PT-2026-49217

WordPress Dharma Booking 2.28.3 and earlier contains a local file inclusion vulnerability that allows unauthenticated attackers to include arbitrary files by manipulating the gateway parameter. Attackers can supply file paths with directory traversal sequences or null byte injection to the gatewa...

PT-2026-49197

Wertheim SafeController Software, AssemblyVersion 6.15.8328.28014, contains a path traversal vulnerability in the documentName parameter of the /safe/selfservice/openselfservicedocument endpoint. The application constructs a file path using attacker-controlled input without sufficient validation,...

CVE-2026-38060

Tenda 5G03 V05.03.02.04 Version 1.0 is vulnerable to Command injection in the function actionunlocksim via the pin parameter...

PT-2026-49295

Name of the Vulnerable Software and Affected Versions Tenda 5G03 version V05.03.02.04 Version 1.0 Description Command injection is possible in the action dial call function through the dialNumber parameter. Recommendations At the moment, there is no information about a newer version that contains...

PT-2026-49302

Name of the Vulnerable Software and Affected Versions Vector versions prior to 0.55.0 Description The ClickHouse sink contains a SQL/identifier injection flaw. The software escaped the table identifier but interpolated the database value raw into the INSERT statement, allowing a crafted database...

CVE-2026-39196

Datadog Vector v0.54.0 contains a SQL injection in the set_uri_query parameter of KeyPartitioner::partition. The vulnerability could allow an attacker to access sensitive database information via crafted SQL statements. Affected component: Vector’s data routing/partition logic (KeyPartitioner::pa...

PT-2026-49207

WordPress Booking Calendar Contact Form 1.0.23 contains an unauthenticated blind SQL injection vulnerability in the shortcode function that fails to sanitize the calendar parameter before using it in database queries. Attackers can inject SQL commands through the calendar shortcode parameter to...

CVE-2026-38061

CVE-2026-38061 affects Tenda 5G03 with firmware V05.03.02.04 (Version 1.0). It is a command-injection vulnerability in the function action_set_volume through the volume parameter. The CVSSv3.1 metrics indicate a remote, unauthenticated exploit with high impact to confidentiality, integrity, and a...

CVE-2026-38065

The vulnerability CVE-2026-38065 affects Tenda 5G03 devices running firmware V05.03.02.04 (Version 1.0) . A command injection exists in the function action_ims_on_with_apn via the ims_apn parameter. This is supported by multiple connected sources (NVD, ENISA EUVD, CVE listings) confirming the sam...

CVE-2026-38064

Affected product: Tenda 5G03 V05.03.02.04 (Version 1.0). Vulnerability: command injection in the function action_dial_call via the dialNumber parameter. Root cause/detail: not explicitly described beyond the command injection vector; connected sources confirm the same description across EUVD-2026...

CVE-2026-38060

The CVE-2026-38060 entry concerns Tenda 5G03 V05.03.02.04 (Version 1.0) with a vulnerability in the function action_unlock_sim, exploitable via the pin parameter to enable command injection. The mapped CVSS 3.1 base score is 9.8 (CRITICAL) with Network attack vector, no privileges required, no us...

CVE-2026-38062

Summary: CVE-2026-38062 affects Tenda 5G03 (V05.03.02.04, Version 1.0). The issue is a command injection in the function action_set_rat_mode via the ratMode parameter. Multiple trusted sources (NVD, EUVD, CVE lists, vuln enrichment) describe this vulnerability with the same root cause. The CVSS v...

CVE-2026-36670

CVE-2026-36670: Time-based blind SQL injection in the OpenSIPS Control Panel (opensips-cp) alias_management module before version 9.3.3. Authenticated attackers can leverage the table parameter in alias_management.php to execute arbitrary SQL. Connected sources confirm the affected component is O...

CVE-2026-50890

Bernd Bestel grocy v4.6.0 is affected by a SQL injection in the product-group parameter at /stockreports/spendings. The issue allows extracting sensitive database information via a crafted SQL statement. Environment references this vulnerability across multiple sources (NVD, ENISA EUVD, CVE recor...

CVE-2026-38063

CVE-2026-38063 affects Tenda 5G03 V05.03.02.04 (Version 1.0). The vulnerability is a command injection in the function action_radio_on_with_ia_apn via the ia parameter. CVSS 3.1 base score 9.8 (Network, No auth, No user interaction). Exploitation status and concrete remediation details are not pr...

CVE-2026-38064

Tenda 5G03 V05.03.02.04 Version 1.0 is vulnerable to Command injection in the function actiondialcall via the dialNumber parameter...

PT-2026-49570

Summary QuerystringParser treated ; as a field separator in application/x-www-form-urlencoded bodies, in addition to &. The WHATWG URL standard, modern browsers, and Python's urllib.parse since the CVE-2021-23336 fix treat only & as a separator. This creates a parser differential: the same bytes...

PT-2026-49292

Name of the Vulnerable Software and Affected Versions Tenda 5G03 version V05.03.02.04 Version 1.0 Description Command injection is possible in the action set volume function through the volume parameter. Recommendations At the moment, there is no information about a newer version that contains a...

PT-2026-49331

Name of the Vulnerable Software and Affected Versions grocy version 4.6.0 Description SQL injection occurs at the '/stockreports/spendings' endpoint through the product-group parameter. This allows attackers to access sensitive database information by using a crafted SQL statement. SQL injection ...

PT-2026-49291

Name of the Vulnerable Software and Affected Versions Tenda 5G03 version V05.03.02.04 Version 1.0 Description Command injection is possible in the action unlock sim function through the pin parameter. Recommendations At the moment, there is no information about a newer version that contains a fix...