CVE-2026-5189

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...

CVE-2026-5189 Nexus Repository 3 - Hardcoded Credential in Internal Database Component

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...

CVE-2026-5189

CVE-2026-5189 involves Sonatype Nexus Repository Manager versions 3.0.0–3.70.5 where a hard-coded credential in the internal database component can be exploited by an unauthenticated attacker with network access. The vulnerability enables read/write access to the internal database and allows exec...

CVE-2026-5189 Nexus Repository 3 - Hardcoded Credential in Internal Database Component

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...

EUVD-2026-22989

Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereadorver.php endpoint...

Information Exposure

Overview Affected versions of this package are vulnerable to Information Exposure via the /debugging/config/dump endpoint if there are second level Properties objects in the configuration. An attacker can obtain sensitive configuration details, including database credentials, by sending requests ...

CVE-2026-30778

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-30778 Apache SkyWalking: The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL.

The SkyWalking OAP /debugging/config/dump endpoint may leak sensitive configuration information of MySQL/PostgreSQL. This issue affects Apache SkyWalking: from 9.7.0 through 10.3.0. Users are recommended to upgrade to version 10.4.0, which fixes the issue...

CVE-2026-30778

CVE-2026-30778 affects Apache SkyWalking OAP where the /debugging/config/dump endpoint may leak sensitive configuration data (including MySQL/PostgreSQL-related details) in versions 9.7.0 through 10.3.0. The exposure is tied to the configuration dump functionality, potentially revealing credentia...

Exploit for SQL Injection in Dbgpt Db-Gpt

CVE-2025-51458-exp Pre-Auth SQL Injection in DB-GPThttps:/...

CVE-2026-40499

A flaw was found in radare2, specifically within the PDB parser's printgvars function. A remote attacker could exploit this vulnerability by crafting a malicious PDB Program Database file. By embedding a newline byte in the PE Portable Executable section header name field, the attacker can inject...

EUVD-2026-22826

radare2 prior to version 6.1.4 contains a command injection vulnerability in the PDB parser's printgvars function that allows attackers to execute arbitrary commands by embedding a newline byte in the PE section header name field. Attackers can craft a malicious PDB file with specially crafted...

CVE-2026-40104

CVE-2026-40104 affects XWiki Platform. A resource exhaustion vulnerability exists in REST API endpoints (for example, /xwiki/rest/wikis/xwiki/spaces/AnnotationCode/pages/AnnotationConfig/objects/AnnotationCode.AnnotationConfig/0/properties) that return metadata listing all pages without query lim...

PT-2026-33101

CVE-2026-30995 Slah CMS v1.5.0 and below was discovered to contain a SQL injection vulnerability via the id parameter in the vereador ver.php endpoint. https://t.co/FW642LmQMP...

Radare2 安全漏洞

Radare2 is an open-source reverse framework for Unix geeks developed by Radare. Versions of Radare2 prior to 6.1.4 contained security vulnerabilities. These vulnerabilities stemmed from the printgvars function in the PDB parser, which had issues with command injection, potentially allowing...

Drupal core - Moderately critical - Gadget Chain - SA-CORE-2026-002

Drupal core contains a chain of methods that could be exploitable when an insecure deserialization vulnerability exists on the site. This so-called "gadget chain" presents no direct threat, but is a vector that can be used to achieve remote code execution or SQL injection if the application...

PT-2026-33132

CWE-798: Use of Hard-coded Credentials in Sonatype Nexus Repository Manager versions 3.0.0 through 3.70.5 allows an unauthenticated attacker with network access to gain unauthorized read/write access to the internal database and execute arbitrary OS commands as the Nexus process user. Exploitatio...

Sonatype Nexus Repository Manager 安全漏洞

Sonatype Nexus Repository Manager NXRM is a repository manager developed by Sonatype, Inc., in the United States. It is primarily used for managing, storing, and distributing software. Versions of Sonatype Nexus Repository Manager from 3.0.0 to 3.70.5 have security vulnerabilities. These...

PT-2026-33053

Name of the Vulnerable Software and Affected Versions Apache SkyWalking versions 9.7.0 through 10.3.0 Description The SkyWalking OAP '/debugging/config/dump' endpoint may leak sensitive configuration information related to MySQL or PostgreSQL. Recommendations Upgrade to version 10.4.0...

pyLoad has Stale Session Privilege After Role/Permission Change (Privilege Revocation Bypass)

Summary pyLoad caches role and permission in the session at login and continues to authorize requests using these cached values, even after an admin changes the user's role/permissions in the database. As a result, an already logged-in user can keep old revoked privileges until logout/session...