86958 matches found

Cvelist
added 2026/05/04 12:15 a.m.

CVE-2026-7714 crocodilestick Calibre-Web-Automated Admin Endpoint cwa_functions.py missing authentication

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The...

CVSS 6.9 · EPSS 0.00456
Exploits: 0 · References: 7
EUVD
added 2026/05/04 12:15 a.m.

EUVD-2026-26865

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The...

CVSS 6.9 · AI score 6.2 · EPSS 0.00456
Exploits: 0 · References: 7
ATTACKERKB
added 2026/05/04 12:15 a.m.

CVE-2026-7714

A flaw has been found in crocodilestick Calibre-Web-Automated up to 4.0.6. Affected by this issue is some unknown functionality of the file cps/cwa_functions.py of the component Admin Endpoint. This manipulation causes missing authentication. It is possible to initiate the attack remotely. The...

CVSS 6.9 · AI score 6.2 · EPSS 0.00456
Exploits: 0 · References: 7 · Affected Software: 1
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-37160

Name of the Vulnerable Software and Affected Versions: CI4MS versions 0.31.1.0 through 0.31.7.0. Description: The deleteProcess function in the /backend/themes/delete-process/slug endpoint fails to validate the tables POST parameter. An authenticated administrator can send a crafted request containi...

CVSS 6.9 · AI score 6 · EPSS 0.00344
Exploits: 0 · References: 6
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-37201

CVE-2026-42312: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value API method (@permission(Perms.SETTINGS)) in src/p… https://t.co/ADtnuQJj56...

CVSS 6.8 · AI score 5.8 · EPSS 0.00174
Exploits: 1 · References: 11
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-36791

A vulnerability was identified in SourceCodester Web-based Pharmacy Product Management System 1.0. Affected is an unknown function of the file /product_expiry/edit-admin.php. Such manipulation of the argument ID leads to SQL injection. It is possible to launch the attack remotely. The exploit is...

CVSS 6.5 · AI score 6.5 · EPSS 0.00192
Exploits: 0 · References: 6
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-37051

CVE-2026-42313: pyLoad is a free and open-source download manager written in Python. Prior to 0.5.0b3.dev100, the set_config_value API method (@permission(Perms.SETTINGS)) in src/p… https://t.co/8rZNAbQm5s...

CVSS 8.3 · AI score 5.8 · EPSS 0.00396
Exploits: 1 · References: 11
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-37203

Name of the Vulnerable Software and Affected Versions: Pelican versions 7.21.0 through 7.21.4; Pelican versions 7.22.0 through 7.22.2; Pelican versions 7.23.0 through 7.23.2; Pelican versions 7.24.0 through 7.24.1. Description: A privilege escalation issue exists in the Web User Interface (WebUI) that...

CVSS 9 · AI score 5.8 · EPSS 0.0032
Exploits: 0 · References: 7
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-36929

Name of the Vulnerable Software and Affected Versions: Amazon WorkSpaces for Windows versions prior to 2.6.2034.0. Description: Improper privilege management in the log rotation mechanism of the Skylight Workspace Config Service allows a local non-admin authenticated user to place arbitrary files in...

CVSS 8.5 · AI score 5.9 · EPSS 0.00122
Exploits: 0 · References: 7
CNNVD
added 2026/05/04 12:00 a.m.

SourceCodester Web-based Pharmacy Product Management System injection vulnerability

SourceCodester Web-based Pharmacy Product Management System is an open-source pharmacy product management system developed by SourceCodester. Version 1.0 of the SourceCodester Web-based Pharmacy Product Management System has a SQL injection vulnerability. This vulnerability arises from unknown...

CVSS 6.5 · AI score 6.7 · EPSS 0.00192
Exploits: 0 · References: 1
Packet Storm
added 2026/05/04 12:00 a.m.

UltimatePOS 4.8 Cross Site Scripting

The administrative panel in UltimatePOS version 4.8 suffers from a persistent cross site scripting vulnerability. CVE-2025-60503: Stored Cross-Site Scripting (XSS) in UltimatePOS (UltimateFosters) v4.8. Publication date: 2025-10-30. CVE ID: CVE-2025-60503 (RESERVED). Researcher: Vivien Lebas. Vendor:...

CVSS 8.7 · AI score 5.3 · EPSS 0.00334
Exploits: 3
CNNVD
added 2026/05/04 12:00 a.m.

Calibre-Web Automated authorization vulnerability

Calibre-Web Automated is a self-hosted digital library management tool developed by the individual developer CrocodileStick. Versions of Calibre-Web Automated prior to 4.0.6 contained an authorization vulnerability. This vulnerability stemmed from an unknown feature in the Admin Endpoint component’...

CVSS 6.9 · AI score 6.6 · EPSS 0.00456
Exploits: 0 · References: 1
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-36932

Name of the Vulnerable Software and Affected Versions: CodeCanyon Perfex CRM versions prior to 3.4.2. Description: A flaw in the Admin Kanban Endpoint allows for remote SQL injection, which is a technique where malicious SQL statements are inserted into entry fields for execution. The issue exists...

CVSS 6.5 · AI score 5.8 · EPSS 0.00241
Exploits: 0 · References: 7
VulnCheck KEV
added 2026/05/04 12:00 a.m.

VulnCheck KEV: CVE-2026-2931

The Amelia Booking plugin for WordPress is vulnerable to Insecure Direct Object References in versions up to, and including, 9.1.2. This is due to the plugin providing user-controlled access to objects, letting a user bypass authorization and access system resources. This makes it possible for...

CVSS 8.8 · AI score 7.4 · EPSS 0.00382
In the wild · Exploits: 0 · References: 2
CNNVD
added 2026/05/04 12:00 a.m.

Nginx UI access control error vulnerability

Nginx UI is a web interface for Nginx developed by Jacky. In versions 2.0.0 to 2.3.8 of Nginx UI, there was an access control vulnerability. This vulnerability stemmed from the fact that the public/api/install endpoint required no authentication during the first run, allowing unauthenticated...

CVSS 9.8 · AI score 5.8 · EPSS 0.00346
Exploits: 1 · References: 2
VulnCheck KEV
added 2026/05/04 12:00 a.m.

VulnCheck KEV: CVE-2024-13421

The Real Estate 7 WordPress theme for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 3.5.1. This is due to the plugin not properly restricting the roles allowed to be selected during registration. This makes it possible for unauthenticated attackers to...

CVSS 9.8 · AI score 7.4 · EPSS 0.00716
In the wild · Exploits: 0 · References: 2
Positive Technologies
added 2026/05/04 12:00 a.m.

PT-2026-36742

Name of the Vulnerable Software and Affected Versions: crocodilestick Calibre-Web-Automated versions prior to 4.0.7. Description: A flaw in the Admin Endpoint component, specifically within the cps/cwa_functions.py file, allows for missing authentication. This issue enables a remote attacker to bypa...

CVSS 6.9 · AI score 6.6 · EPSS 0.00456
Exploits: 0 · References: 9
AstraLinux
added 2026/05/03 11:59 p.m.

Astra Linux – Vulnerability in Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: Remove the tag set when the second admin queue configuration fails. Commit 104d0e2f6222 “nvme-fabrics: Reset the admin connection for secure concatenation” modified nvme_tcp_setup_ctrl to call nvme_tcp_configure_admin_queue...

CVSS 7.8 · AI score 5.4 · EPSS 0.00146
Exploits: 0 · References: 2
AstraLinux
added 2026/05/03 11:59 p.m.

Astra Linux – Vulnerability in Linux, Linux 5.10

In the Linux kernel, the following vulnerability has been resolved: nvme-tcp: fixed a possible use-after-free issue in the transport error recovery process. While nvme_tcp_submit_async_event_work checks the ctrl and queue states before preparing the AER command and scheduling io_work, this check is...

CVSS 7.8 · AI score 6.4 · EPSS 0.00246
Exploits: 0 · References: 2
AstraLinux
added 2026/05/03 11:59 p.m.

Astra Linux – Vulnerability in Linux 5.10, Linux, Linux 5.15

An issue was discovered in the Linux kernel before version 6.1.11. In net/netrom/af_netrom.c, there is a use-after-free condition, as “accept” is also allowed for a successfully connected AF_NETROM socket. However, for an attacker to exploit this vulnerability, the system must have netrom routing...

CVSS 6.7 · AI score 6.8 · EPSS 0.00273
Exploits: 0 · References: 2