CVE-2026-2852
The CVE-2026-2852 issue affects yeqifu warehouse’s Sales Endpoint, specifically the SalesController.java functions addSales/updateSales/deleteSales in the file dataset\repos\warehouse\src\main\java\com\yeqifu\bus\controller\SalesController.java. The vulnerability is caused by improper access cont...
GHSA-QHP6-635J-X7R2 Static Web Server affected by timing-based username enumeration in Basic Authentication due to early response on invalid usernames
Summary A timing-based username enumeration vulnerability in Basic Authentication, due to an early response on invalid usernames, could allow attackers to identify valid users and focus their efforts on targeted brute-force or credential-stuffing attacks. Details SWS validates the provided username...
CVE-2026-26721
An issue in Key Systems Inc Global Facilities Management Software v.20230721a allows a remote attacker to obtain sensitive information via the sid query parameter...
CVE-2025-69386
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in realvirtualmx RVCFDI para Woocommerce rvcfdi-para-woocommerce allows Reflected XSS. This issue affects RVCFDI para Woocommerce: from n/a through = 8.1.8...
CVE-2025-68845
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in aThemeArt Translations eDS Responsive Menu eds-responsive-menu allows Reflected XSS. This issue affects eDS Responsive Menu: from n/a through = 1.2...
CVE-2025-67971
Improper Neutralization of Input During Web Page Generation 'Cross-site Scripting' vulnerability in WPManageNinja FluentCart fluent-cart allows Reflected XSS. This issue affects FluentCart: from n/a through 1.3.0...
CVE-2025-68495
CVE-2025-68495 is a Reflected XSS in Crocoblock JetEngine (JetEngine) before version 3.8.0. Root cause: improper input neutralization during web page generation. Impact per sources includes HIGH severity (CVSS 3.1: AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L; base score 7.1). Remediation: upgrade JetEngi...
CVE-2025-53237
CVE-2025-53237 affects the Soflyy WP Wizard Cloak plugin for WordPress, specifically the wp-wizard-cloak component, with versions up to and including 1.0.1. The root cause is improper neutralization of input during web page generation, enabling a Reflected XSS vulnerability. Impact per the entry ...
CVE-2026-22885 EnOcean SmartServer IoT Out-of-bounds Read
A vulnerability exists in EnOcean SmartServer IoT version 4.60.009 and prior, which would allow remote attackers, in the LON IP-852 management messages, to send specially crafted IP-852 messages resulting in a memory leak from the program's memory...
CVE-2026-26994
A flaw was found in uTLS. An active network attacker could exploit this vulnerability by manipulating the initial connection message ClientHello during the TLS handshake. This manipulation forces a downgrade from the more secure TLS 1.3 protocol to an older, less secure version like TLS 1.2. As a...
CVE-2026-2709
A flaw has been found in busy up to 2.5.5. The affected element is an unknown function of the file source-code/busy-master/src/server/app.js of the component Callback Handler. Executing a manipulation of the argument state can lead to open redirect. It is possible to launch the attack remotely. T...
CVE-2026-2825 rachelos WeRSS we-mp-rss Article fix.py fix_html cross site scripting
A vulnerability has been found in rachelos WeRSS we-mp-rss up to 1.4.8. This impacts the function fix_html of the file tools/fix.py of the component Article Module. The manipulation leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed to the...
CVE-2026-2824
Comfast CF-E7 firmware 2.6.0.9 contains a vulnerability in webmggnt's /cgi-bin/mbox-config?method=SET&section=ping_config: the function sub_441CF4 can be tricked by altering the destination argument to achieve command injection. The flaw allows remote exploitation; multiple sources note the explo...
CVE-2026-26994
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spe...
UBUNTU-CVE-2026-26994
uTLS is a fork of crypto/tls, created to customize ClientHello for fingerprinting resistance while still using it for the handshake. In versions 1.6.7 and below, uTLS did not implement the TLS 1.3 downgrade protection mechanism specified in RFC 8446 Section 4.1.3 when using a uTLS ClientHello spe...
CVE-2026-26993
CVE-2026-26993 affects the Flare file sharing platform (Next.js-based) up to version 1.7.0. An attacker can embed malicious JavaScript in an SVG (or HTML/XML) and trigger script execution in the app’s origin when a file is viewed in “raw” mode, enabling stored XSS and potential user data exfiltra...
CVE-2026-2820
A security flaw has been discovered in Fujian Smart Integrated Management Platform System up to 7.5. This issue affects some unknown processing of the file /Module/CRXT/Controller/XAccessPermissionPlus.ashx. The manipulation of the argument DeviceIDS results in sql injection. The attack may be...