Linux Distros Unpatched Vulnerability : CVE-2026-35239

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the MySQL Server product of Oracle MySQL component: Server: DML. Supported versions that are affected are 8.0.0-8.0.45, 8.4.0-8.4.8 and...

CVE-2026-1352 IBM® Db2® is vulnerable to a trap or return SQLCODE -901 when compiling a specially crafted query with a defined index

IBM Db2 11.5.0 through 11.5.9, and 12.1.0 through 12.1.4 for Linux, UNIX and Windows includes Db2 Connect Server could allow an authenticated user to cause a denial of service due to improper neutralization of special elements in data query logic...

CVE-2026-40517

radare2 prior to 6.1.4 contains a command injection vulnerability in the PDB parser's printgvars function that allows attackers to execute arbitrary commands by crafting a malicious PDB file with newline characters in symbol names. Attackers can inject arbitrary radare2 commands through unsanitiz...

GHSA-HJH7-R5W8-5872 SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)

Summary The fix for CVE-2026-30869 in SiYuan v3.5.10 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding %252e%252e to traverse directories and read arbitrary...

SiYuan: Path Traversal via Double URL Encoding in `/export/` Endpoint (Incomplete Fix Bypass for CVE-2026-30869)

Summary The fix for CVE-2026-30869 in SiYuan v3.5.10 only added a denylist check IsSensitivePath but did not address the root cause — a redundant url.PathUnescape call in serveExport. An authenticated attacker can use double URL encoding %252e%252e to traverse directories and read arbitrary...

@nocobase/actions (>=0.4.0-alpha.1 <=2.0.38), @nocobase/api (>=0.4.0-alpha.1 <=0.4.0-alpha.7) +37 more potentially affected by CVE-2026-41640 via @nocobase/database (>=0.10.0-alpha.2 <=2.0.38)

@nocobase/database NPM version =0.10.0-alpha.2, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.14.0-alpha.4, =0.7.0-alpha.1, =0.10.0-alpha.2, =0.14.0-alpha.4, =0.20.0-alpha.1, =0.18.0-alpha.1, =0.7.0-alpha.1, =0.4.0-alpha.1, =0.7.1-alpha.4, =0.10.1-alpha.1, =0.4.0-alpha.1, =0.4.0-alpha.1, =0.10.1-alpha.1 and...

@nocobase/actions (>=2.0.0 <=2.0.38), @nocobase/auth (>=2.0.0 <=2.0.38) +4 more potentially affected by CVE-2026-41640 via @nocobase/database (>=2.0.0-alpha.10 <=2.0.38)

@nocobase/database NPM version =2.0.0-alpha.10, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.0, =2.0.38 Source cves: CVE-2026-41640 Source advisory: SNYK:JS-NOCOBASEDATABASE-16421470...

GHSA-4948-F92Q-F432 @nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

SQL Injection

Overview @nocobase/database is a Affected versions of this package are vulnerable to SQL Injection via the queryParentSQL function. An attacker can execute arbitrary SQL commands, extract sensitive data, modify or delete database records, and potentially cause denial of service by injecting...

@nocobase/database has SQL Injection via String Concatenation through Recursive Eager Loading

Summary The queryParentSQL function in the core database package constructs a recursive CTE query by joining nodeIds with string concatenation instead of using parameterized queries. The nodeIds array contains primary key values read from database rows. An attacker who can create a record with a...

CVE-2025-70420

A SQL injection vulnerability exists in Genesys Latitude v25.1.0.420 that allows an authenticated attacker to execute arbitrary SQL queries against the backend database. The vulnerability is caused by unsanitized user-supplied input being concatenated directly into SQL statements...

nimiq-accounts (>=0.1.0 <=0.2.0), nimiq-block-production (>=0.1.0 <=0.2.0) +11 more potentially affected by CVE-2026-33471 via nimiq-block (>=0.1.0 <=0.2.0)

nimiq-block CARGO version =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.1.0, =0.2.0 Source cves: CVE-2026-33471 Source advisory: OSV:GHSA-6973-8887-87FF...

EUVD-2018-21789

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands v...

CLSA-2026-1776879643 mysql: Fix of CVE-2019-2627

CVE-2019-2627: fix crash when mysql.user table has missing password column...

CVE-2018-25272

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands v...

WordPress Feed KuantoKusta for WooCommerce – Free plugin <= 5.3 - SQL Injection vulnerability

SQL Injection vulnerability discovered by TruongLV1 From FPT Night Wolf in WordPress Plugin Feed KuantoKusta for WooCommerce – Free versions = 5.3...

EUVD-2026-24953

An issue was discovered in guardsix formerly Logpoint ODBC Enrichment Plugins before 5.2.1 5.2.1 is used in guardsix 7.9.0.0. A logic flaw allowed stored database credentials to be reused after modification of the target Host, IP address, or Port. When editing an existing Enrichment Source,...

EUVD-2026-24951

An operator allowed to use the REST API can cause the Authoritative server to produce invalid HTTPS or SVCB record data, which can in turn cause LMDB database corruption, if using the LMDB backend...

CVE-2018-25272

ELBA5 5.8.0 contains a Remote Code Execution vulnerability via database access. The issue allows an attacker to obtain database credentials, decrypt the DBA password, and run commands with SYSTEM-level permissions. Exploitation could occur by connecting with default connector credentials and usin...

CVE-2018-25272 ELBA5 5.8.0 Remote Code Execution via Database Access

ELBA5 5.8.0 contains a remote code execution vulnerability that allows attackers to obtain database credentials and execute arbitrary commands with SYSTEM level permissions. Attackers can connect to the database using default connector credentials, decrypt the DBA password, and execute commands v...