PT-2026-34561

Jellystat is a free and open source Statistics App for Jellyfin. Prior to version 1.1.10, multiple API endpoints in Jellystat build SQL queries by interpolating unsanitized request-body fields directly into raw SQL strings. An authenticated user can inject arbitrary SQL via POST /api/getUserDetai...

PT-2026-34437

Name of the Vulnerable Software and Affected Versions PowerDNS dnsdist versions 1.9.0 through 1.9.12 PowerDNS dnsdist versions 2.0.0 through 2.0.3 Description An unauthenticated remote attacker can cause a denial-of-service by sending a crafted DNSCrypt query. This action triggers a divide-by-zer...

PT-2026-34596

Name of the Vulnerable Software and Affected Versions CI4MS versions prior to 0.31.5.0 Description A Stored DOM XSS Cross-Site Scripting issue exists in the backup module. An attacker can manipulate the filename field using an SQL file to inject a hidden XSS payload, potentially leading to full...

Statamic 安全漏洞

Statamic is a powerful flat-file CMS built using Laravel by Statamic Inc. It allows all content, templates, assets, and settings to be stored in files rather than in a database. There were security vulnerabilities in versions prior to Statamic 5.73.20 and 6.13.0, which stemmed from insufficient...

Jellystat SQL注入漏洞

Jellystat is a free and open-source statistical application developed by Thegan Govender as an individual project. Versions of Jellystat prior to 1.1.10 contained a SQL injection vulnerability. This vulnerability stemmed from multiple API endpoints that constructed queries by directly inserting...

PT-2026-34239

OwnTone Server versions 28.4 through 29.0 contain a SQL injection vulnerability in DAAP query and filter handling that allows attackers to inject arbitrary SQL expressions by supplying malicious values through the query= and filter= parameters for integer-mapped DAAP fields. Attackers can exploit...

Unity Linux 20.1060a / 20.1070a Security Update: kernel (UTSA-2026-013496)

"The Unity Linux 20 host has a package installed that is affected by a vulnerability as referenced in the UTSA-2026-013496 advisory. In the Linux kernel, the following vulnerability has been resolved: cifs: prevent bad output lengths in smb2ioctlqueryinfo When calling smb2ioctlqueryinfo with...

PowerDNS DNSdist 安全漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS that offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a security vulnerability that stems from the ability of clients to trigger excessive memory allocation by generating a large number of...

PT-2026-34444

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description A rogue backend can send a crafted UDP response with a query ID off by one relative to the maximum configured value. This triggers an out-of-bounds write, which ...

PT-2026-34246

CVE-2026-6833 The a+HRD developed by aEnrich has a SQL Injection vulnerability, allowing authenticated remote attackers to inject arbitrary SQL commands to read database contents. https://t.co/t19jGHdUjW...

Linux Distros Unpatched Vulnerability : CVE-2026-33596

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A client might theoretically be able to cause a mismatch between queries sent to a backend and the received responses by sending a flood of perfectly timed...

PowerDNS DNSdist 数字错误漏洞

PowerDNS DNSdist is a proxy software provided by PowerDNS, which offers capabilities for DNS traffic load balancing and security protection. PowerDNS DNSdist has a numerical error vulnerability; this vulnerability stems from the ability of clients to trigger a zero error by sending a specially...

PowerDNS Authoritative Server 注入漏洞

The PowerDNS Authoritative Server is a DNS server developed by the Dutch company PowerDNS. There is an injection vulnerability in the PowerDNS Authoritative Server, which stems from incomplete escape sequences in LDAP queries when 8bit-dns is enabled, allowing users to query internal domain...

PT-2026-34609

Name of the Vulnerable Software and Affected Versions @nocobase/database versions prior to 2.0.39 Description An issue exists in the queryParentSQL function within the core database package where a recursive CTE query is constructed by joining nodeIds using string concatenation instead of...

SQLi-Injection-Payloads

No d...

EUVD-2026-24569

Craft CMS is a content management system CMS. Versions on the 4.x branch through 4.17.8 and the 5.x branch through 5.9.14 are vulnerable to Server-Side Request Forgery. The exploitation requires a few permissions to be enabled in the used GraphQL schema: "Edit assets in the volume" and "Create...

CVE-2026-41062

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...

EUVD-2026-24541

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...

CVE-2026-41062

Summary: WWBN AVideo

CVE-2026-41062 WWBN/AVideo has an incomplete fix for a directory traversal bypass via query string in ReceiveImage downloadURL parameters

WWBN AVideo is an open source video platform. In versions 29.0 and below, the directory traversal fix introduced in commit 2375eb5e0 for objects/aVideoEncoderReceiveImage.json.php only checks the URL path component via parseurl$url, PHPURLPATH for .. sequences. However, the downstream function...