CVE-2026-34916

A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on the database and have it executed during banner delivery. Inpu...

CVE-2026-34916

CVE-2026-34916 affects Revive Adserver 6.0.6 and earlier. A missing validation of user input when saving delivery limitations could allow a low‑privileged user to use the logical parameter to inject PHP code into the compiledlimitations field, which could be executed during banner delivery. The a...

EUVD-2026-38500

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

EUVD-2026-38507

A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on the database and have it executed during banner delivery. Inpu...

CVE-2026-44959

A missing validation of user input exists when saving delivery limitations in Revive Adserver 6.0.6 and earlier. A low‑privileged user could add an unexpected component parameter and inject malicious PHP code into the compiledlimitations field, which would then be executed during banner delivery...

CVE-2026-34916

A missing validation of user input when saving delivery limitations in Revive Adserver 6.0.6 and earlier could allow a low‑privileged user to use the logical parameter to inject malicious PHP code into the compiledlimitations field on the database and have it executed during banner delivery. Inpu...

TP-Link Archer A20 v3 Router - Cross-site Scripting

The TP-Link Archer A20 v3 router is vulnerable to Cross-site Scripting XSS due to improper handling of directory listing paths in the web interface. When a specially crafted URL is visited, the router's web page renders the directory listing and executes arbitrary JavaScript embedded in the URL...

Google ADK-Python - Unauthenticated Builder Endpoint

Google Agent Development Kit ADK 1.7.0 through 1.28.1 and 2.0.0a1 through 2.0.0a2 on Python OSS, Cloud Run, and GKE contains a code injection and missing authentication vulnerability, letting unauthenticated remote attackers execute arbitrary code on the server, exploit requires no authentication...

Microweber <1.3.2 - Cross-Site Scripting

Code Injection in on search.php?keywords= GitHub repository microweber/microweber prior to 1.3.2. id: CVE-2022-3242 info: name: Microweber 1.3.2 - Cross-Site Scripting author: r3Y3r53 severity: medium description: | Code Injection in on search.php?keywords= GitHub repository microweber/microweber...

Citrix ADC and Citrix NetScaler Gateway - Remote Code Injection

Citrix ADC and NetScaler Gateway are susceptible to remote code injection. An attacker can potentially execute malware, obtain sensitive information, modify data, and/or gain full control over a compromised system without entering necessary credentials. Affected versions are before 13.0-58.30,...

Lantronix EDS5000 Code Injection Vulnerability

Lantronix EDS5000 contains a code injection vulnerability that could allow attackers to inject arbitrary OS commands into the username parameter. Injected commands are executed with root privileges...

CVE-2026-10789

Summary: CVE-2026-10789 is a code-injection vulnerability in the MCP extension for Autodesk Fusion Desktop. A malicious webpage visited by a user with Fusion Desktop running and MCP enabled can trigger arbitrary code execution with the current user’s privileges. The CVSS 3.1 score is 9.6 (CRITICA...

CVE-2026-54271

The CVE-2026-54271 entry concerns protobufjs-cli (pbjs) static code generation, where insecure handling of pre-parsed JSON descriptors could lead to attacker-controlled JavaScript in generated output. Concrete details across connected sources show that protobufjs-cli versions prior to the fixed r...

MetInfo CMS <= 8.1 - Remote Code Execution

MetInfo CMS 7.9, 8.0, and 8.1 contain an unauthenticated PHP code injection vulnerability caused by insufficient input neutralization in the execution path, letting remote attackers execute arbitrary code remotely, exploit requires crafted requests. id: CVE-2026-29014 info: name: MetInfo CMS = 8....

Netsweeper 4.0.3 - Cross-Site Scripting

A cross-site scripting vulnerability in webadmin/policy/grouptableajax.php/ in Netsweeper before 3.1.10, 4.0.x before 4.0.9, and 4.1.x before 4.1.2 allows remote attackers to inject arbitrary web script or HTML via the PATHINFO. id: CVE-2014-9608 info: name: Netsweeper 4.0.3 - Cross-Site Scriptin...

ISPConfig - PHP Code Injection

An issue was discovered in ISPConfig before 3.2.11p1. PHP code injection can be achieved in the language file editor by an admin if adminallowlangedit is enabled. id: CVE-2023-46818 info: name: ISPConfig - PHP Code Injection author: non-things severity: high description: | An issue was discovered...

CVE-2026-12822

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in...

CVE-2026-12822 langflow-ai langflow Bundle URL Loader code injection

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in...

CVE-2026-12822

Langflow AI (langflow) up to v1.9.3 is affected by CVE-2026-12822 due to a vulnerability in the Bundle URL Loader component leading to local code injection. The attack requires local access; the exact vulnerable function is unspecified. Vendor did not respond to disclosure. CVSS data indicate a M...

CVE-2026-12822

A vulnerability was identified in langflow-ai langflow up to 1.9.3. This affects an unknown function of the component Bundle URL Loader. The manipulation leads to code injection. The attack needs to be performed locally. The vendor was contacted early about this disclosure but did not respond in...