CVE-2026-56315 picklescan - Remote Code Execution via Unblocked Standard Library Modules

picklescan before 1.0.4 fails to block at least seven Python standard library modules including uuid, osxsupport, aixsupport, pyrepl.pager, and imaplib exposing eight functions that provide direct arbitrary command execution. Attackers can craft malicious pickle files importing these unblocked...

CVE-2026-10711 RCE in Akınsoft's CafePlus

Missing authentication for critical function vulnerability in AKIN Software Computer Import Export Industry and Trade Ltd. CafePlus allows Accessing Functionality Not Properly Constrained by ACLs. This issue affects CafePlus: from 12.05.03 before 12.05.04...

CVE-2026-44089 Buffer Overflow in Totolink EX1200L router

Totolink EX1200L router is vulnerable to Buffer Overflow in the login functionality in cgi-bin/cstecgi.cgi endpoint. This vulnerability could be exploited to cause the program to crash and to execute code remotely. This allows the attacker to perform actions as root including reading and editing...

postgresql: integer overflow can cause an undersized allocation and an out-of-bounds write

A flaw was found in PostgreSQL. An integer overflow in multiple server features allows an unprivileged database user to cause an undersized memory allocation that leads to an out-of-bounds write. This issue allows an attacker to execute arbitrary code as the operating system user running the...

redis: RESTORE invalid memory access may allow remote code execution

A flaw was found in Redis. An authenticated attacker with permission to execute the RESTORE command can send a crafted serialized payload that may lead to an invalid memory access due to an improper validation of the serialized values. This flaw can cause the server to crash and may allow arbitra...

redis: RESTORE invalid memory access may allow remote code execution

A flaw was found in Redis. An authenticated attacker with permission to execute the RESTORE command can send a crafted serialized payload that may lead to an invalid memory access due to an improper validation of the serialized values. This flaw can cause the server to crash and may allow arbitra...

Important: Red Hat Security Advisory: redis security update

An update for redis is now available for Red Hat Enterprise Linux 9.4 Update Services for SAP Solutions. Red Hat Product Security has rated this update as having a security impact of Important. A Common Vulnerability Scoring System CVSS base score, which gives a detailed severity rating, is...

vim: Vim: Command injection allows arbitrary code execution via malicious tag files

A flaw was found in Vim, an open-source command-line text editor. This command injection vulnerability occurs during tag file processing. A local user could craft a malicious tags file containing backtick syntax in the filename field. When Vim resolves a tag from this file, it executes the embedd...

CVE-2026-12866

All versions of the package expr-eval are vulnerable to Code Execution via the toJSFunction API. An attacker can execute arbitrary JavaScript by supplying crafted expressions that are compiled into native code using new Function. Because user-controlled expressions are transformed directly into...

Shirne CMS 1.2.0 - Local File Inclusion

Shirne CMS 1.2.0 is vulnerable to local file inclusion which could cause arbitrary file read via /static/ueditor/php/controller.php. id: CVE-2022-37299 info: name: Shirne CMS 1.2.0 - Local File Inclusion author: pikpikcu severity: medium description: Shirne CMS 1.2.0 is vulnerable to local file...

Atmail 6.5.0 - Cross-Site Scripting

Atmail 6.5.0 contains a cross-site scripting vulnerability in WebAdmin Control Pane via the format parameter to the default URI, which allows remote attackers to inject arbitrary web script or HTML via the “format” parameter. id: CVE-2021-43574 info: name: Atmail 6.5.0 - Cross-Site Scripting...

Zaver - Local File Inclusion

Zaver through 2020-12-15 is vulnerable to local file inclusion via the GET /.. substring. id: CVE-2022-38794 info: name: Zaver - Local File Inclusion author: pikpikcu severity: high description: | Zaver through 2020-12-15 is vulnerable to local file inclusion via the GET /.. substring. impact: |...

WAVLINK WN535 G3 - Improper Access Control

WAVLINK WN535 G3 M35G3R.V5030.180927 is susceptible to improper access control. A vulnerability in /cgi-bin/ExportAllSettings.sh allows an attacker to execute arbitrary code via a crafted POST request and thereby possibly obtain sensitive information, modify data, and/or execute unauthorized...

Microweber <1.2.12 - Integer Overflow

Microweber before 1.2.12 is susceptible to integer overflow. The application allows large characters to insert in the input field 'first & last name,' which can allow an attacker to cause a denial of service via a crafted HTTP request. id: CVE-2022-0968 info: name: Microweber 1.2.12 - Integer...

Wavlink WN535K2/WN535K3 - OS Command Injection

Wavlink WN535K2 and WN535K3 routers are susceptible to OS command injection in an unknown part of the file /cgi-bin/mesh.cgi?page=upgrade via manipulation of the argument key. An attacker can execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised...

Imgproxy <= 3.14.0 - Server-side request forgery (SSRF)

imgproxy =3.14.0 is vulnerable to Server-Side Request Forgery SSRF due to a lack of sanitization of the imageURL parameter. id: CVE-2023-30019 info: name: Imgproxy = 3.14.0 - Server-side request forgery SSRF author: DhiyaneshDK severity: medium description: | imgproxy =3.14.0 is vulnerable to...

vBulletin <= 5.6.9 - Pre-authentication Remote Code Execution

vBulletin before 5.6.9 PL1 allows an unauthenticated remote attacker to execute arbitrary code via a crafted HTTP request that triggers deserialization. This occurs because verifyserialized checks that a value is serialized by calling unserialize and then checking for errors. id: CVE-2023-25135...

Cuppa CMS v1.0 - Arbitrary File Upload

Cuppa CMS v1.0 was discovered to contain an arbitrary file upload vulnerability via the File Manager. id: CVE-2022-38296 info: name: Cuppa CMS v1.0 - Arbitrary File Upload author: theamanrawat severity: critical description: | Cuppa CMS v1.0 was discovered to contain an arbitrary file upload...

Codoforum 5.1 - Arbitrary File Upload

Codoforum 5.1 contains an arbitrary file upload vulnerability via the logo change option in the admin panel. An attacker can upload arbitrary files to the server, which in turn can be used to make the application execute file content as code. As a result, an attacker can potentially obtain...

WordPress InPost Gallery <2.1.4.1 - Local File Inclusion

WordPress InPost Gallery plugin before 2.1.4.1 is susceptible to local file inclusion. The plugin insecurely uses PHP's extract function when rendering HTML views, which can allow attackers to force inclusion of malicious files and URLs. This, in turn, can enable them to execute code remotely on...