CVE-2026-50873

The CVE concerns flatnotes v5.5.4, where the attachment handling component is vulnerable to arbitrary file upload. A crafted HTML or SVG file can lead to arbitrary code execution, per the provided descriptions. The sources consistently reference an upload vector in the attachment handling flow an...

PT-2026-49188

Quick.CMS deserializes user-controlled data received over plaintext HTTP without ensuring integrity or authenticity. This allows attackers to tamper with serialized payloads in transit and inject malicious objects. Because deserialization is performed without proper validation or class...

CVE-2026-50871

An OS command injection vulnerability in the media archiving and export pipeline component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input...

PT-2026-49321

Name of the Vulnerable Software and Affected Versions YouTransfer version 1.0.6 Description An issue in the sendmail transport integration component allows attackers to execute arbitrary code by supplying a crafted request. Recommendations At the moment, there is no information about a newer...

PT-2026-49282

Name of the Vulnerable Software and Affected Versions Rakuten Send Anywhere File Transfer for Android version 23.2.9 Description An issue in the application allows untrusted apps without permissions to force arbitrary file downloads into the app's scoped storage. These files then appear in the...

PT-2026-49314

Name of the Vulnerable Software and Affected Versions flatnotes version 5.5.4 Description An arbitrary file upload issue exists in the attachment handling component. This allows attackers to execute arbitrary code by uploading a specially crafted HTML or SVG file. Recommendations At the moment,...

PT-2026-49191

Name of the Vulnerable Software and Affected Versions The product name cannot be determined affected versions not specified Description An issue exists where the application fails to intercept certain dangerous interfaces when executing JavaScript scripts embedded in PDF files within the sandbox...

Qnap QTS and QuTS hero OS Command Injection (CVE-2026-24719)

A command injection vulnerability has been reported to affect several QNAP operating system versions. If a remote attacker gains an administrator account, they can then exploit the vulnerability to execute arbitrary commands. We have already fixed the vulnerability in the following versions: QTS...

CVE-2026-36933

The CVE-2026-36933 issue affects Boyleep K11 y108 firmware v2.3.0.11291. A physically proximate attacker can execute arbitrary code via the factory test feature. The impact is described as high for confidentiality, integrity, and availability; the root cause is tied to the factory test feature, w...

CVE-2026-50883

CVE-2026-50883 refers to an HTML injection in the matze wastebin project (v3.4.1) affecting the internal component /src/highlight.rs . The root cause is not explicitly detailed beyond mention of HTML injection via a crafted payload, leading to arbitrary script execution. The vulnerability is rate...

CVE-2026-38329

Bludit CMS is affected pre-3.18.4. The API Plugin's POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails authorization checks and lacks file extension validation, enabling an attacker with a valid API token to upload a PHP script and execute arbitrary code on the server (Remote Code ...

CVE-2026-50869

CVE-2026-50869 relates to Bludit v3.19.0, where the api/plugin.php component is vulnerable to a directory traversal via a crafted request. The CVE entry documents a high-severity issue (CVSS 3.1: 9.8, CRITICAL) with network attack vector, no privileges required, and no user interaction. The affec...

PT-2026-49336

Name of the Vulnerable Software and Affected Versions GStreamer affected versions not specified Description A heap buffer overflow exists in the librfb RFB/VNC client component of GStreamer. The issue occurs because the rectangle bounds check validates the total area instead of individual...

ROS-20260615-73-0003

The vulnerability in freerdp is related to buffer overflow in dynamic memory. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

ROS-20260615-73-0005

The vulnerability in freerdp is related to the use of memory after it is freed. Exploiting this vulnerability allows a remote attacker to execute arbitrary code...

CVE-2026-38329

Bludit CMS before version 3.18.4 allows Remote Code Execution RCE via the API Plugin. The POST /api/files/key endpoint in bl-plugins/api/plugin.php fails to perform authorization checks and lacks file extension validation. An attacker with a valid API token can upload a malicious PHP script and...

CVE-2026-30120

remotion-dev remotion v4.0.409 was discovered to contain a remote code execution RCE vulnerability...

CVE-2026-36933

An issue in Boyleep K11, y108 firmware v.2.3.0.11291 allows a physically proximate attacker to execute arbitrary code via the factory test feature...

CVE-2025-56814

A code injection vulnerability in the wxExecute function of OpenCPN v5.12.0 allows attackers to execute arbitrary code via embedding shell metacharacters...

PT-2026-49607

Name of the Vulnerable Software and Affected Versions LangBot affected versions not specified Description A critical flaw in the MCP STDIO implementation allows for remote code execution within AI pipelines. Recommendations At the moment, there is no information about a newer version that contain...