EUVD-2026-28398

A hidden, persistent backdoor was found in Yarbo firmware v2.3.9 that provides remote, unauthenticated or weakly authenticated access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and survives factory reset and ordinary firmware updates...

CVE-2026-7415

The MQTT broker embedded in Yarbo firmware v2.3.9 is configured to allow anonymous connections with no topic-level read or write ACLs. Any host on the same network can subscribe to sensitive telemetry topics or publish control messages directly to the robot without authentication or authorization...

CVE-2026-7414 Hardcoded credentials in Yarbo robot firmware

Yarbo firmware v2.3.9 contains hardcoded administrative credentials embedded in the firmware image. These credentials are identical across all devices running this firmware and cannot be changed or removed by end users, enabling trivial unauthorized access to device management interfaces by anyon...

CVE-2026-7413

The connected reports confirm CVE-2026-7413 affects Yarbo firmware v2.3.9, describing a hidden, persistent backdoor that grants remote, unauthenticated (or weakly authenticated) access to privileged functionality. The backdoor is undocumented, cannot be disabled via user-facing settings, and surv...

Yarbo 安全漏洞

Yarbo is a modular intelligent courtyard maintenance robot developed by the American company Yarbo. Version 2.3.9 of Yarbo contains a security vulnerability. This vulnerability stems from a hidden persistent backdoor, which may allow unauthorized, remote access with weak authentication to...

SUSE SLES16 Security Update : himmelblau (SUSE-SU-2026:21437-1)

The remote SUSE Linux SLES16 / SLESSAP16 host has packages installed that are affected by a vulnerability as referenced in the SUSE-SU-2026:21437-1 advisory. Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege...

openSUSE 16 Security Update : himmelblau (openSUSE-SU-2026:20658-1)

The remote openSUSE 16 host has packages installed that are affected by a vulnerability as referenced in the openSUSE- SU-2026:20658-1 advisory. Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege escalation...

SUSE-SU-2026:21437-1 Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b. Security issues fixed: - CVE-2026-34397: Fixed naming collision that can lead to local privilege escalation bsc1261324. Other updates and bugfixes: - update aws-lc-sys to 0.39.0 for security fixes - updat...

Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b; jscPED-14511: CVE-2026-34397: Fix LPE due to name collision during NSS fake-primary group lookup bsc1261324. CVE-2026-31979: Fix race condition when accessiung /tmp/krb5ccuid bsc1259548. CVE-2026-25727:...

SUSE-SU-2026:1361-1 Security update for himmelblau

This update for himmelblau fixes the following issues: Update to version 2.3.9+git0.a9fd29b; jscPED-14511: - CVE-2026-34397: Fix LPE due to name collision during NSS fake-primary group lookup bsc1261324. - CVE-2026-31979: Fix race condition when accessiung /tmp/krb5ccuid bsc1259548. -...

OPENSUSE-SU-2026:10483-1 himmelblau-2.3.9+git0.a9fd29b-1.1 on GA media

These are all security issues fixed in the himmelblau-2.3.9+git0.a9fd29b-1.1 package on the GA media of openSUSE Tumbleweed...

CVE-2026-35056

Summary (supported by connected docs): XenForo versions before 2.3.9 and before 2.2.18 are affected by a remote code execution (RCE) vulnerability exploitable by authenticated, malicious admins who have access to the admin panel. The attacker can execute arbitrary code on the server. The referenc...

CVE-2026-35056

XenForo before 2.3.9 and before 2.2.18 allows remote code execution RCE by authenticated, but malicious, admin users. An attacker with admin panel access can execute arbitrary code on the server...

CVE-2026-35054 XenForo Stored Cross-Site Scripting via BB Code Rendering

XenForo before 2.3.9 is vulnerable to stored cross-site scripting XSS related to BB code rendering. An attacker can inject malicious scripts through BB code that are stored and executed when other users view the content...

EUVD-2026-15728

Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...

CVE-2026-25447

Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...

CVE-2026-25447 WordPress Widget Wrangler plugin <= 2.3.9 - Remote Code Execution (RCE) vulnerability

Improper Control of Generation of Code 'Code Injection' vulnerability in Jonathan Daggerhart Widget Wrangler widget-wrangler allows Code Injection.This issue affects Widget Wrangler: from n/a through = 2.3.9...

CVE-2026-25447

CVE-2026-25447 describes an Unauthenticated remote code execution vector in the WordPress plugin Widget Wrangler (

PT-2026-27948

Name of the Vulnerable Software and Affected Versions Widget Wrangler versions prior to 2.3.9 Description A code injection issue exists in Jonathan Daggerhart Widget Wrangler. The issue involves improper control of code generation. This allows for code injection. Recommendations Update Widget...

CVE-2026-0944

The CVE-2026-0944 entry concerns Drupal Group Invite. Affected: Drupal Group invite module versions before 2.3.9, before 3.0.4, and before 4.0.4. Description: an improper check for unusual or exceptional conditions enables forceful browsing, effectively an access-bypass vulnerability. Impact: una...