Lucene search

192086 matches found

EUVD
added 2026/04/06 9:31 p.m. | 9 views

EUVD-2026-19434

A vulnerability was identified in Totolink A8000R 5.9c.681B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available...

CVSS 7.5 | AI score 6.8 | EPSS 0.00405
Exploits: 0 | References: 6

CVE
added 2026/04/06 9:30 p.m. | 10 views

CVE-2026-35408

Summary of CVE-2026-35408 (Directus): Prior to 11.17.0, Directus SSO login pages did not send COOP headers, enabling a malicious cross-origin window to access/manipulate the login page and potentially intercept/redirect the OAuth flow to an attacker-controlled client. This could lead to unauthori...

CVSS 9.3 | AI score 5.9 | EPSS 0.00169
Exploits: 0 | References: 1 | Affected Software: 1

RedhatCVE
added 2026/04/06 8:33 p.m. | 4 views

CVE-2026-34755

A flaw was found in vLLM, an inference and serving engine for large language models. A remote attacker can exploit a vulnerability in the VideoMediaIO.loadbase64 method by sending a single API request containing a large number of comma-separated base64-encoded JPEG frames. This bypasses the...

CVSS 6.5 | AI score 7.1 | EPSS 0.00277
Exploits: 0 | References: 4

NVD
added 2026/04/06 8:16 p.m. | 2 views

CVE-2026-5682

A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to risky cryptographic algorithm. The attack may be performed from remote. The attack requires ...

CVSS 6.3 | EPSS 0.00188
Exploits: 0 | References: 4

Vulnrichment
added 2026/04/06 8:13 p.m. | 4 views

CVE-2026-35390 Content-Security-Policy was set to Report-Only mode, failing to block XSS attacks

Bulwark Webmail is a self-hosted webmail client for Stalwart Mail Server. Prior to 1.4.11, the reverse proxy proxy.ts set the Content-Security-Policy-Report-Only header instead of the enforcing Content-Security-Policy header. This means cross-site scripting XSS attacks were logged but not blocked...

CVSS 5.3 | AI score 6 | EPSS 0.00167
Exploits: 0 | References: 1

GithubExploit
added 2026/04/06 7:59 p.m. | 98 views

Multi-Stage-Web-Attack-XSS-to-Admin-Takeover-and-RCE

🛡️ Multi-Stage Web Attack: XSS to Admin Takeover & RCE This p...

AI score 6
Exploits: 0

Cvelist
added 2026/04/06 7:45 p.m. | 19 views

CVE-2026-5682 Meesho Online Shopping App com.meesho.supply endpoint risky encryption

A vulnerability has been found in Meesho Online Shopping App up to 27.3 on Android. Affected is an unknown function of the file /api/endpoint of the component com.meesho.supply. Such manipulation leads to risky cryptographic algorithm. The attack may be performed from remote. The attack requires ...

CVSS 6.3 | EPSS 0.00188
Exploits: 0 | References: 4

CVE
added 2026/04/06 7:45 p.m. | 5 views

CVE-2026-5682

CVE-2026-5682 affects Meesho Online Shopping App (Android) in the com.meesho.supply component, specifically an unknown function in /api/endpoint. The issue arises from manipulation that leads to a risky cryptographic algorithm. Attack surface is remote, with high complexity required for exploitat...

CVSS 6.3 | AI score 5.1 | EPSS 0.00188
Exploits: 0 | References: 4

NVD
added 2026/04/06 7:16 p.m. | 2 views

CVE-2026-5676

A vulnerability was identified in Totolink A8000R 5.9c.681B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available...

CVSS 7.5 | EPSS 0.00405
Exploits: 0 | References: 5

NVD
added 2026/04/06 7:16 p.m. | 1 views

CVE-2026-5677

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313b20191024. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument resetFlags results in os command injection. The attack may be initiated remotely. The exploit has been...

CVSS 7.5 | EPSS 0.0114
Exploits: 0 | References: 5

EUVD
added 2026/04/06 6:33 p.m. | 5 views

EUVD-2026-19430

A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /edit-category.php of the component Parameter Handler. The manipulation of the argument catid leads to sql injection. It is possible to initiate the...

CVSS 7.5 | AI score 6.8 | EPSS 0.00254
Exploits: 0 | References: 6

ATTACKERKB
added 2026/04/06 6:15 p.m. | 0 views

CVE-2026-5676

A vulnerability was identified in Totolink A8000R 5.9c.681B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available...

CVSS 7.5 | AI score 6.8 | EPSS 0.00405
Exploits: 0 | References: 5 | Affected Software: 1

Vulnrichment
added 2026/04/06 6:15 p.m. | 0 views

CVE-2026-5676 Totolink A8000R cstecgi.cgi setLanguageCfg missing authentication

A vulnerability was identified in Totolink A8000R 5.9c.681B20180413. This issue affects the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi. Such manipulation of the argument langType leads to missing authentication. The attack can be launched remotely. The exploit is publicly available...

CVSS 7.5 | AI score 6.8 | EPSS 0.00405
Exploits: 0 | References: 5

RedhatCVE
added 2026/04/06 6:13 p.m. | 3 views

CVE-2026-34380

A flaw was found in OpenEXR, an image storage format library. A remote attacker could exploit a signed integer overflow vulnerability in the undopxr24impl function when processing a specially crafted EXR image file. This overflow can cause the application to write pixel data beyond its allocated...

CVSS 5.9 | AI score 6.3 | EPSS 0.00255
Exploits: 1 | References: 4

ATTACKERKB
added 2026/04/06 5:45 p.m. | 1 views

CVE-2026-5672

A vulnerability has been found in code-projects Simple IT Discussion Forum 1.0. Affected by this issue is some unknown functionality of the file /edit-category.php of the component Parameter Handler. The manipulation of the argument catid leads to sql injection. It is possible to initiate the...

CVSS 7.5 | AI score 6.8 | EPSS 0.00254
Exploits: 0 | References: 5 | Affected Software: 1

CVE
added 2026/04/06 5:45 p.m. | 7 views

CVE-2026-5672

The CVE concerns code-projects Simple IT Discussion Forum 1.0. The issue resides in the Parameter Handler’s /edit-category.php, where manipulating the category ID (cat_id) enables SQL injection. This can be triggered remotely, and the exploit has been publicly disclosed. No remediation details ar...

CVSS 7.5 | AI score 6.8 | EPSS 0.00254
Exploits: 0 | References: 5

NVD
added 2026/04/06 5:17 p.m. | 3 views

CVE-2026-34841

Bruno is an open source IDE for exploring and testing APIs. Prior to 3.2.1, Bruno was affected by a supply chain attack involving compromised versions of the axios npm package, which introduced a hidden dependency deploying a cross-platform Remote Access Trojan RAT. Users of @usebruno/cli who ran...

CVSS 9.8 | EPSS 0.00234
Exploits: 0 | References: 4

IBM Security Bulletins
added 2026/04/06 5:12 p.m. | 5 views

Security Bulletin: IBM OpenAPI SDK Generator (Node.js) is affected by the Axios supply chain attack

Summary Due to an Axios supply chain attack, a fix for IBM Node.js SDK Core https://github.com/IBM/node-sdk-core was made available on April 2, 2026 21:03 UTC to mitigate the attack. If you used a previous version there is a possibility the affected Axios package could have been available on your...

AI score 6
Exploits: 0 | Affected Software: 1

RedhatCVE
added 2026/04/06 5:0 p.m. | 3 views

CVE-2026-5572

A security flaw has been discovered in Technostrobe HI-LED-WR120-G2 5.5.0.1R6.03.30. This affects an unknown function. Performing a manipulation results in cross-site request forgery. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. Th...

CVSS 5.3 | AI score 5.5 | EPSS 0.00233
Exploits: 1 | References: 1

RedhatCVE
added 2026/04/06 5:0 p.m. | 3 views

CVE-2026-5579

A vulnerability was determined in CodeAstro Online Classroom 1.0. This issue affects some unknown processing of the file /OnlineClassroom/updatedetailsfromfaculty.php?myfid=108 of the component Parameter Handler. Executing a manipulation of the argument fname can lead to sql injection. The attack...

CVSS 6.5 | AI score 6.5 | EPSS 0.00257
Exploits: 0 | References: 1