USN-8366-1 luanti vulnerabilities

It was discovered that Luanti, when using LuaJIT, did not properly enforce Lua sandbox restrictions. An attacker could possibly use this issue to execute arbitrary code. CVE-2026-40959 It was discovered that Luanti did not properly restrict access to insecure environments. An attacker could...

FlowiseAI Vulnerable to Credential Data Leak

Severity: HIGH CVSS 7.5 Type: CWE-200 Exposure of Sensitive Information File: packages/server/src/services/credentials/index.ts:62-71 Description: When credentials are fetched with a credentialName filter parameter, the encryptedData field is NOT stripped from the response. The code properly omit...

BIT-JRE-2024-21011

Vulnerability in the Oracle Java SE, Oracle GraalVM for JDK, Oracle GraalVM Enterprise Edition product of Oracle Java SE component: Hotspot. Supported versions that are affected are Oracle Java SE: 8u401, 8u401-perf, 11.0.22, 17.0.10, 21.0.2, 22; Oracle GraalVM for JDK: 17.0.10, 21.0.2, 22; Oracl...

CVE-2025-69691

PfSense Community Edition 2.8.0 is affected by CVE-2025-69691, an authenticated remote code execution via the XMLRPC API endpoint pfsense.exec_php. The vulnerability allows executing arbitrary PHP code as root after authenticating with Basic Auth (the PoC notes usage of admin:pfsense, and the XML...

EUVD-2026-26843

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

CVE-2026-7705

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

CVE-2026-7705

JD Cloud JDCOS 4.5.1.r4518 is affected. The vulnerability targets the /jdcap Service Interface’s set_iptv_info function, where manipulating the vid argument enables remote command injection. Exploitation is possible remotely and a published exploit exists. Vendor was contacted early but did not r...

CVE-2026-7705 JD Cloud JDCOS Service jdcap set_iptv_info command injection

A flaw has been found in JD Cloud JDCOS 4.5.1.r4518. This vulnerability affects the function setiptvinfo of the file /jdcap of the component Service Interface. Executing a manipulation of the argument vid can lead to command injection. It is possible to launch the attack remotely. The exploit has...

JD Cloud JDCOS 注入漏洞

JD Cloud JDCOS is a cloud object storage service provided by JD.com, a Chinese e-commerce company. The version JD Cloud JDCOS 4.5.1.r4518 contains a vulnerability due to an injection flaw in the Service Interface component. This flaw stems from the function setiptvinfo in the file/jdcap, which...

EUVD-2026-23388

Red Magic 11 Pro NX809J contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific...

PT-2026-33421

Red Magic 11 Pro NX809J contains a vulnerability that allows non-privileged applications to trigger sensitive operations. The vulnerability stems from the lack of validation for applications accessing the service interface. Exploiting this vulnerability, an attacker can write files to specific...

CVE-2026-40247

free5GC is an open-source implementation of the 5G core network. In versions 4.2.1 and below of the UDR service, the handler for reading Traffic Influence Subscriptions checks whether the influenceId path segment equals subs-to-notify, but does not return after sending the HTTP 404 response when...

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC such as 1.4.2 and earlier contain security vulnerabilities. These vulnerabilities stem from the UDR service’s handling of traffic affected by subscriptions. After a verification failure, the proce...

free5GC 安全漏洞

free5GC is an open-source project for the 5th generation 5G mobile core network. Versions of free5GC prior to 4.2.1 contained security vulnerabilities. These vulnerabilities stemmed from the process of creating or updating traffic-influenced subscriptions in the UDR service. After a verification...

free5gc UDR improper path validation allows unauthenticated creation and modification of Traffic Influence Subscriptions

Summary An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to create or overwrite Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment...

CVE-2026-27676 Missing Authorization check in SAP S/4HANA OData Service (Manage Technical Object Structures)

Due to missing authorization checks in the SAP S/4HANA OData Service Manage Technical Object Structures, an attacker could update and delete child entities via exposed OData services without proper authorization. This vulnerability results in a low impact on integrity, while confidentiality and...

SAP S/4HANA OData Service 安全漏洞

The SAP S/4HANA OData Service is an enterprise system data interface and service integration component provided by the German company SAP. There is a security vulnerability in the SAP S/4HANA OData Service. This vulnerability stems from the lack of authorization checks, which may allow attackers ...

PT-2026-32972

Summary An information disclosure vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to retrieve stored subscriber identifiers SUPI/IMSI with a single HTTP GET request requiring no parameters or credentials. Details The endpoint...

PT-2026-30955

ChurchCRM is an open-source church management system. Prior to 7.1.0, an authenticated API user can modify any family record's state without proper authorization by simply changing the familyId parameter in requests, regardless of whether they possess the required EditRecords privilege...

CVE-2026-20160

Cisco Smart Software Manager On-Prem (SSM On-Prem) is affected by CVE-2026-20160 due to an unintended exposure of an internal service. An unauthenticated, remote attacker could send a crafted request to the exposed service API and execute commands on the underlying OS with root-level privileges. ...