RLSA-2026:21757 Important: flatpak security update

Flatpak is a system for building, distributing, and running sandboxed desktop applications on Linux. Security Fixes: flatpak: Flatpak: Arbitrary code execution via crafted symlinks in sandbox-expose options CVE-2026-34078 flatpak: Flatpak: Arbitrary file deletion on host via improper cache file...

BEWARD N100 H.264 VGA IP Camera M2.1.6 - Arbitrary File Disclosure

Beward N100 H.264 VGA IP Camera M2.1.6 contains an authenticated file disclosure vulnerability caused by improper validation of the 'READ.filePath' parameter in fileread script and SendCGICMD API, letting authenticated attackers read arbitrary system files. id: CVE-2019-25246 info: name: BEWARD...

PT-2026-46398

A vulnerability was found in Shibby Tomato 1.28.0000. This issue affects the function start vpnserver of the file /sbin/rc of the component Web UI. Performing a manipulation results in os command injection. The attack can be initiated remotely. The exploit has been made public and could be used...

PT-2026-45745

Path traversal in restore handler in Collibra Agent, allows an attacker to write arbitrary files via a crafted ZIP archive. Collibra Agent fails to properly validate and canonicalize file path during ZIP extraction, this can allow an attacker to write files outside the intended extraction directo...

CVE-2026-10514 1Panel-dev CordysCRM RequestParamTrimConfig.java cross site scripting

A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit...

EUVD-2026-33763

A security flaw has been discovered in code-projects Hotel and Tourism Reservation System 1.0. Impacted is an unknown function of the file /ht/tour.php. Performing a manipulation of the argument name /email /people /number results in cross site scripting. The attack can be initiated remotely. The...

EUVD-2026-33731

A vulnerability was identified in hiraishikentaro wezterm-mcp 0.1.0. The affected element is an unknown function of the file src/weztermexecutor.ts of the component switchpane/writetospecificpane. The manipulation of the argument request.params.arguments.paneid leads to os command injection. The...

EUVD-2026-33725

A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component readfile/writefile. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. Th...

CVE-2026-10278 ishayoyo excel-mcp read_file/write_file index.ts path traversal

A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component readfile/writefile. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely. Th...

CVE-2026-10278

CVE-2026-10278 affects the project ishayoyo excel-mcp up to 1.0.2. The vulnerability targets the file handling in the component’s src/index.ts, specifically read_file/write_file, where manipulating filePath/outputPath can cause a path traversal. The issue can be triggered remotely, and publicly d...

CVE-2026-10171

A vulnerability has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. Such manipulation of the argument ID leads to sql injection. The attack may be launched remotely. The exploit has been disclosed to the public a...

CVE-2026-10234

CVE-2026-10234 affects Mettle SendPortal (up to 3.0.1). The vulnerability is a cross-site scripting issue in an unknown part of the file path /webview/ within the Campaign Handler, caused by manipulation of the argument content. It can be exploited remotely, and the exploit is public. No remediat...

CVE-2026-10216

A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched...

PT-2026-45499

A vulnerability was determined in ishayoyo excel-mcp up to 1.0.2. Impacted is an unknown function of the file src/index.ts of the component read file/write file. Executing a manipulation of the argument filePath/outputPath can lead to path traversal. It is possible to launch the attack remotely...

PT-2026-45248

A vulnerability was detected in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. The attack may be launched...

CVE-2026-10184

A security flaw has been discovered in SourceCodester Hospitals Patient Records Management System 1.0. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been...

EUVD-2026-33490

A flaw has been found in code-projects Visitor Management System 1.0. Affected by this issue is some unknown functionality of the file /vms/php/phone0.php. This manipulation of the argument phone causes sql injection. The attack may be initiated remotely. The exploit has been published and may be...

EUVD-2026-33366

xiaomusic v0.5.7 contains an unauthenticated path traversal vulnerability in the GET /music/filepath:path endpoint that allows unauthenticated attackers to read arbitrary files outside the intended music directory by exploiting an incomplete path prefix check. Attackers can request files from...

EUVD-2026-33306

WWBN AVideo is an open source video platform. In 29.0 and earlier, view/update.php reads $POST'updateFile' as a relative path under updatedb/ and passes it to PHP's file for line-by-line execution as part of a database migration. An authenticated administrator can abuse this to read arbitrary tex...

PT-2026-44973

Name of the Vulnerable Software and Affected Versions StrongDM Desktop Application versions prior to 23.74.0 StrongDM Desktop Client versions prior to 53.77.0 Description On Microsoft Windows, the software stores authentication state in cleartext within a per-user state file located at...