PT-2026-51207

Name of the Vulnerable Software and Affected Versions ILIAS Learning Management System version 11.0 Description An issue exists in the Learning Progress Tracking component within the ilTrQuery::executeQueries function of the components/ILIAS/Tracking/classes/class.ilTrQuery.php file. Remote...

PT-2026-51261

Name of the Vulnerable Software and Affected Versions Comfast CF-WR631AX V3 versions prior to 2.7.0.8 Description A remote OS command injection flaw exists in the API Endpoint component. The issue occurs within the system function of the '/cgi-bin/mbox-config?section=ping config' endpoint when th...

PT-2026-51259

Name of the Vulnerable Software and Affected Versions Radware Cyber Controller versions prior to 10.11.0 Description An issue exists within the HTML Report Generation component that allows for HTML injection. This flaw can be exploited remotely to inject malicious HTML code into reports...

VulnCheck KEV: CVE-2026-36356

The GoAhead web server on MeiG Smart FORGESLT711 devices firmware MDM9607.LE.1.0-00110-STD.PROD-1 allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint...

PT-2026-51199

Name of the Vulnerable Software and Affected Versions Montodel House-Rental-Management versions prior to 90010017b81265eb1ef3810268909f7719a33863 Description A SQL injection issue exists in the '/login.php' endpoint. Remote attackers can exploit this by manipulating the Username parameter. SQL...

PT-2026-51254

Name of the Vulnerable Software and Affected Versions Edimax BR-6478AC V2 version 1.23 Description Command injection can be triggered remotely via the POST Request Handler component. The issue exists within the setWAN function located in the '/goform/setWAN' endpoint. Manipulation of the...

PT-2026-51257

Name of the Vulnerable Software and Affected Versions Edimax BR-6478AC V2 version 1.23 Description A security flaw in the POST Request Handler component allows for remote command injection. This occurs through the manipulation of the command argument within the mp function of the '/goform/mp'...

PT-2026-51264

Name of the Vulnerable Software and Affected Versions langflow-ai langflow versions prior to 1.9.4 Description An issue exists in the Bundle URL Loader component where manipulation of an unknown function allows for code injection. This attack must be performed locally. Recommendations At the...

PT-2026-51229

Name of the Vulnerable Software and Affected Versions Craft CMS versions 5.0.0-RC1 and later Description A stored cross-site scripting issue exists in the User Permissions page. The software fails to properly perform HTML escaping when rendering user group names. This allows attackers with...

PT-2026-51255

Name of the Vulnerable Software and Affected Versions Edimax BR-6478AC V2 version 1.23 Description Command injection is possible via the POST Request Handler component. A remote attacker can exploit this by manipulating the interface argument within the stainfo function of the '/goform/stainfo'...

CVE-2026-56347

AVideo TopMenu plugin through version 26.0 contains a stored cross-site scripting vulnerability in menu item rendering due to missing output encoding of icon classes, URLs, and text labels. Attackers can inject malicious JavaScript through unescaped menu item fields that execute for all site...

EUVD-2026-38128

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commitsha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git...

CVE-2026-5366 Git Argument Injection in prefecthq/prefect

Prefect version 3.6.23 is vulnerable to remote code execution due to improper handling of user-controlled input in the GitRepository storage class. The commitsha parameter, which is passed to git commands, lacks validation and does not include a -- separator to distinguish user input from git...

CVE-2024-58351

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relie...

CVE-2024-58351 Flowise - Remote Code Execution via overrideConfig Parameter

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relie...

EUVD-2024-55642

Flowise before 2.1.4 allows configuration to be injected into the Chainflow during execution via the overrideConfig option, supported in both the frontend web integration and the backend Prediction API. Because this feature is enabled by default with no allow-list of permitted variables and relie...

CVE-2022-50972

WooCommerce 7.1.0 contains a remote code execution vulnerability that allows attackers to execute arbitrary PHP code by injecting shell commands through the product-type parameter. Attackers can send requests to the class-wc-meta-box-product-images.php endpoint with unsanitized product-type value...

PT-2026-51178

Name of the Vulnerable Software and Affected Versions GROCERY-STORE-MANAGEMENT-SYSTEM-USING-PHP-AND-MYSQL-PHPMYADMIN version 1.0 Description An issue exists where a crafted SQL statement can be used to access sensitive database information. This occurs via the scost parameter in the...

Linux Distros Unpatched Vulnerability : CVE-2026-9679

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Impact: undici's cookie parser in parseSetCookie percent-decodes cookie values via qsUnescape, turning encoded sequences like %0D%0A, %00, %3B, and %3D into the...

PT-2026-51141

Name of the Vulnerable Software and Affected Versions WooCommerce version 7.1.0 Description A remote code execution flaw exists in the 'class-wc-meta-box-product-images.php' endpoint. The product-type parameter is processed without proper sanitization, allowing attackers to inject shell commands...