EUVD-2026-34780

A heap-based buffer overflow vulnerability in the dot11ah.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.13 allows an unauthenticated attacker within radio range to cause a Denial of Service kernel panic or potentially achieve Remote Code Execution via a...

PT-2026-46902

Name of the Vulnerable Software and Affected Versions Graphite versions prior to 1.3.15 Description An integer underflow occurs via Graphite actions because the slotat function fails to ensure that an offset remains within the allowed slot-map range, leading to an out-of-bounds write...

PT-2026-49157

OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=519646826 Crash type: Heap-buffer-overflow WRITE Crash state: opus repacketizer out range impl opus repacketizer out range codec parse...

Oracle Database Server (May 2026 CSPU)

The versions of Oracle Database Server installed on the remote host are affected by multiple vulnerabilities as referenced in the May 2026 CSPU advisory. - Vulnerability in the Net Service component of Oracle Database Server. Supported versions that are affected are 23.4.0-23.26.2. Difficult to...

open-apis 代码问题漏洞

open-apis is a microservice API within the HAX The Web open-source HAX network component repository. Versions of open-apis from 9.0.1 to 26.0.0 had code-related vulnerabilities. These vulnerabilities stemmed from multiple functions performing substring matching hostname only, which could allow...

GHSA-GQ96-5PFX-F4VC Shopware: SSRF in Media External-Link Endpoint Bypasses IP Validation

Summary The /api/action/media/external-link endpoint allows authenticated admin users to make server-side HTTP HEAD requests to arbitrary internal IP addresses. While the parallel uploadFromURL flow validates target IPs against private/reserved ranges via FileUrlValidator, the linkURL flow only...

@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @abyedev/hono-dotenv (=1.0.0) +560 more potentially affected by CVE-2026-47674 via hono (>=0.5.10 <=4.12.2)

hono NPM version =0.5.10, =0.1.8-fix.3, =5.0.0, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.1.1, =0.0.1, =0.0.2-a, =0.1.22, =1.1.1, =1.3.0 and more Source cves: CVE-2026-47674 Source advisory: OSV:GHSA-XRHX-7G5J-RCJ5...

@3onedata/alsatian (>=0.1.8-fix.3 <=0.1.8-fix.5), @abyedev/hono-dotenv (=1.0.0) +560 more potentially affected by CVE-2026-47675 via hono (>=0.5.10 <=4.12.2)

hono NPM version =0.5.10, =0.1.8-fix.3, =5.0.0, =0.2.0, =0.2.0, =0.4.0, =0.2.0, =0.1.4, =2026.4.4, =1.0.2, =0.1.1, =0.0.1, =0.0.2-a, =0.1.22, =1.1.1, =1.3.0 and more Source cves: CVE-2026-47675 Source advisory: OSV:GHSA-3HRH-PFW6-9M5X...

mysql: Group Replication Plugin unspecified vulnerability (CPU Apr 2026)

Oracle CPU describes the issue as following: Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Group Replication Plugin. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and 9.0.0-9.6.0. Easily exploitable vulnerability allows low privileged attacker...

CVE-2026-5228 Improper Access Control in Kurt Software Studio's WriteUp Mobile App

Improper Access Control, Missing Authorization vulnerability in Kurt Software Studio WriteUp Mobile App allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects WriteUp Mobile App: from 1.3.0 through 04062026...

Allocation of Resources Without Limits or Throttling in Axios

Summary Axios versions 1.7.0 through 1.15.x did not enforce configured request and response size limits when requests were sent with the fetch adapter. Applications that selected adapter: 'fetch', or ran in environments where axios resolved to the fetch adapter, could receive or send bodies large...

crypt_guard (=0.1.4), env_encryption_tool (=0.9.17) +5 more potentially affected by unknown CVE via pqcrypto-hqc (>=0.0.4 <=0.2.2)

pqcrypto-hqc CARGO version =0.0.4, =0.12.2, =0.1.0, =0.1.0, =0.5.0 Source cves: unknown CVE Source advisory: OSV:RUSTSEC-2026-0168...

CVE-2026-4104 SQLi in Akmer Informatics' TeknoPass

Authorization bypass through User-Controlled SQL primary key vulnerability in Akmer Informatics Automation Industry and Trade Ltd. Co. TeknoPass allows SQL Injection. This issue affects TeknoPass: from 20210501 through 20260429...

CVE-2026-4104

TeknoPass (Akmer Informatics) is affected by CVE-2026-4104 due to an Authorization bypass that relies on a user-controlled SQL primary key, enabling SQL injection. Affected period is 20210501–20260429. The available documents specify the vulnerability type and affected product but do not provide ...

CVE-2026-48597

Allocation of Resources Without Limits or Throttling vulnerability in elixir-tesla tesla allows denial of service via atom table exhaustion in Tesla.Adapter.Mint. Tesla.Adapter.Mint.openconn/2 converts the URL scheme of every outgoing request to a BEAM atom via String.toatomuri.scheme with no...

SUSE CVE-2026-42039

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, toFormData recursively walks nested objects with no depth limit, so a deeply nested value passed as request data crashes the Node.js process with a RangeError. This vulnerability is fixed in 1.15.1 and...

SUSE CVE-2026-42043

Axios is a promise based HTTP client for the browser and Node.js. Prior to 1.15.1 and 0.31.1, an attacker who can influence the target URL of an Axios request can use any address in the 127.0.0.0/8 range other than 127.0.0.1 to completely bypass the NOPROXY protection. This vulnerability is due t...

EUVD-2026-34189

An out-of-bounds read vulnerability in the morse.ko HaLow Wi-Fi kernel driver in Morse Micro HaLowLink 2 software versions prior to 2.11.12 allows an unauthenticated attacker within radio range to disclose a small amount of kernel heap memory or cause a Denial of Service kernel oops/panic via a...

OpenStack oslo.messaging 安全漏洞

OpenStack oslo.messaging is an open-source messaging library for OpenStack. There are security vulnerabilities in the version of OpenStack oslo.messaging from 1.0.0 to 17.3.0. These vulnerabilities stem from the fact that the RabbitMQ driver does not perform TLS hostname verification. Any...

chartbrew 跨站脚本漏洞

Chartbrew is an open-source data visualization and dashboard-building tool developed by Chartbrew. Versions 4.9.0 to 5.0.0 of Chartbrew contain a cross-site scripting vulnerability. This vulnerability arises from the ChartDatasetConfig.legend field not being cleaned properly in HTML/JavaScript...