CVE-2026-35716

A stack-based buffer overflow in the motionprivacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or...

EUVD-2026-33969

A stack-based buffer overflow in the motionprivacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or...

PT-2026-45774

NamelessMC is website software for Minecraft servers. In versions 2.2.4 and prior, the OAuth callback handling does not validate the state parameter server-side before exchanging the authorization code. This allows an attacker to capture a valid OAuth callback URL for their own account and cause ...

LibreChat 安全漏洞

LibreChat is an open-source, free, and highly customizable unified AI dialogue platform. It allows for the aggregation and running of large models from any vendor within a single interface. LibreChat versions 0.7.6 and earlier contain security vulnerabilities. These vulnerabilities stem from...

WordPress plugin ARMember Premium SQL注入漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

NamelessMC 安全漏洞

NamelessMC is a free, easy-to-use, and powerful website software developed by the NamelessMC team. It’s suitable for your Minecraft server and comes with numerous features. Version 2.2.4 of NamelessMC has a security vulnerability. This vulnerability stems from the lack of proper cleaning or outpu...

WordPress plugin hiWeb Migration Simple 跨站脚本漏洞

WordPress and WordPress plugins are both products of the WordPress Foundation. WordPress is a blog platform developed using the PHP language. This platform allows for the creation of personal blog websites on servers based on PHP and MySQL. A WordPress plugin is an application extension. The...

NamelessMC 安全漏洞

NamelessMC is a free, easy-to-use, and powerful website software developed by the NamelessMC team. It’s suitable for your Minecraft server and comes with numerous features. Versions of NamelessMC 2.2.4 and earlier have security vulnerabilities. These vulnerabilities stem from unvalidated state...

SourceCodester Human Resource Management 安全漏洞

SourceCodester Human Resource Management is an open-source human resource management system developed by SourceCodester. Version 1.0 of SourceCodester Human Resource Management contains a security vulnerability. This vulnerability stems from the handling of the parameter employeeid in the Employe...

PT-2026-45844

Name of the Vulnerable Software and Affected Versions ARMember Premium versions prior to 7.3.2 Description An issue exists where unauthenticated attackers can append additional SQL queries to existing ones to extract sensitive information from the database. This occurs due to insufficient escapin...

PT-2026-45854

Name of the Vulnerable Software and Affected Versions authentik versions prior to 2026.2.3 Description The WS-Federation provider in this open-source identity provider validates the user-supplied wreply parameter using a raw string prefix check instead of proper URL parsing. An attacker can craft...

PT-2026-45819

Name of the Vulnerable Software and Affected Versions DedeCMS version 5.7.88 Description A security flaw exists in the RemoveXSS function within the '/plus/carbuyaction.php' file. Remote attackers can perform SQL injection, which is a technique used to manipulate a database by inserting malicious...

CVE-2026-35716

A stack-based buffer overflow in the motionprivacy.cgi binary in VIVOTEK FD8136 firmware FD8136-VVTK-0300a allows authenticated remote attackers to execute arbitrary code as root via an oversized n1 parameter in a POST request to the /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or...

SourceCodester Pizzafy Ecommerce System 安全漏洞

SourceCodester Pizzafy Ecommerce System is an open-source e-commerce system developed by SourceCodester. Version 1.0 of the SourceCodester Pizzafy Ecommerce System contains a security vulnerability, which stems from the handling of the 'page' parameter in the file/admin/index.php, potentially...

BlenderMCP 代码注入漏洞

BlenderMCP is a 3D modeling control tool developed by ahujasid that connects Blender with AI. Versions of BlenderMCP 7636d13bded82eca58eb93c3f4cd8708dfdfbe8b and earlier have a code injection vulnerability. This vulnerability stems from the handling of the code parameter in the executeblendercode...

DesDev DedeCMS SQL注入漏洞

DesDev DedeCMS is an open-source content management system CMS developed by DesDev Corporation, based on PHP. This system offers functions such as content publishing, content management, content editing, and content retrieval. Version 5.7.88 of DesDev DedeCMS contains a SQL injection vulnerabilit...

PT-2026-45702

The FPW Category Thumbnails plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'id' parameter of the 'fpw fs get file' AJAX action in all versions up to, and including, 1.9.5. This is due to insufficient input sanitization and output escaping. This makes it possible for...

PT-2026-45700

The rognone plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'a' parameter in versions up to, and including, 0.6.2 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages...

PT-2026-45703

The hiWeb Migration Simple plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'new domain' parameter in all versions up to, and including, 2.0.0.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject...

PT-2026-45698

The WP Nano AD plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘blogrole link’ parameter in all versions up to, and including, 1.31 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level...