PT-2026-35587

A vulnerability was identified in eghuzefa engineer-your-data up to 0.1.3. This vulnerability affects the function read file/write file/list files/file inf of the file src/server.py. The manipulation of the argument WORKSPACE PATH leads to path traversal. The attack may be initiated remotely. The...

PT-2026-35681

A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal...

PT-2026-35682

A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file path results in path traversal. The attack may b...

PT-2026-35586

A vulnerability was detected in ef10007 MLOps MCP 1.0.0. This impacts an unknown function of the file fastmcp server.py of the component save file Tool. The manipulation of the argument filename/destination results in path traversal. The attack may be performed from remote. The exploit is now...

PT-2026-35574

A vulnerability was identified in duartium papers-mcp-server 9ceb3812a6458ba7922ca24a7406f8807bc55598. Impacted is the function search papers of the file src/main.py. Such manipulation of the argument topic leads to path traversal. The attack may be launched remotely. The exploit is publicly...

PT-2026-35669

A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the...

PT-2026-35585

A security vulnerability has been detected in edvardlindelof notes-mcp up to 0.1.4. This affects an unknown function of the file notes mcp.py. The manipulation of the argument root dir/path leads to path traversal. The attack is possible to be carried out remotely. The exploit has been disclosed...

PT-2026-35650

A vulnerability was detected in Totolink N300RT 3.4.0-B20250430. The impacted element is the function is cmd string valid of the file /boafrm/formWsc of the component libapmib.so. Performing a manipulation of the argument localPin results in buffer overflow. The attack is possible to be carried o...

PT-2026-35732

A vulnerability was identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This affects the function delete expired of the file /ajax.php?action=delete expired. The manipulation of the argument ID leads to sql injection. It is possible to initiate the attack remotely. The exploit i...

CVE-2026-40356

MIT Kerberos 5 (krb5) before 1.22.3 is affected by an integer underflow that causes an out-of-bounds read when an application calls gss_accept_sec_context() on systems with a NegoEx mechanism registered in /etc/gss/mech. An unauthenticated remote attacker can trigger this, potentially causing the...

CVE-2026-7202 Totolink A8000RU CGI cstecgi.cgi setWiFiWpsStart os command injection

A vulnerability has been found in Totolink A8000RU 7.1cu.643b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The...

EUVD-2026-25959

A vulnerability has been found in Totolink A8000RU 7.1cu.643b20200521. This affects the function setWiFiWpsStart of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument wscDisabled leads to os command injection. The attack can be initiated remotely. The...

EUVD-2026-25955

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The...

CVE-2026-7200

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The...

CVE-2026-41364 OpenClaw < 2026.3.31 - Arbitrary File Write via Symlink Following in SSH Sandbox Tar Upload

OpenClaw before 2026.3.31 contains a symlink following vulnerability in SSH sandbox tar upload that allows remote attackers to write arbitrary files. Attackers can exploit this by uploading tar archives containing symlinks to escape the sandbox and overwrite files on the remote host...

CVE-2026-7199

SourceCodester Pharmacy Sales and Inventory System 1.0 contains a SQL injection in /ajax.php?action=delete_product via manipulation of the ID parameter. The vulnerability can be exploited remotely, with the exploit publicly available. The CVE records confirm an attacker could leverage this flaw t...

CVE-2026-7199 SourceCodester Pharmacy Sales and Inventory System ajax.php sql injection

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=deleteproduct. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the atta...

EUVD-2026-25954

A vulnerability was detected in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this vulnerability is an unknown functionality of the file /ajax.php?action=deleteproduct. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the atta...

CVE-2026-7196 CodeAstro Online Classroom guestdetails sql injection

A security vulnerability has been detected in CodeAstro Online Classroom 1.0. Affected is an unknown function of the file /guestdetails. Such manipulation of the argument deleteid leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be...

CVE-2026-7196

CodeAstro Online Classroom 1.0 is affected by CVE-2026-7196. The vulnerability exists in an unknown function under /guestdetails where manipulating the deleteid parameter enables SQL injection. The issue is exploitable remotely and an exploit has been publicly disclosed. No remediation details ar...