CVE-2026-12197 Ruijie EG105G-P JSON-RPC Diagnose Endpoint diagnose nslookup command injection

A security flaw has been discovered in Ruijie EG105G-P 2.340. The impacted element is the function nslookup of the file /cgi-bin/luci/api/diagnose of the component JSON-RPC Diagnose Endpoint. Performing a manipulation of the argument params.target results in command injection. It is possible to...

CVE-2026-12174 D-Link DCS-935L HTTP rhea snprintf format string

A security vulnerability has been detected in D-Link DCS-935L 1.10.01. This issue affects the function snprintf of the file /web/cgi-bin/greece/rhea of the component HTTP Handler. Such manipulation of the argument data leads to format string. The attack may be launched remotely. The exploit has...

CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

CVE-2026-12183

Nefteprodukttekhnika BUK TS-G Gas Station Automation System 2.9.1 through 2.10.2 on Linux contains an Improper Authentication vulnerability CWE-287 in the system configuration module. The /php/ajax-login.php endpoint returns userid=1 administrator in response to any HTTP POST request that supplie...

CVE-2026-42567

A flaw was found in Svelte, a web framework. An internal regular expression regex in the Svelte runtime, specifically when processing , can be exploited by a remote attacker. By providing specially crafted input, an attacker can cause the regex to take an exponential amount of time to process,...

CVE-2026-48558 SimpleHelp Authentication Bypass via Missing OIDC JWT Signature Verification

SimpleHelp versions 5.5.15 and prior and 6.0 pre-release versions contain an authentication bypass vulnerability in the OIDC authentication flow. When OIDC authentication is configured, identity tokens submitted during login are accepted without verifying their cryptographic signature. In a...

OESA-2026-2623 openvpn security update

OpenVPN is a full-featured open source SSL VPN solution that accommodates a wide range of configurations, including remote access, site-to-site VPNs, Wi-Fi security, and enterprise-scale remote access solutions with load balancing, failover, and fine-grained access-controls. Starting with the...

CVE-2026-12060 Hepta Platforms｜Heptabase - Exposed Dangerous

Heptabase developed by Hepta Platforms has a Exposed Dangerous Method or Function vulnerability, allowing unauthenticated remote attackers to leverage social engineering techniques to trick a victim into opening or loading a malicious webpage within the Heptabase application, thereby gaining...

SUSE CVE-2026-10118

A flaw was found in Poppler's Splash backend. A remote attacker could exploit this vulnerability by crafting a malicious PDF file that, when rendered, triggers an integer overflow in the tilingPatternFill function. This overflow leads to an undersized heap memory allocation, allowing a subsequent...

PT-2026-48975

Name of the Vulnerable Software and Affected Versions CodeAstro Human Resource Management System version 1.0 Description A security flaw in the Projects Management Page component allows for remote cross-site scripting XSS, which is a technique where malicious scripts are injected into trusted...

SwiftNIO NIOHTTP1: HTTPDecoder accepts unbounded HTTP/1 header blocks, enabling remote DoS

The HTTPDecoder in NIOHTTP1 enforces no limit on the total size of an HTTP/1 message's header block or on the number of header fields per message. A remote peer can submit an arbitrary number of small, valid headers in a single request and have them all accumulated into the resulting HTTPHeaders...

CVE-2026-45177 Idira Secrets Manager SaaS Edge: Authentication Bypass of an internal validation mechanism

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to...

CVE-2026-47157

aiograpi (Python) before 0.9.10 accepted server-supplied signup challenge paths and built request URLs before validating that the paths were relative Instagram API paths. An attacker who can influence a challenge response (e.g., on a local network, via DNS, or via a proxy) could cause challenge h...

openssl: Multi-RecipientInfo Bleichenbacher Oracle in CMS_decrypt() and PKCS7_decrypt()

A flaw was found in OpenSSL's CMSdecrypt and PKCS7decrypt functions. This vulnerability, a Bleichenbacher-style oracle, could allow a remote attacker to decrypt or sign messages using the victim's private RSA key. Exploitation requires the attacker to provide specially crafted CMS or S/MIME...

CVE-2026-11956 TwiN gatus OIDC Session Cookie oidc.go setSessionCookie missing secure attribute

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attac...

bind: BIND: Denial of Service via maliciously crafted DNSSEC-validated zone

A flaw was found in BIND. A remote attacker could exploit this vulnerability by sending a maliciously crafted DNSSEC-validated zone to a BIND resolver. This could cause the resolver to consume excessive CPU resources, leading to a denial of service DoS for legitimate users...

PT-2026-48703

Idira Secrets Manager SaaS Edge versions prior to 1.8 exhibit improper access control within its internal authentication components. A remote, unauthenticated attacker could exploit this by submitting a specially crafted request. Under specific circumstances, this could allow the attacker to...

PT-2026-48659

A vulnerability was determined in TwiN gatus 5.36.0. Impacted is the function setSessionCookie of the file security/oidc.go of the component OIDC Session Cookie Handler. Executing a manipulation can lead to sensitive cookie without secure attribute. The attack can be launched remotely. This attac...

PT-2026-48696

A remote unauthenticated attacker may be able to conduct credential-guessing attacks against user accounts in Sonatype Nexus Repository via authentication endpoints...

CVE-2026-6893

A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP Dynamic Host Configuration Protocol options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and...