CVE-2026-11469

A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to...

PT-2026-47619

internal/configgen/generator.go:86,108,119 interpolates the operator-supplied ListenHost and TunDevice fields raw into a text/template that produces the agent's config.yml. internal/web/advanced.go:20-35 accepts both with only strings.TrimSpace — no character or shape validation. Exploit An...

PT-2026-47258

A vulnerability has been found in D-Link DCS-5615 1.01.00. Affected by this vulnerability is an unknown functionality of the file /etc/conf.d/boa/boa.conf of the component Boa Webserver. Such manipulation leads to least privilege violation. The attack can be executed remotely. The exploit has bee...

PT-2026-47256

A security vulnerability has been detected in TOTOLINK AC1200 T8 4.1.5cu.8611. This affects an unknown function of the file /etc/vsftpd.conf of the component vsftpd. The manipulation leads to least privilege violation. The attack may be initiated remotely. The exploit has been disclosed publicly...

PT-2026-47254

A security flaw has been discovered in D-Link DIR-823G 1.0.2B05. The affected element is an unknown function of the file /etc/vsftpd.conf of the component vsftpd. Performing a manipulation results in least privilege violation. The attack can be initiated remotely. The exploit has been released to...

PT-2026-47557

internal/configgen/generator.go:86,108,119 interpolates the operator-supplied ListenHost and TunDevice fields raw into a text/template that produces the agent's config.yml. internal/web/advanced.go:20-35 accepts both with only strings.TrimSpace — no character or shape validation. Exploit An...

CVE-2026-11469 jishenghua jshERP platformConfig Add Endpoint PlatformConfigService.java insertPlatformConfig server-side request forgery

A flaw has been found in jishenghua jshERP up to 3.6. Impacted is the function insertPlatformConfig of the file jshERP-boot/src/main/java/com/jsh/erp/service/PlatformConfigService.java of the component platformConfig Add Endpoint. Executing a manipulation of the argument platformValue can lead to...

Embedded Malicious Code

Overview Affected versions of this package are vulnerable to Embedded Malicious Code. This package contains malicious code associated with the Shai-Hulud / Miasma software supply chain campaign, a large scale operation that has affected numerous packages across open source ecosystems. The malicio...

CVE-2026-46389

UDS Identity Config builds the Keycloak configuration image realm, plugins, theme, truststore, JARs consumed by UDS Core's Identity deployment. In versions 0.11.0 through 0.26.0, a logic error in the client-kubernetes-secret Keycloak client authenticator shipped by uds-identity-config and consume...

CVE-2026-11406 GL.iNet MT3000 OpenVPN Client Import Workflow ovpnclient.sh command injection

A vulnerability was determined in GL.iNet MT3000 up to 4.4.5. This vulnerability affects unknown code of the file ovpnclient.sh of the component OpenVPN Client Import Workflow. This manipulation causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly...

SUSE CVE-2023-43633

On boot, the Pillar eve container checks for the existence and content of “/config/GlobalConfig/global.json”. If the file exists, it overrides the existing configuration on the device on boot. This allows an attacker to change the system's configuration, which also includes some debug functions...

CVE-2026-2500

The Quick Playground plugin for WordPress is vulnerable to Path Traversal in all versions up to, and including, 1.3.4. This is due to the qckplydata function passing the user-supplied filename POST parameter directly to filegetcontents without any validation, sanitization, or path restriction. Th...

CVE-2024-27890

Affected platforms running Arista EOS with OpenConfig configured, a gNMI Set request can be run when it should have been rejected. This can result in unexpected configuration being applied to the switch...

EulerOS Virtualization 2.10.1 : libssh (EulerOS-SA-2026-2027)

According to the versions of the libssh package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A malicious SCP server can send unexpected paths that could make the client application override local files outside of working...

EulerOS Virtualization 2.10.0 : libssh (EulerOS-SA-2026-2054)

According to the versions of the libssh package installed, the EulerOS Virtualization installation on the remote host is affected by the following vulnerabilities : A malicious SCP server can send unexpected paths that could make the client application override local files outside of working...

CVE-2026-11416

MoviePilot contains a path traversal vulnerability in the AliPan, U115, and Rclone cloud storage download handlers where the local destination path is constructed by concatenating the configured download directory with a filename taken directly from remote cloud API metadata without basename...

CVE-2026-3495

Mattermost versions 11.5.x = 11.5.1, 10.11.x = 10.11.13 fail to escape some variables that could contain malicious content during error page composition which allows an attacker with access to edit some site configuration to execute some malicious code via injecting some JS as part of those...

CVE-2026-30778

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-30994

Incorrect access control in the config.php component of Slah v1.5.0 and below allows unauthenticated attackers to access sensitive information, including active session credentials...

CVE-2026-38931

A stored cross-site scripting XSS vulnerability in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff Latest as of 2026-02-27 via injecting a crafted payload...