CVE-2026-25888

CVE-2026-25888 affects Chartbrew, an open‑source web application that can connect to databases and APIs to generate charts. A remote code execution vulnerability exists in versions prior to 4.8.1 through a vulnerable API, enabling an attacker with network access and low privileges, with no user i...

EUVD-2026-9976

Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1...

EUVD-2026-9941

FUXA Unauthenticated Remote Code Execution via Admin JWT Minting...

GStreamer H.266 Codec Parser Out-Of-Bounds Write Remote Code Execution Vulnerability

This vulnerability allows remote attackers to execute arbitrary code on affected installations of GStreamer. Interaction with this library is required to exploit this vulnerability but attack vectors may vary depending on the implementation. The specific flaw exists within the processing of APS...

PT-2026-23637

Name of the Vulnerable Software and Affected Versions Chartbrew versions prior to 4.8.1 Description Chartbrew is a web application designed for connecting to databases and APIs to create charts. A remote code execution issue exists in versions before 4.8.1 due to a vulnerable API. The issue has...

CVE-2026-28391

OpenClaw vulnerability CVE-2026-28391 affects OpenClaw versions prior to 2026.2.2. The issue stems from improper validation of Windows cmd.exe metacharacters in allowlist-gated exec requests, allowing remote attackers to bypass command approval and craft command strings with shell metacharacters ...

CVE-2026-28391 OpenClaw < 2026.2.2 - Command Injection via cmd.exe Parsing Bypass in Allowlist Enforcement

OpenClaw versions prior to 2026.2.2 fail to properly validate Windows cmd.exe metacharacters in allowlist-gated exec requests non-default configuration, allowing attackers to bypass command approval restrictions. Remote attackers can craft command strings with shell metacharacters like & or %...%...

CVE-2026-0848

NLTK versions =3.9.2 are vulnerable to arbitrary code execution due to improper input validation in the StanfordSegmenter module. The module dynamically loads external Java .jar files without verification or sandboxing. An attacker can supply or replace the JAR file, enabling the execution of...

SEPPmail 路径遍历漏洞

SEPPmail is an email encryption and signature solution provided by the Swiss company SEPPmail. Versions of SEPPmail 15.0.2.1 and earlier contained a path traversal vulnerability. This vulnerability stemmed from the large file transfer feature’s susceptibility to path traversal attacks, which coul...

WordPress plugin JetEngine 安全漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. There is...

CVE-2026-26279 Froxlor Admin-to-Root Privilege Escalation via Input Validation Bypass + OS Command Injection

Froxlor is open source server administration software. Prior to 2.3.4, a typo in Froxlor's input validation code == instead of = completely disables email format checking for all settings fields declared as email type. This allows an authenticated admin to store arbitrary strings in the...

Apache Ranger has a Code Injection vulnerability

Remote Code Execution Vulnerability in NashornScriptEngineCreator is reported in Apache Ranger versions = 2.7.0. Users are recommended to upgrade to version 2.8.0, which fixes this issue...

CVE-2026-3422

U-Office Force developed by e-Excellence has a Insecure Deserialization vulnerability, allowing unauthenticated remote attackers to execute arbitrary code on the server by sending maliciously crafted serialized content...

EUVD-2025-208230

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

PT-2026-22735

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

CVE-2025-52365

A command injection vulnerability in the szc script of the ccurtsinger/stabilizer repository allows remote attackers to execute arbitrary system commands via unsanitized user input passed to os.system. The vulnerability arises from improper input handling where command-line arguments are directly...

CVE-2025-66945

CVE-2025-66945 affects Zdir Pro 4.x ZIP extraction API (/api/extract). A path traversal vulnerability can cause files to be written outside the intended directory, enabling arbitrary file overwrites and potentially remote code execution. Connected sources confirm the issue exists; exploitation de...

📄 GVfs 1.58.1 FTP Backend CRLF Injection

A vulnerability was identified in the FTP backend of GVfs due to improper input validation. A remote attacker can exploit this flaw by supplying specially crafted file paths containing Carriage Return and Line Feed CRLF sequences. Because these CRLF sequences are not properly sanitized, they allo...

GRUB2 Vulnerable to Out-of-Bounds Write via Network Boot Process in 'grub_strcpy()' Function

A flaw was found in grub2. During the network boot process, when trying to search for the configuration file, grub copies data from a user controlled environment variable into an internal buffer using the grubstrcpy function. During this step, it fails to consider the environment variable length...

CVE-2026-0006

In multiple locations, there is a possible out of bounds read and write due to a heap buffer overflow. This could lead to remote code execution with no additional execution privileges needed. User interaction is not needed for exploitation...