Apache ActiveMQ < 5.16.5/5.17.3 - Remote Code Execution

Once an user is authenticated on Jolokia, he can potentially trigger arbitrary code execution. In details, in ActiveMQ configurations, jetty allows org.jolokia.http.AgentServlet to handler request to /api/jolokia org.jolokia.http.HttpRequestHandlerhandlePostRequest is able to create JmxRequest...

CVE-2026-49121

A flaw was found in AI Tensor Engine for ROCm AITER. This vulnerability allows unauthenticated remote attackers to execute arbitrary code by sending a specially crafted data package, known as a pickle payload, to a ZeroMQ ZMQ subscriber socket. This exploitation is possible due to a lack of...

CVE-2026-8713

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

EUVD-2026-37987

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

CVE-2026-8713

The CVE-2026-8713 vulnerability affects Avada (Fusion) Builder for WordPress up to version 3.15.3, where the maybe_delete_files() path handling allows path traversal to delete files (e.g., wp-config.php) via a form entry value. An unauthenticated attacker can submit a crafted payload through the ...

CVE-2026-8713 Avada (Fusion) Builder <= 3.15.3 - Unauthenticated Arbitrary File Deletion via Form Entry Value

The Avada Fusion Builder plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the maybedeletefiles function in all versions up to, and including, 3.15.3. This makes it possible for unauthenticated attackers to delete arbitrary files on the...

Malicious code in eslint-helper-1 (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector cfadd6e70cf70ee03d7aae8bfcaa916d29073c5e09ca614bfcb4538c3efc1832 Package masquerades as an ESLint helper but contains code in index.js that decodes base64 blobs through Buffer.from..., 'base64'.toString and pipes t...

CVE-2026-12045

A flaw was found in the pgAdmin 4 AI Assistant. An attacker with the ability to influence database content that the assistant reads can exploit a transaction bypass vulnerability through prompt injection. This allows the attacker to execute arbitrary SQL queries with the privileges of the pgAdmin...

CVE-2026-12046

A flaw was found in pgAdmin 4. Critical functions within the SQL Editor blueprint lacked proper authentication, allowing a remote attacker to bypass security controls. When combined with specific preconditions, such as knowledge of the Flask SECRETKEY and write access to the sessions directory,...

CVE-2026-12047

A flaw was found in pgAdmin 4. An authenticated pgAdmin user can exploit an HTML injection vulnerability in the cloud deployment module. By submitting a crafted input that triggers an SDK exception, an attacker can embed structural HTML directly into the Cloud Wizard's interface. This can lead to...

SUSE CVE-2026-55200

libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on packetlength field. Remote attackers can send crafted SSH packets with excessively large packetlength values to corrupt heap memory and achieve...

EUVD-2026-37962

PraisonAI before 1.5.115 contains a path traversal vulnerability in MultiAgentMonitor that fails to sanitize agent IDs when building file paths. Attackers can include traversal sequences like ../ in agent IDs to read, write, or overwrite arbitrary files, enabling sensitive disclosure, denial of...

CVE-2026-40624

Improper input validation in AVer PTC500S, PTC115, PTC500+, and PTC115+ cameras may allow a remote, unauthenticated attacker to achieve arbitrary code execution via a specially crafted web request...

PT-2026-51102

Name of the Vulnerable Software and Affected Versions Langflow versions prior to 1.9.2 Description An issue exists in components based on BaseFileComponent, including Docling DoclingInlineComponent, Docling Serve DoclingRemoteComponent, Read File FileComponent, NVIDIA Retriever Extraction...

PT-2026-50843

Name of the Vulnerable Software and Affected Versions BetterDocs Pro versions prior to 3.8.1 Description The plugin is susceptible to Local File Inclusion, a condition where an application includes files on a local server unexpectedly. Unauthenticated attackers can exploit this via the doc style...

PT-2026-50846

Name of the Vulnerable Software and Affected Versions Avada Fusion Builder versions prior to 3.15.4 Description The Avada Fusion Builder plugin for WordPress allows unauthenticated attackers to delete arbitrary files on the server due to insufficient file path validation in the maybe delete files...

Python Library yt-dlp < 2026.6.9 Multiple Vulnerabilities

The detected version of the yt-dlp Python package is prior to 2026.6.9. It is, therefore, affected by multiple vulnerabilities: - A vulnerability exists in yt-dlp that allows a remote attacker to write arbitrary OS-shortcut files such as .desktop, .url, .webloc to the user's filesystem, bypassing...

CVE-2026-51846

CVE-2026-51846 affects Tenda AC7 v15.03.06.44. The vulnerability is a stack buffer overflow in the WAN speed parameter (wanSpeed) of the /goform/AdvSetMacMtuWan route, leading to remote arbitrary code execution. Affected component is the WAN configuration endpoint; root cause is improper handling...

PT-2026-50969

Name of the Vulnerable Software and Affected Versions Tenda AC7 version 15.03.06.44 Description A stack buffer overflow exists in the '/goform/AdvSetMacMtuWan' endpoint. This issue occurs when processing the wanSpeed parameter, which can lead to remote arbitrary code execution. Recommendations At...

PT-2026-50888

Name of the Vulnerable Software and Affected Versions NI grpc-device versions prior to 2.17.0 Description An untrusted pointer dereference exists in the sideband streaming API. This issue allows an attacker to trigger an arbitrary memory dereference, which could lead to remote code execution...