CVE-2026-39111

CVE-2026-39111 concerns an SQL injection vulnerability in the Apartment Visitors Management System V1.1. The flaw is triggered in the forgot-password.php page via the email parameter, allowing an unauthenticated attacker to manipulate backend SQL queries and retrieve sensitive user data. The conn...

New CGrabber and Direct-Sys Malware Spread Through GitHub ZIP Files

Hackers spread CGrabber and Direct-Sys malware through GitHub ZIP files, bypassing security tools to steal passwords, crypto wallets, and user data...

MAL-2026-2828 Malicious code in express-security-policy (npm)

Package is malicious. It exfiltrates user/host info to a remote server with obfuscation, delayed execution, and error suppression via preinstall script. --- -= Per source details. Do not edit below this line.=- Source: amazon-inspector...

GHSA-CCQ9-R5CW-5HWQ WWBN AVideo has CORS Origin Reflection with Credentials on Sensitive API Endpoints Enables Cross-Origin Account Takeover

Summary The allowOrigin$allowAll=true function in objects/functions.php reflects any arbitrary Origin header back in Access-Control-Allow-Origin along with Access-Control-Allow-Credentials: true. This function is called by both plugin/API/get.json.php and plugin/API/set.json.php — the primary API...

GHSA-X5R2-R74C-3W28 free5gc UDR improper path validation allows unauthenticated access to Traffic Influence Subscriptions

Summary An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to read Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment. Details The...

GHSA-G9CW-QWHF-24JP free5gc UDR improper path validation allows unauthenticated deletion of Traffic Influence Subscriptions

Summary An improper path validation vulnerability in the UDR service allows any unauthenticated attacker with access to the 5G Service Based Interface SBI to delete Traffic Influence Subscriptions by supplying an arbitrary value in place of the expected subs-to-notify path segment. Details The...

108 Malicious Chrome Extensions Steal Google and Telegram Data, Affecting 20,000 Users

Cybersecurity researchers have discovered a new campaign in which a cluster of 108 Google Chrome extensions has been found to communicate with the same command-and-control C2 infrastructure with the goal of collecting user data and enabling browser-level abuse by injecting ads and arbitrary...

CVE-2026-33708

Chamilo LMS is a learning management system. Prior to 1.11.38, the getuserinfofromusername REST API endpoint returns personal information email, first name, last name, user ID, active status of any user to any authenticated user, including students. There is no authorization check. This...

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

CVE-2026-33736 Chamilo LMS has an Insecure Direct Object Reference (IDOR) - User Data Exposure

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, any authenticated user including ROLESTUDENT can enumerate all platform users and access personal information email, phone, roles via GET /api/users, including administrator accounts. This vulnerability is fixed in 2.0.0-RC.3...

EUVD-2026-21563

Chamilo LMS is a learning management system. Prior to 1.11.38, the getuserinfofromusername REST API endpoint returns personal information email, first name, last name, user ID, active status of any user to any authenticated user, including students. There is no authorization check. This...

CVE-2026-33703 Chamilo LMS Critical IDOR: Any Authenticated User Can Extract All Users’ Personal Data and API Tokens

Chamilo LMS is a learning management system. Prior to 2.0.0-RC.3, an Insecure Direct Object Reference IDOR vulnerability in the /social-network/personal-data/userId endpoint allows any authenticated user to access full personal data and API tokens of arbitrary users by modifying the userId...

PT-2026-32023

Chamilo LMS is a learning management system. Prior to 1.11.38, the get user info from username REST API endpoint returns personal information email, first name, last name, user ID, active status of any user to any authenticated user, including students. There is no authorization check. This...

NSFW app leak exposes 70,000 prompts linked to individual users

MyLovely.AI, an AI “artwork” generation platform, has reportedly been compromised, affecting 106,362 registered users. The AI girlfriend app allows users to generate personalized NSFW content and engage in real-time conversations with AI-generated personas, often sharing highly personal prompts a...

CVE-2026-39937 Global vanishing does not completely remove user email

Improper removal of sensitive information before storage or transfer vulnerability in The Wikimedia Foundation Mediawiki - CentralAuth Extension allows Resource Leak Exposure. The issue has been remediated on the master branch, and in the release branches for MediaWiki versions 1.43, 1.44, and 1....

EUVD-2025-209268

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI...

CVE-2025-62818

An issue was discovered in Samsung Mobile Processor, Wearable Processor, and Modem Exynos 980, 990, 850, 1080, 2100, 1280, 2200, 1330, 1380, 1480, 2400, 1580, 2500, 9110, W920, W930, W1000, Modem 5123, Modem 5300, and Modem 5400. An out-of-bounds write occurs due to a mismatch between the TP-UDHI...

Samsung多款产品 安全漏洞

SAMSUNG Mobile Processors are products of South Korea’s Samsung Corporation. SAMSUNG Mobile Processors are a series of mobile processors. SAMSUNG Wearable Processors are a series of wearable processors. SAMSUNG Modem Exynos is a series of modem chips. Several Samsung products have security...

VulnCheck KEV: CVE-2025-43517

A privacy issue was addressed with improved private data redaction for log entries. This issue is fixed in macOS Sequoia 15.7.3, macOS Sonoma 14.8.3, macOS Tahoe 26.2. An app may be able to access protected user data...

CVE-2026-35050 text-generation-webui affected by Remote Code Execution (RCE) through Path Traversal at "Session -> Save extention settings to user_data/settings.yaml".

text-generation-webui is an open-source web interface for running Large Language Models. Prior to 4.1.1, users can save extention settings in "py" format and in the app root directory. This allows to overwrite python files, for instance the "download-model.py" file could be overwritten. Then, thi...