources/netskope-resources/netskope-security-advisory-nskpsa-2026-002</a><br><a href="https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory" target="_blank" rel="noopener">https://support.netskope.com/s/article/Netskope-Security-Advisory-NSKPSA-2026-002-Netskope-Endpoint-DLP-Driver-Security-Advisory</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">elixir-plug--plug_cowboy</td>
    <td>Allocation of Resources Without Limits or Throttling vulnerability in elixir-plug plug_cowboy allows unauthenticated remote denial of service via atom table exhaustion. Plug.Cowboy.Conn.conn/1 in lib/plug/cowboy/conn.ex calls String.to_atom/1 on the value returned by :cowboy_req.scheme/1. For HTTP/2 connections, cowlib passes the client-supplied :scheme pseudo-header value through verbatim without validation. Each unique value permanently allocates a new entry in the BEAM atom table. Since atoms are never garbage-collected and the atom table has a fixed limit (default 1,048,576), an unauthenticated attacker can exhaust the table by sending HTTP/2 requests with unique :scheme values, causing the Erlang VM to abort with system_limit and taking down the entire node. This vulnerability does not affect HTTP/1.1, where cowboy derives the scheme from the listener type rather than from a client-supplied header. This issue affects plug_cowboy: from 2.0.0 before 2.8.1.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-32688" target="_blank" rel="noopener">CVE-2026-32688</a></td>
    <td><a href="https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2" target="_blank" rel="noopener">https://github.com/elixir-plug/plug_cowboy/security/advisories/GHSA-q8x4-x7mp-5vg2</a><br><a href="https://cna.erlef.org/cves/CVE-2026-32688.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-32688.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-32688" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-32688</a><br><a href="https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b" target="_blank" rel="noopener">https://github.com/elixir-plug/plug_cowboy/commit/bfb34cb45eb354e56437f7023fb306de1bf9c19b</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">CRM Sistemas de Fidelización--MegaCMS</td>
    <td>SQL injection (SQLi) in MegaCMS v12.0.0, specifically in the "id_territorio" parameter of the "/web_comunications/cms/get_provincias" endpoint. The vulnerability arises from inadequate validation and sanitisation of user input. Specifically, via a POST request, the "id_territorio" parameter, used immediately after the registration form is submitted, could be manipulated by an unauthenticated attacker to execute arbitrary SQL queries.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3325" target="_blank" rel="noopener">CVE-2026-3325</a></td>
    <td><a href="https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion" target="_blank" rel="noopener">https://www.incibe.es/en/incibe-cert/notices/aviso/sql-injection-megacms-crm-sistemas-de-fidelizacion</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer</td>
    <td>An OS command injection issue exists in LogonTracer prior to v2.0.0. An arbitrary OS command may be executed by a logged-in user.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33277" target="_blank" rel="noopener">CVE-2026-33277</a></td>
    <td><a href="https://www.jpcert.or.jp/press/2026/PR20260423.html" target="_blank" rel="noopener">https://www.jpcert.or.jp/press/2026/PR20260423.html</a><br><a href="https://jvn.jp/en/jp/JVN57877356/" target="_blank" rel="noopener">https://jvn.jp/en/jp/JVN57877356/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33446 is a buffer overflow in the authentication sub-system of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory, conceivably leading to memory corruption or a denial of service.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33446" target="_blank" rel="noopener">CVE-2026-33446</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33446</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33447 is a buffer overflow in a message parsing function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a special packet that can overwrite a small portion of memory, conceivably leading to memory corruption or denial of service.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33447" target="_blank" rel="noopener">CVE-2026-33447</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33447</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33448 is a format string vulnerability in the logging subsystem of the Secure Access client for MacOS prior to 14.50. Attackers with control of a modified server can force the client to dump the contents of a small portion of memory to the log files, potentially revealing secrets.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33448" target="_blank" rel="noopener">CVE-2026-33448</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33448</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33449 is a buffer overflow in a message handling function of the Secure Access client prior to 14.50. Attackers with control of a modified server can send a cryptographically valid message to the client, overwriting a small portion of memory and conceivably leading to a denial of service.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33449" target="_blank" rel="noopener">CVE-2026-33449</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33449</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33450 is an out of bounds read vulnerability in the Secure Access MacOS client prior to 14.50. Attackers with control of a modified server can send a malformed packet to the client, causing a denial of service.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33450" target="_blank" rel="noopener">CVE-2026-33450</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33450</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33451 is an arbitrary read/write vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can send malformed data to an API and elevate their level of privilege to system.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33451" target="_blank" rel="noopener">CVE-2026-33451</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33451</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Absolute Software--Secure Access</td>
    <td>CVE-2026-33452 is a buffer overflow vulnerability in the Secure Access Windows client prior to 14.50. Attackers with local control of the Windows client can use it to 'blue screen' the system.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33452" target="_blank" rel="noopener">CVE-2026-33452</a></td>
    <td><a href="https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452" target="_blank" rel="noopener">https://www.absolute.com/platform/security-information/vulnerability-archive/cve-2026-33452</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel</td>
    <td>Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec). The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy. Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration. Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33453" target="_blank" rel="noopener">CVE-2026-33453</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-33453.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-33453.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel</td>
    <td>The Camel-Mail component is vulnerable to Camel message header injection. The custom header filter strategy used by the component (MailHeaderFilterStrategy) only filters the 'out' direction via setOutFilterStartsWith, while it does not configure the 'in' direction via setInFilterStartsWith. As a result, when a Camel application consumes mail through camel-mail (for example via from("imap://...") or from("pop3://...")) the inbound filter check is skipped and Camel-prefixed MIME headers are mapped unfiltered into the Exchange. An attacker who can deliver an email to a mailbox monitored by such a consumer can inject Camel-specific headers that, for some Camel components downstream of the mail consumer (such as camel-bean, camel-exec, or camel-sql), can alter the behaviour of the route. This is the same pattern that was previously addressed in camel-undertow (CVE-2025-30177) and the broader incoming-header filter (CVE-2025-27636 and CVE-2025-29891). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.1. Users are recommended to upgrade to version 4.19.0, which fixes the issue. If users are on the 4.18.x LTS releases stream, then they are suggested to upgrade to 4.18.1. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33454" target="_blank" rel="noopener">CVE-2026-33454</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-33454.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-33454.html</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Japan Computer Emergency Response Team Coordination Center (JPCERT/CC)--LogonTracer</td>
    <td>There is a Cypher injection issue in LogonTracer prior to v2.0.0. If specially crafted Windows event log data is loaded, the contents of the database may be altered.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-33566" target="_blank" rel="noopener">CVE-2026-33566</a></td>
    <td><a href="https://www.jpcert.or.jp/press/2026/PR20260423.html" target="_blank" rel="noopener">https://www.jpcert.or.jp/press/2026/PR20260423.html</a><br><a href="https://jvn.jp/en/jp/JVN57877356/" target="_blank" rel="noopener">https://jvn.jp/en/jp/JVN57877356/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">traefik--traefik</td>
    <td>Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is an authentication bypass vulnerability in Traefik's ForwardAuth middleware when trustForwardHeader=false is configured and Traefik is deployed behind a trusted upstream proxy. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35051" target="_blank" rel="noopener">CVE-2026-35051</a></td>
    <td><a href="https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54" target="_blank" rel="noopener">https://github.com/traefik/traefik/security/advisories/GHSA-6384-m2mw-rf54</a><br><a href="https://github.com/traefik/traefik/releases/tag/v2.11.43" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v2.11.43</a><br><a href="https://github.com/traefik/traefik/releases/tag/v3.6.14" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v3.6.14</a><br><a href="https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">FreeBSD--FreeBSD</td>
    <td>When processing the header of an incoming message, libnv failed to properly validate the message size. The lack of validation allows a malicious program to write outside the bounds of a heap allocation. This can trigger a crash or system panic, and it may be possible for an unprivileged user to exploit the bug to elevate their privileges.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35547" target="_blank" rel="noopener">CVE-2026-35547</a></td>
    <td><a href="https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc" target="_blank" rel="noopener">https://security.freebsd.org/advisories/FreeBSD-SA-26:17.libnv.asc</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">merkurysmart[.]com-- MIPC252W v1.0.5</td>
    <td>A handling issue in the RTSP service of the Mercury MIPC252W 1.0.5 Build 230306 Rel.79931n allows an authenticated attacker to trigger session termination by repeatedly sending SETUP requests for the same media track within a single RTSP session. This causes the server to reset the RTSP connection, leading to a denial-of-service condition.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35901" target="_blank" rel="noopener">CVE-2026-35901</a></td>
    <td><a href="https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md" target="_blank" rel="noopener">https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_2th/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">merkurysmart[.]com-- MIPC252W v1.0.5</td>
    <td>The RTSP service of MERCURY IP camera MIPC252W 1.0.5 Build 230306 has an issue handling failed Digest authentication attempts. By repeatedly sending RTSP requests with invalid authentication parameters, an unauthenticated attacker can cause the RTSP service to enter a persistent authentication failure state, preventing legitimate clients from authenticating and leading to a denial of service.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35902" target="_blank" rel="noopener">CVE-2026-35902</a></td>
    <td><a href="https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md" target="_blank" rel="noopener">https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_3th/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">merkurysmart[.]com-- MIPC252W v1.0.5</td>
    <td>MERCURY MIPC252W IP camera 1.0.5 Build 230306 Rel.79931n contains an improper authentication vulnerability in the RTSP service. After successful Digest authentication in an initial DESCRIBE request, the device does not verify the Digest response parameter in subsequent RTSP requests within the same session. As a result, RTSP methods such as SETUP, PLAY, and TEARDOWN can be processed even when the Authorization header contains an empty or invalid response value, as long as the nonce and session identifier correspond to a previously authenticated session. This allows an attacker with network access to reuse session parameters and issue unauthorized RTSP control commands without computing a valid Digest response.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-35903" target="_blank" rel="noopener">CVE-2026-35903</a></td>
    <td><a href="https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md" target="_blank" rel="noopener">https://github.com/izxnfirh8148/CVE_REQUESTS_references/blob/main/MERCURY_MIPC252W/MERCURY_MIPC252W_4th/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Krayin CRM v.2.1.5</td>
    <td>An issue in Krayin CRM v.2.1.5, fixed in v.2.1.6, allows a remote attacker to execute arbitrary code via the compose email function.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36340" target="_blank" rel="noopener">CVE-2026-36340</a></td>
    <td><a href="https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view" target="_blank" rel="noopener">https://drive.google.com/file/d/1yBdvbrXGf9fsFckmK9zTe2v8_vDtdicH/view</a><br><a href="https://github.com/krayin/laravel-crm/releases/tag/v2.1.6" target="_blank" rel="noopener">https://github.com/krayin/laravel-crm/releases/tag/v2.1.6</a><br><a href="https://github.com/cybercrewinc/CVE-2026-36340" target="_blank" rel="noopener">https://github.com/cybercrewinc/CVE-2026-36340</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--halo v2.22.14</td>
    <td>A Server-Side Request Forgery (SSRF) in the /plugins/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36756" target="_blank" rel="noopener">CVE-2026-36756</a></td>
    <td><a href="https://github.com/halo-dev/halo" target="_blank" rel="noopener">https://github.com/halo-dev/halo</a><br><a href="https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md" target="_blank" rel="noopener">https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf2/readme.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--halo v2.22.14</td>
    <td>A Server-Side Request Forgery (SSRF) in the /plugins/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36757" target="_blank" rel="noopener">CVE-2026-36757</a></td>
    <td><a href="https://github.com/halo-dev/halo" target="_blank" rel="noopener">https://github.com/halo-dev/halo</a><br><a href="https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md" target="_blank" rel="noopener">https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf1/readme.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--halo v2.22.14</td>
    <td>A Server-Side Request Forgery (SSRF) in the /themes/-/install-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36758" target="_blank" rel="noopener">CVE-2026-36758</a></td>
    <td><a href="https://github.com/halo-dev/halo" target="_blank" rel="noopener">https://github.com/halo-dev/halo</a><br><a href="https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md" target="_blank" rel="noopener">https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf3/readme.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--halo v2.22.14</td>
    <td>A Server-Side Request Forgery (SSRF) in the /themes/{name}/upgrade-from-uri endpoint of halo v2.22.14 allows authenticated attackers to scan internal resources via a crafted GET request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36759" target="_blank" rel="noopener">CVE-2026-36759</a></td>
    <td><a href="https://github.com/halo-dev/halo" target="_blank" rel="noopener">https://github.com/halo-dev/halo</a><br><a href="https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md" target="_blank" rel="noopener">https://github.com/Arron-bit/Vul_report/blob/main/halo/ssrf4/readme.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeeSite v5.15.1</td>
    <td>An issue in the fileMd5 parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations while chunked upload is enabled.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36760" target="_blank" rel="noopener">CVE-2026-36760</a></td>
    <td><a href="https://github.com/thinkgem/jeesite" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite</a><br><a href="https://github.com/thinkgem/jeesite/issues/530" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite/issues/530</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeeSite v5.15.1</td>
    <td>A stored cross-site scripting (XSS) vulnerability in the /msg/msgInner/save endpoint of JeeSite v5.15.1 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the msgContent parameter.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36761" target="_blank" rel="noopener">CVE-2026-36761</a></td>
    <td><a href="https://github.com/thinkgem/jeesite" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite</a><br><a href="https://github.com/thinkgem/jeesite/issues/528" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite/issues/528</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--JeeSite v5.15.1</td>
    <td>An issue in the fileEntityId parameter in the /a/file/upload endpoint of JeeSite v5.15.1 allows authenticated attackers with file upload permissions to execute a path traversal and write arbitrary files with whitelisted suffixes to arbitrary filesystem locations.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36762" target="_blank" rel="noopener">CVE-2026-36762</a></td>
    <td><a href="https://github.com/thinkgem/jeesite" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite</a><br><a href="https://github.com/thinkgem/jeesite/issues/529" target="_blank" rel="noopener">https://github.com/thinkgem/jeesite/issues/529</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--SpringBlade v4.8.0</td>
    <td>A stored cross-site scripting (XSS) vulnerability in the /api/blade-desk/notice/submit endpoint of SpringBlade v4.8.0 allows attackers to execute arbitrary web scripts or HTML via injecting a crafted input into the content parameter.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36763" target="_blank" rel="noopener">CVE-2026-36763</a></td>
    <td><a href="https://github.com/chillzhuang/SpringBlade" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade</a><br><a href="https://github.com/chillzhuang/SpringBlade/issues/38" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade/issues/38</a><br><a href="https://github.com/shopizer-ecommerce/shopizer/issues/1091" target="_blank" rel="noopener">https://github.com/shopizer-ecommerce/shopizer/issues/1091</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--SpringBlade v4.8.0</td>
    <td>A Server-Side Request Forgery (SSRF) in the /ureport/datasource/testConnection endpoint of SpringBlade v4.8.0 allows authenticated attackers to scan internal resources via a crafted GET request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36764" target="_blank" rel="noopener">CVE-2026-36764</a></td>
    <td><a href="https://github.com/chillzhuang/SpringBlade" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade</a><br><a href="https://github.com/chillzhuang/SpringBlade/issues/36" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade/issues/36</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--SpringBlade v4.8.0</td>
    <td>An XML external entity (XXE) vulnerability in the /designer/loadReport endpoint of SpringBlade v4.8.0 allows authenticated attackers to execute arbitrary code via injecting a crafted payload.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36765" target="_blank" rel="noopener">CVE-2026-36765</a></td>
    <td><a href="https://github.com/chillzhuang/SpringBlade" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade</a><br><a href="https://github.com/chillzhuang/SpringBlade/issues/37" target="_blank" rel="noopener">https://github.com/chillzhuang/SpringBlade/issues/37</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--shopizer v3.2.5</td>
    <td>Multiple authenticated cross-site scripting (XSS) vulnerabilities in the XssHttpServletRequestWrapper class of shopizer v3.2.5 allow attackers to execute arbitrary web scripts or HTML via injecting a crafted payload into the getInputStream() or getReader() functions.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36766" target="_blank" rel="noopener">CVE-2026-36766</a></td>
    <td><a href="https://github.com/shopizer-ecommerce/shopizer" target="_blank" rel="noopener">https://github.com/shopizer-ecommerce/shopizer</a><br><a href="https://github.com/shopizer-ecommerce/shopizer/issues/1093" target="_blank" rel="noopener">https://github.com/shopizer-ecommerce/shopizer/issues/1093</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--shopizer v3.2.5</td>
    <td>A path traversal vulnerability in the /content/images/add endpoint of shopizer v3.2.5 allows attackers to write arbitrary files to any writeable path via a crafted POST request.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36767" target="_blank" rel="noopener">CVE-2026-36767</a></td>
    <td><a href="https://github.com/shopizer-ecommerce/shopizer" target="_blank" rel="noopener">https://github.com/shopizer-ecommerce/shopizer</a><br><a href="https://github.com/shopizer-ecommerce/shopizer/issues/1091" target="_blank" rel="noopener">https://github.com/shopizer-ecommerce/shopizer/issues/1091</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Totolink[.]net -- TOTOLINK A3002RU v3</td>
    <td>TOTOLINK A3002RU V3 &lt;= V3.0.0-B20220304.1804 was discovered to contain a stack-based buffer overflow via the hostname parameter in the formMapDelDevice function.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36837" target="_blank" rel="noopener">CVE-2026-36837</a></td>
    <td><a href="https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow" target="_blank" rel="noopener">https://github.com/0xmania/cve/tree/main/TOTOLINK-A3002RUV3.0-boa-formMapDelDevice-StackOverflow</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Totolink[.]net -- TOTOLINK N200RE v5</td>
    <td>TOTOLINK N200RE V5 was discovered to contain a command injection vulnerability via the macstr and bandstr parameters in the formMapDelDevice function.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36841" target="_blank" rel="noopener">CVE-2026-36841</a></td>
    <td><a href="https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection" target="_blank" rel="noopener">https://github.com/0xmania/cve/tree/main/TOTOLINK-N200RE_V5-cstecgi-formMapDelDevice-CommandInjection</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dbitnet[.]com -- Dbit N300 router v.1.0</td>
    <td>A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the Dbit N300 T1 Pro wireless router V1.0.0. The router fails to implement proper CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints such as /api/setWlan. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36956" target="_blank" rel="noopener">CVE-2026-36956</a></td>
    <td><a href="http://dbit.com" target="_blank" rel="noopener">http://dbit.com</a><br><a href="https://github.com/kirubel-cve/CVE-2026-36956" target="_blank" rel="noopener">https://github.com/kirubel-cve/CVE-2026-36956</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dbitnet[.]com -- Dbit N300 router v.1.0</td>
    <td>Dbit N300 T1 Pro Easy Setup Wireless Wi-Fi Router V1.0.0 is vulnerable to Denial of Service via the boa web server URI handler. By initiating a high-volume flood of HTTP GET requests to non-existent URIs, an attacker can exhaust critical system resources, including file descriptors and memory buffers. This results in a kernel deadlock or system hang that disables the web management portal and all routing capabilities.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36957" target="_blank" rel="noopener">CVE-2026-36957</a></td>
    <td><a href="http://dbit.com" target="_blank" rel="noopener">http://dbit.com</a><br><a href="https://github.com/kirubel-cve/CVE-2026-36957" target="_blank" rel="noopener">https://github.com/kirubel-cve/CVE-2026-36957</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dbitnet[.]com -- Dbit N300 router v.1.0</td>
    <td>A denial-of-service vulnerability exists in the U-SPEED N300 V1.0.0 wireless router. By sending a large number of concurrent HTTP requests to random or non-existent endpoints on the web management interface, an attacker can exhaust system resources in the embedded Boa HTTP server. This causes the router web interface to become unresponsive and may require a manual reboot to restore normal operation.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36958" target="_blank" rel="noopener">CVE-2026-36958</a></td>
    <td><a href="http://u-speed.com" target="_blank" rel="noopener">http://u-speed.com</a><br><a href="https://github.com/kirubel-cve/CVE-2026-36958" target="_blank" rel="noopener">https://github.com/kirubel-cve/CVE-2026-36958</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dbitnet[.]com -- Dbit N300 router v.1.0</td>
    <td>U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthorized access to the router management interface.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36959" target="_blank" rel="noopener">CVE-2026-36959</a></td>
    <td><a href="http://u-speed.com" target="_blank" rel="noopener">http://u-speed.com</a><br><a href="https://github.com/kirubel-cve/CVE-2026-36959" target="_blank" rel="noopener">https://github.com/kirubel-cve/CVE-2026-36959</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Dbitnet[.]com -- Dbit N300 router v.1.0</td>
    <td>A Cross-Site Request Forgery (CSRF) vulnerability exists in the web management interface of the U-SPEED N300 Router V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft a malicious webpage that sends forged HTTP requests to configuration endpoints. If an authenticated administrator visits the malicious webpage, the victim's browser automatically includes the valid session cookie in the request, allowing the router to process the request as a legitimate administrative action.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-36960" target="_blank" rel="noopener">CVE-2026-36960</a></td>
    <td><a href="http://u-speed.com" target="_blank" rel="noopener">http://u-speed.com</a><br><a href="https://github.com/kirubel-cve/CVE-2026-36960" target="_blank" rel="noopener">https://github.com/kirubel-cve/CVE-2026-36960</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--FlowSpec operator array</td>
    <td>An off-by-one out-of-bounds write vulnerability in the bgp_flowspec_op_decode() function (bgpd/bgp_flowspec_util.c) of FRRouting (FRR) stable/10.0 allows attackers to cause a Denial of Service (DoS) via supplying a crafted FlowSpec component.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37457" target="_blank" rel="noopener">CVE-2026-37457</a></td>
    <td><a href="https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c" target="_blank" rel="noopener">https://github.com/FRRouting/frr/commit/0e6882bc72c0278988a47b2f0f73b7a91099a25c</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Automotive Grade Linux (AGL)</td>
    <td>AGL agl-service-can-low-level thru 17.1.12 contains a stack buffer overflow in the uds-c library. The send_diagnostic_request function in uds.c allocates a 6-byte stack buffer (MAX_DIAGNOSTIC_PAYLOAD_SIZE=6) but copies up to 7 bytes (MAX_UDS_REQUEST_PAYLOAD_LENGTH=7) via memcpy at an offset of 1+pid_length (2-3 bytes), resulting in 1-4 bytes of controlled stack overflow. The payload_length field (uint8_t) has no bounds check against the destination buffer. On 32-bit ARM automotive ECUs without stack canaries, this can lead to return address overwrite and RCE.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37530" target="_blank" rel="noopener">CVE-2026-37530</a></td>
    <td><a href="https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level" target="_blank" rel="noopener">https://gerrit.automotivelinux.org/gerrit/apps/agl-service-can-low-level</a><br><a href="https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643" target="_blank" rel="noopener">https://gist.github.com/sgInnora/8526eedcfd826d05ef1fc45d8f405643</a><br>&nbsp;</td>
    </tr>
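<p>The overrun the AGL entry above describes, modelled as an added example for this bulletin (not code from agl-service-can-low-level or uds-c): the two constants keep the entry's names and values; the request layout (mode byte, PID bytes, then payload), the struct and the function names are assumptions. The vulnerable path computes how far the memcpy would run past the 6-byte buffer instead of performing it, and the hardened encoder shows the destination-size check the entry says is missing.</p>

```c
/* Added example, not uds-c code. Models the copy in the CVE-2026-37530 entry. */
#include <stddef.h>
#include <stdint.h>
#include <string.h>

#define MAX_DIAGNOSTIC_PAYLOAD_SIZE    6  /* destination stack buffer (from the entry) */
#define MAX_UDS_REQUEST_PAYLOAD_LENGTH 7  /* cap on bytes memcpy copies (from the entry) */

/* Hypothetical request shape: only the fields the copy depends on. */
typedef struct {
    uint8_t mode;
    uint8_t pid_length;      /* 0, 1 or 2 */
    uint8_t payload_length;  /* attacker-influenced uint8_t, never checked */
    uint8_t pid[2];
    uint8_t payload[MAX_UDS_REQUEST_PAYLOAD_LENGTH];
} diag_request_t;

/* Bytes that land past the end of a 'buf_size' buffer when 'copy_len' bytes
 * are written at 'offset'; 0 means the copy fits. */
size_t overflow_bytes(size_t offset, size_t copy_len, size_t buf_size)
{
    size_t end = offset + copy_len;
    return end > buf_size ? end - buf_size : 0;
}

/* Vulnerable arithmetic: the copy starts at 1 + pid_length and is bounded
 * only by the 7-byte source cap, never by the 6-byte destination. Returns
 * the overrun that would happen rather than corrupting this process's stack. */
size_t vulnerable_overrun(uint8_t pid_length, uint8_t payload_length)
{
    size_t offset = 1 + (size_t)pid_length;
    size_t copy_len = payload_length;
    if (copy_len > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        copy_len = MAX_UDS_REQUEST_PAYLOAD_LENGTH;
    return overflow_bytes(offset, copy_len, MAX_DIAGNOSTIC_PAYLOAD_SIZE);
}

/* Hardened encoder: every write is checked against the real destination size
 * before it happens. Returns bytes written, or -1 if the request cannot fit. */
int encode_diag_request(const diag_request_t *req, uint8_t *dst, size_t dst_size)
{
    size_t offset = 1 + (size_t)req->pid_length;
    size_t copy_len = req->payload_length;
    if (req->pid_length > sizeof req->pid || copy_len > MAX_UDS_REQUEST_PAYLOAD_LENGTH)
        return -1;
    if (offset > dst_size || copy_len > dst_size - offset)  /* subtraction cannot wrap */
        return -1;
    dst[0] = req->mode;
    memcpy(dst + 1, req->pid, req->pid_length);
    memcpy(dst + offset, req->payload, copy_len);
    return (int)(offset + copy_len);
}

/* Convenience wrapper: encode a constructed request into a buffer of dst_size
 * bytes (at most 64 here) and report the encoder's result. */
int encode_into(size_t dst_size, uint8_t pid_length, uint8_t payload_length)
{
    uint8_t dst[64];
    diag_request_t req = { 0x22, pid_length, payload_length, { 0x01, 0x02 },
                           { 1, 2, 3, 4, 5, 6, 7 } };
    if (dst_size > sizeof dst)
        return -1;
    return encode_diag_request(&req, dst, dst_size);
}
```

<p>With a 2-byte PID and a 7-byte payload the modelled copy ends at byte 10 of a 6-byte buffer, the 4-byte worst case in the entry; a 1-byte PID with a 5-byte payload gives the 1-byte best case. The hardened encoder refuses both and only accepts what fits the buffer it is actually given.</p>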

    <tr>
    <td class="vendor-product">n/a--Automotive Open SAE J1939 protocol CAN-Bus)</td>
    <td>Integer underflow vulnerability in Open-SAE-J1939 thru commit b6caf884df46435e539b1ecbf92b6c29b345bdfe (2025-11-30) in SAE_J1939_Read_Transport_Protocol_Data_Transfer allows attackers to write to arbitrary memory via a crafted sequence number from the CAN frame.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37534" target="_blank" rel="noopener">CVE-2026-37534</a></td>
    <td><a href="https://github.com/DanielMartensson/Open-SAE-J1939" target="_blank" rel="noopener">https://github.com/DanielMartensson/Open-SAE-J1939</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--socketcand 0.4.2</td>
    <td>Buffer overflow vulnerability in socketcand 0.4.2 in file socketcand.c in function main allows attackers to cause a denial of service or other unspecified impacts via a crafted bus_name.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37538" target="_blank" rel="noopener">CVE-2026-37538</a></td>
    <td><a href="https://github.com/dschanoeh/socketcand" target="_blank" rel="noopener">https://github.com/dschanoeh/socketcand</a><br><a href="https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381" target="_blank" rel="noopener">https://gist.github.com/sgInnora/f4ac66faeefe07a653ceeb3f58cdc381</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--libsndfile 1.2.2</td>
    <td>An issue was discovered in the libsndfile 1.2.2 IMA ADPCM codec. The AIFF code path (line 241) was fixed with a (sf_count_t) cast, but the WAV code path (line 235) and close path (line 167) were not. When samplesperblock (int) * blocks (int) exceeds INT_MAX, the 32-bit multiplication overflows before being assigned to sf.frames (sf_count_t/int64). With samplesperblock=50000 and blocks=50000, the product 2500000000 overflows to -1794967296. This causes an incorrect frame count leading to heap buffer overflow or denial of service. Both values come from the WAV file header and are attacker-controlled. This issue was discovered after an incomplete fix for CVE-2022-33065.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37555" target="_blank" rel="noopener">CVE-2026-37555</a></td>
    <td><a href="https://github.com/libsndfile/libsndfile/issues/833" target="_blank" rel="noopener">https://github.com/libsndfile/libsndfile/issues/833</a><br><a href="https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151" target="_blank" rel="noopener">https://github.com/libsndfile/libsndfile/commit/9a829113c88a51e57c1e46473e90609e4b7df151</a><br><a href="https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1" target="_blank" rel="noopener">https://gist.github.com/sgInnora/a5f5c19e4bf6f4fb74fab7b0ef2bfcc1</a><br>&nbsp;</td>
    </tr>
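<p>The arithmetic in the libsndfile entry above, as an added example written for this bulletin (not libsndfile's code): the field names follow the entry, while the header struct, the function names and the sanity ceiling in the checked version are assumptions. The vulnerable form reproduces the wrap the entry quotes; the checked form widens before multiplying, which is what a (sf_count_t) cast on one operand achieves, and then bounds the result before it can size anything.</p>

```c
/* Added example, not libsndfile code. Reproduces the CVE-2026-37555 overflow. */
#include <stdint.h>
#include <stdio.h>

/* Values read from the WAV header; both are plain int in the entry. */
typedef struct {
    int samplesperblock;
    int blocks;
} ima_adpcm_header_t;

/* Vulnerable shape: int * int is evaluated in 32 bits and only then widened.
 * Signed overflow is undefined in C, so the wrap is emulated with unsigned
 * arithmetic and a two's-complement reinterpretation (an assumption about the
 * target, true of the mainstream compilers and CPUs this runs on). */
int64_t wrapped_frames(int samplesperblock, int blocks)
{
    uint32_t product = (uint32_t)samplesperblock * (uint32_t)blocks;
    return (int64_t)(int32_t)product;  /* what sf.frames would receive */
}

/* Fixed shape: widen one operand first so the multiply happens in 64 bits,
 * then reject anything that is not a plausible frame count. */
int frames_checked(const ima_adpcm_header_t *h, int64_t *frames_out)
{
    if (h->samplesperblock <= 0 || h->blocks <= 0)
        return -1;
    int64_t frames = (int64_t)h->samplesperblock * h->blocks;
    /* Hypothetical ceiling: leaves room for later per-frame multiplications
     * (channels, bytes per sample) without overflowing int64. */
    if (frames > INT64_MAX / 64)
        return -1;
    *frames_out = frames;
    return 0;
}

/* Value-or-error wrapper around frames_checked(). */
int64_t frames_or_error(int samplesperblock, int blocks)
{
    ima_adpcm_header_t h = { samplesperblock, blocks };
    int64_t frames = 0;
    return frames_checked(&h, &frames) == 0 ? frames : -1;
}

int main(void)
{
    printf("wrapped: %lld\n", (long long)wrapped_frames(50000, 50000));
    printf("checked: %lld\n", (long long)frames_or_error(50000, 50000));
    return 0;
}
```

<p>50000 * 50000 = 2500000000 exceeds INT_MAX (2147483647), and reinterpreted as a 32-bit signed value it becomes -1794967296, the number quoted in the entry; the widened multiply keeps 2500000000. A negative or absurdly large frame count is exactly what the later heap allocation and read loop should never see, so the checked version refuses it at the header rather than trusting the arithmetic downstream.</p>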

    <tr>
    <td class="vendor-product">n/a--School Management System</td>
    <td>A reflected Cross-Site Scripting (XSS) vulnerability in School Management System by mahmoudai1 allows unauthenticated remote attackers to execute arbitrary JavaScript in victims' browsers via the unsanitized type parameter in register.php.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-37750" target="_blank" rel="noopener">CVE-2026-37750</a></td>
    <td><a href="https://github.com/mahmoudai1/school-management-system" target="_blank" rel="noopener">https://github.com/mahmoudai1/school-management-system</a><br><a href="https://github.com/mahmoudai1/school-management-system/blob/main/register.php" target="_blank" rel="noopener">https://github.com/mahmoudai1/school-management-system/blob/main/register.php</a><br><a href="https://github.com/menevarad007/CVE-2026-37750" target="_blank" rel="noopener">https://github.com/menevarad007/CVE-2026-37750</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Netmaker v1.5.0</td>
    <td>An authentication bypass vulnerability exists in Netmaker versions prior to 1.5.0. The VerifyHostToken function in logic/jwts.go fails to validate the JWT signature when verifying host tokens. An attacker can forge a JWT signed with any arbitrary key and use it to impersonate any host in the network, gaining access to sensitive information.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38651" target="_blank" rel="noopener">CVE-2026-38651</a></td>
    <td><a href="https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b" target="_blank" rel="noopener">https://github.com/gravitl/netmaker/commit/5309aa70d464ef565911369714d661a61481a79b</a><br><a href="https://www.zyenra.com/blog/netmaker-jwt-verification-bypass" target="_blank" rel="noopener">https://www.zyenra.com/blog/netmaker-jwt-verification-bypass</a><br><a href="https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass" target="_blank" rel="noopener">https://www.zyenra.com/advisories/netmaker-jwt-verification-bypass</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Moxa--EDR-8010 Series</td>
    <td>An improper ownership management vulnerability has been identified in Moxa's Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition: when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3867" target="_blank" rel="noopener">CVE-2026-3867</a></td>
    <td><a href="https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons" target="_blank" rel="noopener">https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">Moxa--EDR-8010 Series</td>
    <td>An improper handling of length parameter inconsistency vulnerability has been identified in Moxa's Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-3868" target="_blank" rel="noopener">CVE-2026-3868</a></td>
    <td><a href="https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons" target="_blank" rel="noopener">https://www.moxa.com/en/support/product-support/security-advisory/mpsa-261521-cve-2026-3867-cve-2026-3868-improper-ownership-management-and-improper-handling-of-length-parameter-incons</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--diskoverdata v.2.3.5</td>
    <td>Cross Site Request Forgery vulnerability in diskoverdata diskover-community v.2.3.5 and before allows a remote attacker to escalate privileges and obtain sensitive information via public/settings_process.php.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38934" target="_blank" rel="noopener">CVE-2026-38934</a></td>
    <td><a href="http://diskover-community.com" target="_blank" rel="noopener">http://diskover-community.com</a><br><a href="http://diskoverdata.com" target="_blank" rel="noopener">http://diskoverdata.com</a><br><a href="https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934" target="_blank" rel="noopener">https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38934</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--diskoverdata v.2.3.5</td>
    <td>A reflected cross-site scripting (XSS) vulnerability exists in diskover-community &lt;= 2.3.5 in public/view.php via the doctype parameter.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38935" target="_blank" rel="noopener">CVE-2026-38935</a></td>
    <td><a href="http://diskover-community.com" target="_blank" rel="noopener">http://diskover-community.com</a><br><a href="http://diskoverdata.com" target="_blank" rel="noopener">http://diskoverdata.com</a><br><a href="https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935" target="_blank" rel="noopener">https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38935</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--diskoverdata v.2.3.5</td>
    <td>A reflected cross-site scripting (XSS) vulnerability exists in diskover-community &lt;= 2.3.5 in public/selectindices.php via the namecontains parameter.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38936" target="_blank" rel="noopener">CVE-2026-38936</a></td>
    <td><a href="http://diskover-community.com" target="_blank" rel="noopener">http://diskover-community.com</a><br><a href="http://diskoverdata.com" target="_blank" rel="noopener">http://diskoverdata.com</a><br><a href="https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936" target="_blank" rel="noopener">https://github.com/VadlaReddySai/diskoverdata-cve-writeups/blob/main/CVE-2026-38936</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--mvc-ecommerce v.1.0</td>
    <td>Cross Site Scripting vulnerability in andrewtch88 mvc-ecommerce v.1.0 allows a remote attacker to execute arbitrary code and obtain sensitive information via the product_catalogue.php component.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38939" target="_blank" rel="noopener">CVE-2026-38939</a></td>
    <td><a href="https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8" target="_blank" rel="noopener">https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--TOKO-ONLINE-ROTI v.1.0</td>
    <td>Cross Site Scripting vulnerability in RafyMrX TOKO-ONLINE-ROTI v.1.0 allows a remote attacker to execute arbitrary code via the detail_produk.php component.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38940" target="_blank" rel="noopener">CVE-2026-38940</a></td>
    <td><a href="https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8" target="_blank" rel="noopener">https://gist.github.com/spico8/3b8b64a58069fc189ca28563dd1249e8</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--FUEL CMS v1.5.2</td>
    <td>A Cross-Site Scripting (XSS) vulnerability exists in FUEL CMS v1.5.2 and before within the asset upload functionality. The application fails to properly sanitize uploaded SVG files, allowing a low-privileged authenticated user to upload a crafted SVG file containing malicious code.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38948" target="_blank" rel="noopener">CVE-2026-38948</a></td>
    <td><a href="https://github.com/daylightstudio/FUEL-CMS" target="_blank" rel="noopener">https://github.com/daylightstudio/FUEL-CMS</a><br><a href="https://www.youtube.com/watch?v=lLCF0xbjecQ" target="_blank" rel="noopener">https://www.youtube.com/watch?v=lLCF0xbjecQ</a><br><a href="https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md" target="_blank" rel="noopener">https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38948/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--HTMLy v3.1.1</td>
    <td>A Cross-Site Scripting (XSS) vulnerability exists in HTMLy version 3.1.1 in the content creation functionality at the /add/content?type=image endpoint. The application fails to properly sanitize user input, allowing injection of arbitrary code.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38949" target="_blank" rel="noopener">CVE-2026-38949</a></td>
    <td><a href="https://github.com/danpros/htmly" target="_blank" rel="noopener">https://github.com/danpros/htmly</a><br><a href="https://youtu.be/3e-tzUMCox8" target="_blank" rel="noopener">https://youtu.be/3e-tzUMCox8</a><br><a href="https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md" target="_blank" rel="noopener">https://github.com/Chittu13/cve-research/blob/main/CVE-2026-38949/README.md</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Cockpit v2.13.5</td>
    <td>Cockpit 2.13.5 and earlier is affected by a misconfiguration within the Bucket component _isFileTypeAllowed function where a specially crafted filename bypasses an extension filter. This allows an authenticated attacker to rename arbitrary files with the .php file extension, enabling arbitrary code to be executed on the underlying server.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38991" target="_blank" rel="noopener">CVE-2026-38991</a></td>
    <td><a href="https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0" target="_blank" rel="noopener">https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0</a><br><a href="https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/" target="_blank" rel="noopener">https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Cockpit v2.13.5</td>
    <td>Cockpit v2.13.5 and earlier is vulnerable to arbitrary code execution via the filter parameter within multiple endpoints. This vulnerability allows an attacker to run system commands on the underlying infrastructure via the MongoLite $func operator.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38992" target="_blank" rel="noopener">CVE-2026-38992</a></td>
    <td><a href="https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0" target="_blank" rel="noopener">https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0</a><br><a href="https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/" target="_blank" rel="noopener">https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">n/a--Cockpit v2.13.5</td>
    <td>Cockpit 2.13.5 and earlier is vulnerable to directory traversal via the Buckets component. This vulnerability allows authenticated attackers to write files to arbitrary locations within the uploads directory or overwrite assets with malicious versions.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-38993" target="_blank" rel="noopener">CVE-2026-38993</a></td>
    <td><a href="https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0" target="_blank" rel="noopener">https://github.com/Cockpit-HQ/Cockpit/releases/tag/2.14.0</a><br><a href="https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/" target="_blank" rel="noopener">https://felsec.com/posts/cockpit-cms-2.13.5-multi-vulns/</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">FreeBSD--FreeBSD</td>
    <td>When exchanging data over a socket, libnv uses select(2) to wait for data to arrive. However, it does not verify whether the provided socket descriptor fits in select(2)'s file descriptor set size limit of FD_SETSIZE (1024). An attacker who is able to force a libnv application to allocate large file descriptors, e.g., by opening many descriptors and executing a program which is not careful to close them upon startup, can trigger stack corruption. If the target application is setuid-root, then this could be used to elevate local privileges.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-39457" target="_blank" rel="noopener">CVE-2026-39457</a></td>
    <td><a href="https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc" target="_blank" rel="noopener">https://security.freebsd.org/advisories/FreeBSD-SA-26:16.libnv.asc</a><br>&nbsp;</td>
    </tr>
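<p>As an added example for the libnv entry above (written for this bulletin, not FreeBSD's code): the FD_SETSIZE check the entry says is missing before a descriptor goes into an fd_set, a poll(2)-based wait that has no such limit, and a demonstration that moves a pipe's read end above FD_SETSIZE with dup2(2) and waits on it both ways. Function names are assumptions; the demonstration raises RLIMIT_NOFILE when the environment allows and reports failure rather than guessing when it does not.</p>

```c
/* Added example, not libnv code. Illustrates the CVE-2026-39457 condition. */
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <sys/resource.h>
#include <sys/select.h>
#include <sys/time.h>
#include <unistd.h>

/* 1 if fd can be placed in an fd_set without writing past the end of the set.
 * FD_SET itself performs no such check; that is the whole problem. */
int fd_fits_select(int fd)
{
    return fd >= 0 && fd < FD_SETSIZE;
}

/* select(2) wait guarded by the missing check. Returns 1 when readable,
 * 0 on timeout, -1 with errno set (EINVAL for an oversized descriptor). */
int wait_readable_select(int fd, int timeout_ms)
{
    if (!fd_fits_select(fd)) {
        errno = EINVAL;  /* refuse rather than corrupt the stack */
        return -1;
    }
    fd_set rfds;
    FD_ZERO(&rfds);
    FD_SET(fd, &rfds);
    struct timeval tv = { timeout_ms / 1000, (timeout_ms % 1000) * 1000 };
    int rc = select(fd + 1, &rfds, NULL, NULL, &tv);
    if (rc < 0)
        return -1;
    return (rc > 0 && FD_ISSET(fd, &rfds)) ? 1 : 0;
}

/* poll(2) takes a caller-sized array, so any descriptor number is fine. */
int wait_readable_poll(int fd, int timeout_ms)
{
    struct pollfd p = { fd, POLLIN, 0 };
    int rc = poll(&p, 1, timeout_ms);
    if (rc < 0)
        return -1;
    return (rc > 0 && (p.revents & (POLLIN | POLLHUP))) ? 1 : 0;
}

/* Create a pipe, move its read end to target_fd when that is larger than the
 * descriptors pipe() returned, write one byte, then wait on it with both
 * functions. Returns select_result * 10 + poll_result, or -100 when the
 * environment will not hand out a descriptor that large. */
int demo_pipe_at(int target_fd)
{
    struct rlimit rl;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur <= (rlim_t)target_fd) {
        rl.rlim_cur = (rlim_t)target_fd + 1;
        if (rl.rlim_cur > rl.rlim_max)
            rl.rlim_cur = rl.rlim_max;
        (void)setrlimit(RLIMIT_NOFILE, &rl);  /* best effort */
    }
    int fds[2];
    if (pipe(fds) != 0)
        return -100;
    int rfd = fds[0];
    if (target_fd > fds[1]) {
        rfd = dup2(fds[0], target_fd);
        close(fds[0]);
        if (rfd < 0) { close(fds[1]); return -100; }
    }
    if (write(fds[1], "x", 1) != 1) { close(rfd); close(fds[1]); return -100; }
    int sel = wait_readable_select(rfd, 100);
    int pol = wait_readable_poll(rfd, 100);
    close(rfd);
    close(fds[1]);
    return sel * 10 + pol;
}

int main(void)
{
    printf("small fd: %d\n", demo_pipe_at(0));              /* 11: both see data */
    printf("fd above FD_SETSIZE: %d\n", demo_pipe_at(FD_SETSIZE + 5)); /* -9 */
    return 0;
}
```

<p>On the large descriptor the guarded select refuses with EINVAL (result -1) while poll still reports the byte (result 1), hence -9; without the guard, FD_SET would write one bit past the 1024-bit set on the stack, which is the corruption the entry describes. For a setuid program the practical fix is the poll path, since it removes the limit instead of turning it into an error.</p>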

    <tr>
    <td class="vendor-product">mtrudel--bandit</td>
    <td>Allocation of Resources Without Limits or Throttling vulnerability in mtrudel bandit allows unauthenticated remote denial of service via memory exhaustion when WebSocket permessage-deflate compression is enabled. 'Elixir.Bandit.WebSocket.PerMessageDeflate':inflate/2 in lib/bandit/websocket/permessage_deflate.ex calls :zlib.inflate/2 with no output-size cap, then materializes the entire decompressed payload as a single binary via IO.iodata_to_binary/1. The websocket_options.max_frame_size option only bounds the on-the-wire (compressed) frame size, not the decompressed output. A high-ratio compressed frame (e.g. uniform data at ~1024:1 ratio) can stay well under any wire-size limit while forcing GiB-scale heap allocations in the connection process before any application code runs. An unauthenticated attacker who can open a WebSocket connection can send a single such frame to exhaust the BEAM node's memory and trigger an OOM kill. This vulnerability requires both Bandit's server-level websocket_options.compress and the per-upgrade compress: true option passed to WebSockAdapter.upgrade/4 to be enabled. Stock Phoenix and LiveView applications are not affected as they default to compress: false. This issue affects bandit: from 0.5.9 before 1.11.0.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-39804" target="_blank" rel="noopener">CVE-2026-39804</a></td>
    <td><a href="https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/security/advisories/GHSA-frh3-6pv6-rc8j</a><br><a href="https://cna.erlef.org/cves/CVE-2026-39804.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-39804.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-39804" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-39804</a><br><a href="https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/commit/8156921a51e684a951221da7bc30a70a022f722e</a><br>&nbsp;</td>
    </tr>

    <tr>
    <td class="vendor-product">mtrudel--bandit</td>
    <td>Inconsistent Interpretation of HTTP Requests vulnerability in mtrudel bandit allows HTTP request smuggling via duplicate Content-Length headers. 'Elixir.Bandit.Headers':get_content_length/1 in lib/bandit/headers.ex uses List.keyfind/3, which returns only the first matching header. When a request contains two Content-Length headers with different values, Bandit silently accepts it, uses the first value to read the body, and dispatches the remaining bytes as a second pipelined request on the same keep-alive connection. RFC 9112 §6.3 requires recipients to treat this as an unrecoverable framing error. When Bandit sits behind a proxy that picks the last Content-Length value and forwards the request rather than rejecting it, an unauthenticated attacker can smuggle requests past edge WAF rules, path-based ACLs, rate limiting, and audit logging. This issue affects bandit: before 1.11.0.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-39805" target="_blank" rel="noopener">CVE-2026-39805</a></td>
    <td><a href="https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/security/advisories/GHSA-c67r-gc9j-2qf7</a><br><a href="https://cna.erlef.org/cves/CVE-2026-39805.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-39805.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-39805" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-39805</a><br><a href="https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/commit/f2ca636eb6df385219957e8934e9fc6efa1630d1</a></td>
    </tr>

    <tr>
    <td class="vendor-product">mtrudel--bandit</td>
    <td>Reliance on Untrusted Inputs in a Security Decision vulnerability in mtrudel bandit allows unauthenticated transport-state spoofing on plaintext HTTP connections. 'Elixir.Bandit.Pipeline':determine_scheme/2 in lib/bandit/pipeline.ex returns the client-supplied URI scheme verbatim, ignoring the transport's secure? flag. HTTP/1.1 absolute-form request targets (e.g. GET https://victim/path HTTP/1.1) and the HTTP/2 :scheme pseudo-header are both attacker-controlled strings that flow through this function. Over a plaintext TCP connection, a client can declare https and Bandit will set conn.scheme = :https even though no TLS was negotiated. Downstream Plug consumers that branch on conn.scheme are silently misled: Plug.SSL's already-secure branch skips its HTTP→HTTPS redirect, cookies emitted with secure: true are sent over plaintext, audit logs record requests as having arrived over HTTPS, and CSRF/SameSite gating may make incorrect decisions. This issue affects bandit: from 1.0.0 before 1.11.0.</td>
    <td>2026-05-01</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-39807" target="_blank" rel="noopener">CVE-2026-39807</a></td>
    <td><a href="https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/security/advisories/GHSA-375f-4r2h-f99j</a><br><a href="https://cna.erlef.org/cves/CVE-2026-39807.html" target="_blank" rel="noopener">https://cna.erlef.org/cves/CVE-2026-39807.html</a><br><a href="https://osv.dev/vulnerability/EEF-CVE-2026-39807" target="_blank" rel="noopener">https://osv.dev/vulnerability/EEF-CVE-2026-39807</a><br><a href="https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667" target="_blank" rel="noopener">https://github.com/mtrudel/bandit/commit/45feea20dea8af7ffd7245271107b695c040e667</a></td>
    </tr>

    <tr>
    <td class="vendor-product">traefik--traefik</td>
    <td>Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.43, 3.6.14, and 3.7.0-rc.2, there is a high severity authentication bypass vulnerability in Traefik's ForwardAuth and snippet-based authentication middleware. Traefik's forwarded-header sanitization logic targets only canonical header names (e.g., X-Forwarded-Proto) and does not strip or normalize alias variants that use underscores instead of dashes (e.g., X_Forwarded_Proto). These unsanitized alias headers are forwarded intact to the authentication backend. When the backend normalizes underscore and dash header forms equivalently, an attacker can inject spoofed trust context - such as a trusted scheme or host - through the alias headers and bypass authentication on protected routes without valid credentials. This issue has been patched in versions 2.11.43, 3.6.14, and 3.7.0-rc.2.</td>
    <td>2026-04-30</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-39858" target="_blank" rel="noopener">CVE-2026-39858</a></td>
    <td><a href="https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm" target="_blank" rel="noopener">https://github.com/traefik/traefik/security/advisories/GHSA-5m6w-wvh7-57vm</a><br><a href="https://github.com/traefik/traefik/releases/tag/v2.11.43" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v2.11.43</a><br><a href="https://github.com/traefik/traefik/releases/tag/v3.6.14" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v3.6.14</a><br><a href="https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2" target="_blank" rel="noopener">https://github.com/traefik/traefik/releases/tag/v3.7.0-rc.2</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel Platform HTTP Main</td>
    <td>When authentication is enabled on the Apache Camel embedded HTTP server or embedded management server (camel-platform-http-main) and a non-root context path such as /api or /admin is configured via camel.server.path or camel.management.path, the BasicAuthenticationConfigurer and JWTAuthenticationConfigurer classes derive the authentication path from properties.getPath() when camel.server.authenticationPath / camel.management.authenticationPath is not explicitly set. Combined with the Vert.x sub-router mounting model - the sub-router is mounted at _path_* and the authentication handler is registered inside the sub-router at the resolved path - this causes the authentication handler to match only the exact configured context path, not its subpaths. Unauthenticated requests to subpaths such as /api/_route_ or /admin/observe/info therefore reach protected business routes and management endpoints without being challenged for credentials. The /observe/info endpoint can disclose runtime metadata such as the user, working directory, home directory, process ID, JVM and operating system information. This issue affects Apache Camel: from 4.14.1 before 4.14.6, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, they are suggested to upgrade to 4.14.6. If users are on the 4.18.x LTS releases stream, they are suggested to upgrade to 4.18.2.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40022" target="_blank" rel="noopener">CVE-2026-40022</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-40022.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-40022.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel PQC</td>
    <td>The Camel-PQC FileBasedKeyLifecycleManager class deserializes the contents of `&lt;keyId&gt;.key` files in the configured key directory using java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. The cast to `java.security.KeyPair` is evaluated only after `readObject()` has already returned, so any `readObject()` side effects in the deserialized object run before the type check. An attacker who can write to the key directory used by a Camel application - for example through a path traversal into the directory, misconfigured filesystem permissions on the volume where keys are stored, a compromised key provisioning pipeline, or a symlink attack - can place a crafted serialized Java object that, when deserialized during normal key lifecycle operations, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.19.0 before 4.20.0, from 4.18.0 before 4.18.2. Users are recommended to upgrade to version 4.20.0, which fixes the issue by replacing java.io.ObjectInputStream-based key and metadata storage with standard PKCS#8 (private key) / X.509 SubjectPublicKeyInfo (public key) Base64 JSON encoding. For users on the 4.18.x LTS releases stream, upgrade to 4.18.2.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40048" target="_blank" rel="noopener">CVE-2026-40048</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-40048.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-40048.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">helpyio--helpy</td>
    <td>Helpy contains a stored cross-site scripting vulnerability in the post author display logic. Any registered user can persist arbitrary HTML in their account name field and cause it to be rendered unescaped in public forum threads where they participate, in the admin ticket view, and in HTML notification emails sent to other users. This issue affects helpy: 2.8.0.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40229" target="_blank" rel="noopener">CVE-2026-40229</a></td>
    <td><a href="https://fluidattacks.com/es/advisories/offspring" target="_blank" rel="noopener">https://fluidattacks.com/es/advisories/offspring</a><br><a href="https://github.com/helpyio/helpy" target="_blank" rel="noopener">https://github.com/helpyio/helpy</a></td>
    </tr>

    <tr>
    <td class="vendor-product">helpyio--helpy</td>
    <td>Helpy contains a stored cross-site scripting vulnerability in the knowledge base Doc rendering logic. An authenticated attacker with admin or agent editor privileges can persist arbitrary HTML or JavaScript in the body field of a knowledge base Doc. This issue affects helpy: 2.8.0.</td>
    <td>2026-04-29</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40230" target="_blank" rel="noopener">CVE-2026-40230</a></td>
    <td><a href="https://fluidattacks.com/es/advisories/prisioneros" target="_blank" rel="noopener">https://fluidattacks.com/es/advisories/prisioneros</a><br><a href="https://github.com/helpyio/helpy" target="_blank" rel="noopener">https://github.com/helpyio/helpy</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel JMS</td>
    <td>The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40453" target="_blank" rel="noopener">CVE-2026-40453</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-40453.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-40453.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Camel Mina</td>
    <td>The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40473" target="_blank" rel="noopener">CVE-2026-40473</a></td>
    <td><a href="https://camel.apache.org/security/CVE-2026-40473.html" target="_blank" rel="noopener">https://camel.apache.org/security/CVE-2026-40473.html</a></td>
    </tr>

    <tr>
    <td class="vendor-product">BinSoft--mpGabinet</td>
    <td>mpGabinet is vulnerable to Privilege Escalation due to excessive database privileges assigned to the user used by the application. An attacker with access to any running application instance connected to the backend server can extract database credentials from the application's memory by inspecting the running process. While the ability to retrieve credentials from memory is expected behavior, the exposed credentials grant administrative access to the database, exceeding the privileges required for normal application functionality. This allows an attacker to perform actions beyond those permitted through the application interface. This issue affects mpGabinet version 23.12.19 and below.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40550" target="_blank" rel="noopener">CVE-2026-40550</a></td>
    <td><a href="https://cert.pl/posts/2026/04/CVE-2026-40550/" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2026-40550/</a><br><a href="https://www.mpgabinet.pl/" target="_blank" rel="noopener">https://www.mpgabinet.pl/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">BinSoft--mpGabinet</td>
    <td>mpGabinet performs client-side authentication. An attacker with access to any application instance connected to the backend server can bypass the login verification process by manipulating the application binary and authenticate as an arbitrary user. This issue affects mpGabinet version 23.12.19 and below.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40551" target="_blank" rel="noopener">CVE-2026-40551</a></td>
    <td><a href="https://cert.pl/posts/2026/04/CVE-2026-40550/" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2026-40550/</a><br><a href="https://www.mpgabinet.pl/" target="_blank" rel="noopener">https://www.mpgabinet.pl/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">BinSoft--mpGabinet</td>
    <td>mpGabinet is vulnerable to Remote Command Execution. An authorized user with access to the application and direct access to the backend database can achieve system command execution by uploading an attachment and modifying its storage path in the database to reference an attacker-controlled remote network resource. Alternatively, it is possible to use a previously uploaded file and change its reference. When the application processes the attachment, and a user tries to open it, the referenced resource is executed by the system. Critically, this vulnerability can be exploited by any unauthenticated attacker by chaining it with CVE-2026-40550 and CVE-2026-40551, which allows obtaining database access, and logging onto any account. This issue affects mpGabinet version 23.12.19 and below.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40552" target="_blank" rel="noopener">CVE-2026-40552</a></td>
    <td><a href="https://cert.pl/posts/2026/04/CVE-2026-40550/" target="_blank" rel="noopener">https://cert.pl/posts/2026/04/CVE-2026-40550/</a><br><a href="https://www.mpgabinet.pl/" target="_blank" rel="noopener">https://www.mpgabinet.pl/</a></td>
    </tr>

    <tr>
    <td class="vendor-product">Apache Software Foundation--Apache Storm Prometheus Reporter</td>
    <td>Improper Certificate Validation via Global SSL Context Downgrade in Apache Storm Prometheus Reporter. Versions Affected: from 2.6.3 to 2.8.6. Description: In production deployments where an administrator enables storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation (by default it is disabled) intending to affect only the Prometheus reporter, the undocumented global side effect creates an attack surface across every TLS-protected communication channel in the Storm daemon. The PrometheusPreparableReporter class implements an INSECURE_TRUST_MANAGER that accepts all SSL certificates without validation, with empty checkClientTrusted and checkServerTrusted methods. Most critically, when the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation configuration option is enabled (default = disabled) for HTTPS Prometheus PushGateway connections, the INSECURE_CONNECTION_FACTORY calls SSLContext.setDefault(sslContext), which globally replaces the JVM's default SSL context rather than applying the insecure context only to the Prometheus connection. This payload flows through storm.yaml configuration → PrometheusPreparableReporter.prepare() → INSECURE_CONNECTION_FACTORY → SSLContext.setDefault(), resulting in a JVM-wide TLS security downgrade. All subsequent HTTPS connections in the process - including ZooKeeper, Thrift, Netty, and UI connections - silently trust all certificates, including self-signed, expired, and attacker-generated ones, enabling man-in-the-middle interception of cluster state, topology submissions, tuple data, and administrative credentials. Mitigation: 2.x users should upgrade to 2.8.7 if the Prometheus Metrics Reporter is used. Prometheus Metrics Reporter users who cannot upgrade immediately should remove the storm.daemon.metrics.reporter.plugin.prometheus.skip_tls_validation: true setting from their storm.yaml configuration and instead configure a proper truststore containing the PushGateway's certificate.</td>
    <td>2026-04-27</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40557" target="_blank" rel="noopener">CVE-2026-40557</a></td>
    <td><a href="https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq" target="_blank" rel="noopener">https://lists.apache.org/thread/f5bv68z1y5xstz22psjk05p3wn86knjq</a></td>
    </tr>

    <tr>
    <td class="vendor-product">MIYAGAWA--Starman</td>
    <td>Starman versions before 0.4018 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starman incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 §3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.</td>
    <td>2026-04-28</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40560" target="_blank" rel="noopener">CVE-2026-40560</a></td>
    <td><a href="https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch" target="_blank" rel="noopener">https://github.com/miyagawa/Starman/commit/ced205f0805027e9d9c0731f8c40b104220604ed.patch</a><br><a href="https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes" target="_blank" rel="noopener">https://metacpan.org/release/MIYAGAWA/Starman-0.4018/changes</a><br><a href="https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3</a></td>
    </tr>

    <tr>
    <td class="vendor-product">KAZUHO--Starlet</td>
    <td>Starlet versions through 0.31 for Perl allow HTTP Request Smuggling via Improper Header Precedence. Starlet incorrectly prioritizes "Content-Length" over "Transfer-Encoding: chunked" when both headers are present in an HTTP request. Per RFC 7230 §3.3.3, Transfer-Encoding must take precedence. An attacker could exploit this to smuggle malicious HTTP requests via a front-end reverse proxy.</td>
    <td>2026-05-03</td>
    <td>not yet calculated</td>
    <td><a href="https://www.cve.org/CVERecord?id=CVE-2026-40561" target="_blank" rel="noopener">CVE-2026-40561</a></td>
    <td><a href="https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3" target="_blank" rel="noopener">https://datatracker.ietf.org/doc/html/rfc7230#section-3.3.3</a><br><a href="https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch" target="_blank" rel="noopener">https://github.com/kazuho/Starlet/commit/a7d5dfd1862aafa43e5eaca0fdb6acf4cc15b2d0.patch</a></td>
    </tr>
    </tbody>
    </table>
    <p><a href=3D"#top">Back to top</a></p>
    </div>
    </div>
    </div>
    <style>body {
    font-size: 1em; font-family: Arial, Verdana, sans-serif; font-weight: normal; font-style: normal; color: #333333;
    }
    </style>


    <div id="tagline">
    <hr>
    <table style="width: 100%;" border="0" cellspacing="0">
    <tbody>
    <tr>
    <td style="color: #757575; font-size: 10px; font-family: Arial;">This email was sent to cisa@toolazy.synchro.net using GovDelivery Communications Cloud, on behalf of: Cybersecurity and Infrastructure Security Agency · 707 17th St, Suite 4000 · Denver, CO 80202</td>
    </tr>
    </tbody>
    </table>
    <style type="text/css">body .abe-column-block { min-height: 5px; } table.gd_combo_table img {margin-left:10px; margin-right:10px;} table.gd_combo_table div.govd_image_display img, table.gd_combo_table td.gd_combo_image_cell img {margin-left:0px; margin-right:0px;}</style>

    </div>
    </td>
    </tr>
    </table>

    </body>
    </html>

    --===============7093670999237951758==--

    --===============3783835882403185368==--