PT-2026-5389
Affected software and versions: Johnson Controls Metasys versions 12.0 through 14.1; Johnson Controls Metasys Application and Data Server (ADS) versions 14.1 and prior; Johnson Controls Metasys Extended Application and Data Server (ADX) version 14.1; Johnson Controls Metasys System...
Sick Beard operating system command injection vulnerability
Sick Beard is a television program download tool developed by Nic Wolfe. Sick Beard contains an operating system command injection vulnerability, which stems from improper handling of the extra script configuration parameters. This vulnerability may allow unvalidated remote command...
Advantech IoTSuite / IoT Edge SQL Injection
A critical unauthenticated SQL injection vulnerability was identified in Advantech WISE-IoTSuite / SaaS Composer. The issue resides in the /displays/filename.json endpoint, where the filename parameter is not sanitized before being concatenated into a backend PostgreSQL query. An attacker...
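The entry above describes the classic pattern of a request parameter concatenated into SQL text. The following is an added illustration, not code from Advantech or from this advisory: it stands in an in-memory SQLite database (the real backend is PostgreSQL, and the real schema is unknown; the `displays` and `users` tables and their rows are constructed here) and shows a `filename` value that turns a lookup into a UNION read of another table, beside the parameterized form that treats the same input as plain data.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample schema standing in for the application's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE displays (id INTEGER PRIMARY KEY, filename TEXT, content TEXT);
        CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
        INSERT INTO displays VALUES (1, 'dashboard.json', '{"widgets": []}');
        INSERT INTO users VALUES (1, 'admin', 'sha256$deadbeef');
        """
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, filename: str) -> list:
    # Vulnerable pattern: untrusted input spliced into the SQL text, so the
    # quote and the SQL that follow it become part of the statement.
    sql = "SELECT content FROM displays WHERE filename = '" + filename + "'"
    return [row[0] for row in conn.execute(sql)]


def lookup_safe(conn: sqlite3.Connection, filename: str) -> list:
    # Hardened pattern: a bound parameter. The driver sends the value
    # separately from the statement, so it can never change its structure.
    # (psycopg2 for PostgreSQL uses %s as the placeholder instead of ?.)
    sql = "SELECT content FROM displays WHERE filename = ?"
    return [row[0] for row in conn.execute(sql, (filename,))]


# Constructed attacker input: closes the quoted literal, appends a UNION that
# reads the users table, and comments out the trailing quote.
PAYLOAD = "x' UNION SELECT username || ':' || password_hash FROM users --"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", lookup_vulnerable(db, PAYLOAD))   # leaks admin:sha256$deadbeef
    print("safe:      ", lookup_safe(db, PAYLOAD))          # [] (no such filename)
```

The vulnerable lookup returns the credential row; the parameterized lookup returns nothing for the same input. Input "sanitization" is the wrong fix here: binding parameters is what removes the injection, and it works regardless of what characters the attacker sends.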
Tenda HG10 command injection vulnerability
The Tenda HG10 is a fiber-optic router produced by the Chinese company Tenda. The Tenda HG10 firmware version USHG7HG9HG10re300001138enxpon has a command injection vulnerability. It arises in an unknown function of the Boa web server component, which handles the parameter "serverString" in th...
CVE-2026-1340
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution...
CVE-2026-1340
CVE-2026-1340 affects Ivanti Endpoint Manager Mobile (EPMM) with a code-injection flaw that could allow unauthenticated remote code execution. The CVSS v3.1 base score is 9.8 (CRITICAL) with network attack vector, no privileges required, no user interaction, and high impact to confidentiality, in...
Security Advisory Ivanti Endpoint Manager Mobile (EPMM) (CVE-2026-1281 & CVE-2026-1340)
Update 29 Jan: step-by-step RPM install KB included. Update 4 Feb: fixed in Security Update 0S-4 and 0L-4, included. Update 6 Feb: RPM detection script available to help customers assess potential impact. Technical analysis updated with reliable Indicators of Compromise (IoCs). Both in partnership...
CVE-2026-1597
A vulnerability has been found in Bdtask SalesERP up to 20260116. This issue affects some unknown processing of the component Administrative Endpoint. Such manipulation of the argument cisession leads to improper authorization. The attack may be performed from remote. The exploit has been disclos...
CVE-2020-37009 MedDream PACS Server 6.8.3.751 - Remote Code Execution
MedDream PACS Server 6.8.3.751 contains an authenticated remote code execution vulnerability that allows authorized users to upload malicious PHP files. Attackers can exploit the uploadImage.php endpoint by authenticating and uploading a PHP shell to execute arbitrary system commands with elevate...
gimp: GIMP: Remote Code Execution via JP2 file parsing heap-based buffer overflow
A flaw was found in GIMP. This heap-based buffer overflow vulnerability in the JP2 file parsing component allows a remote attacker to execute arbitrary code. Exploitation requires user interaction, where the target must open a specially crafted malicious JP2 file. Successful exploitation can lead...
CVE-2026-1400
The AI Engine – The Chatbot and AI Framework for WordPress plugin for WordPress is vulnerable to arbitrary file uploads due to missing file type validation in the resthelpersupdatemediametadata function in all versions up to, and including, 3.3.2. This makes it possible for authenticated attacker...
ajenti operating system command injection vulnerability
ajenti is an open-source Linux and BSD-based modular server management panel developed by ajenti. Version 2.1.36 of ajenti contains a vulnerability related to operating system command injection. This vulnerability stems from an authentication bypass, which could allow remote attackers to execute...
VulnCheck KEV: CVE-2026-1281
A code injection in Ivanti Endpoint Manager Mobile allowing attackers to achieve unauthenticated remote code execution...
Ivanti Endpoint Manager Mobile code injection vulnerability
Ivanti Endpoint Manager Mobile is a mobile device management product developed by the American company Ivanti. Ivanti Endpoint Manager Mobile has a code injection vulnerability that may allow unauthenticated remote code execution...
Tactical RMM security vulnerabilities
Tactical RMM is an open-source remote monitoring and management tool developed by AmidaWare Inc. Versions of Tactical RMM prior to v1.3.1 contained security vulnerabilities. These vulnerabilities were caused by improper handling of the templatemd parameter, which could lead to server-side templat...
RHEL 9 : openssl (RHSA-2026:1594)
The remote Red Hat Enterprise Linux 9 host has packages installed that are affected by multiple vulnerabilities as referenced in the RHSA-2026:1594 advisory. OpenSSL is a toolkit that implements the Secure Sockets Layer (SSL) and Transport Layer Security (TLS) protocols, as well as a full-strength...
Important: gimp:2.8 security update
The GIMP GNU Image Manipulation Program is an image composition and editing program. GIMP provides a large image manipulation toolbox, including channel operations and layers, effects, sub-pixel imaging and anti-aliasing, and conversions, all with multi-level undo. Security Fixes: gimp: GIMP:...
CVE-2026-24897 Authenticated Remote Code Execution via Arbitrary File Upload
Erugo is a self-hosted file-sharing platform. In versions up to and including 0.2.14, an authenticated low-privileged user can upload arbitrary files to any specified location due to insufficient validation of user‑supplied paths when creating shares. By specifying a writable path within the publ...
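The Erugo entry above (and the MedDream and Explorance entries on this page) come down to an upload whose destination path or file type is taken from the user. The following is an added example, not Erugo's code: it assumes a hypothetical share root directory and shows the containment check a share-creation handler needs, resolving the joined path and rejecting anything that lands outside the root, including `..` segments, absolute paths, and symlinks that point out of the tree. The directory layout is constructed in a temporary directory so the check can be exercised offline.

```python
import os
import tempfile
from pathlib import Path


def safe_join(share_root: str, user_path: str) -> Path:
    """Return share_root/user_path only if the resolved result stays inside share_root.

    Resolution happens after the join so that '..' segments, an absolute
    user_path (which pathlib's '/' operator lets replace the root entirely),
    and symlinks are all judged by where they actually end up.
    """
    root = Path(share_root).resolve()
    candidate = (root / user_path).resolve()
    if candidate != root and root not in candidate.parents:
        raise PermissionError(f"path escapes share root: {user_path!r}")
    return candidate


def is_allowed(share_root: str, user_path: str) -> bool:
    try:
        safe_join(share_root, user_path)
        return True
    except PermissionError:
        return False


def run_checks() -> dict:
    """Constructed scenario: a share root next to a web-served public directory."""
    base = Path(tempfile.mkdtemp())
    share_root = base / "shares"
    public_dir = base / "public"
    share_root.mkdir()
    public_dir.mkdir()
    # A symlink inside the share root that points at the public directory,
    # the kind of thing a naive string-prefix check would wave through.
    os.symlink(public_dir, share_root / "link_out")

    return {
        "plain_file": is_allowed(str(share_root), "docs/report.pdf"),
        "dot_dot": is_allowed(str(share_root), "../public/shell.php"),
        "absolute": is_allowed(str(share_root), str(public_dir / "shell.php")),
        "symlink_out": is_allowed(str(share_root), "link_out/shell.php"),
        "prefix_trick": is_allowed(str(share_root), "../shares_evil/x.php"),
    }


if __name__ == "__main__":
    for name, ok in run_checks().items():
        print(f"{name:13s} -> {'allowed' if ok else 'rejected'}")
```

The `prefix_trick` case is why the check compares path components rather than string prefixes: `/srv/shares_evil` starts with the text `/srv/shares` but is not inside it. A complete handler would additionally restrict the file extension or content type for anything the web server might execute, which is the second half of the Erugo and Explorance findings.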
EUVD-2025-206461
Explorance Blue versions prior to 8.14.9 contain an authenticated unrestricted file upload vulnerability in the administrative interface. The application does not adequately restrict uploaded file types, allowing malicious files to be uploaded and executed by the server. This condition enables...