CVE-2026-33817

CVE-2026-33817 affects go.etcd.io/bbolt. The issue is an index-out-of-range error when processing a branch page that has zero elements. Root cause and impact are described in the connected CVE records as a vulnerability in the bbolt component; no explicit exploit details, affected versions, or re...

CVE-2026-35174

Chyrp Lite is an ultra-lightweight blogging engine. Prior to 2026.01, a path traversal vulnerability exists in the administration console that allows an administrator or a user with Change Settings permission to change the uploads path to any folder. This vulnerability allows the user to download...

CVE-2026-35470

OpenSTAManager is an open source management software for technical assistance and invoicing. Prior to 2.10.2, confrontarighe.php files across different modules in OpenSTAManager contain an SQL Injection vulnerability. The righe parameter received via $GET'righe' is directly concatenated into an S...

CVE-2026-34976

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config admin.go, making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication,...

CVE-2026-34977

Aperi'Solve is an open-source steganalysis web platform. In versions 3.1.3 through 3.2.0, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command,...

CVE-2026-5580

A vulnerability was identified in CodeAstro Online Classroom 1.0. Impacted is an unknown function of the file /OnlineClassroom/addvideos.php of the component Parameter Handler. The manipulation of the argument videotitle leads to sql injection. It is possible to initiate the attack remotely. The...

CVE-2026-5669 Cyber-III Student-Management-System Parameter login.php sql injection

A vulnerability has been found in Cyber-III Student-Management-System up to 1a938fa61e9f735078e9b291d2e6215b4942af3f. This vulnerability affects unknown code of the file /login.php of the component Parameter Handler. Such manipulation of the argument Password leads to sql injection. It is possibl...

CVE-2026-5666

A vulnerability was detected in code-projects Online FIR System 1.0. Affected by this issue is some unknown functionality of the file /complaints.sql of the component SQL Database Backup File Handler. The manipulation results in insecure storage of sensitive information. The attack may be perform...

CVE-2026-34977 Aperi'Solve Affected by Unauthenticated RCE via JPSeek Analyzer Command

Aperi'Solve is an open-source steganalysis web platform. In versions 3.1.3 through 3.2.0, when uploading a JPEG, a user can specify an optional password to accompany the JPEG. This password is then directly passed into an expect command, which is then subsequently passed into a bash -c command,...

CVE-2026-34977

Aperi'Solve is an open-source steganalysis web platform. Prior to version 3.2.1, uploading a JPEG with an optional password leads the password to be passed into an expect command and then into a bash -c command without sanitization. An unauthenticated attacker can achieve root-level RCE inside th...

CVE-2026-34976 Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config admin.go, making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication,...

CVE-2026-34976

CVE-2026-34976 affects Dgraph prior to 25.3.1 where the restoreTenant admin mutation is missing from the authorization middleware, allowing an unauthenticated attacker to specify attacker-controlled backup locations (including file://), S3/MinIO credentials, encryption key paths, and Vault IDs. T...

CVE-2026-34976 Dgraph Affected by Pre-Auth Database Overwrite + SSRF + File Read via restoreTenant Missing Authorization

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config admin.go, making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication,...

EUVD-2026-19360

Dgraph is an open source distributed GraphQL database. Prior to 25.3.1, the restoreTenant admin mutation is missing from the authorization middleware config admin.go, making it completely unauthenticated. Unlike the similar restore mutation which requires Guardian-of-Galaxy authentication,...

SQL Injection

Overview glpi/glpi is a free Asset and IT Management Software package with ITIL Service Desk, licenses tracking and software auditing. Affected versions of this package are vulnerable to SQL Injection in the logs export process. An attacker can execute arbitrary SQL commands by submitting crafted...

CVE-2026-5666

Code-projects Online FIR System 1.0 is affected. The vulnerability lies in the SQL Database Backup File Handler’s /complaints.sql functionality, where manipulation leads to insecure storage of sensitive information. Attack surface is network-based with no authentication required (per CVSS data), ...

CVE-2026-32602

Homarr is an open-source dashboard. Prior to 1.57.0, the user registration endpoint /api/trpc/user.register is vulnerable to a race condition that allows an attacker to create multiple user accounts from a single-use invite token. The registration flow performs three sequential database operation...

CVE-2026-33404 Pi-hole has a Stored XSS / HTML injection in the Network page/Dashboard

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

EUVD-2026-19281

Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. From 6.0 to before 6.5, client hostnames and IP addresses from the FTL database are rendered into the DOM without escaping in network.js Network page and charts.js/index....

CVE-2026-34885 WordPress Media LIbrary Assistant plugin <= 3.34 - SQL Injection vulnerability

Improper Neutralization of Special Elements used in an SQL Command 'SQL Injection' vulnerability in David Lingren Media LIbrary Assistant allows SQL Injection.This issue affects Media LIbrary Assistant: from n/a through 3.34...