CVE-2026-48939 Joomla Extension - icagenda.com - Remote Code Execution in iCaganda extension for Joomla < 4.0.8/3.9.15

A vulnerability in the iCagenda extension for Joomla allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution...

CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

EUVD-2026-38108

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

CVE-2026-48909 Joomla Extension - joomshaper.com - PHP Object injection in SP LMS extension for Joomla < 4.1.4

SP LMS comsplms 4.1.4 by JoomShaper deserializes user-controlled cookie data without validation, enabling an unauthenticated remote attacker to execute arbitrary code on the server...

CVE-2026-9843

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the viewpage function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete...

EUVD-2026-38104

The Database for Contact Form 7, WPforms, Elementor forms plugin for WordPress is vulnerable to arbitrary file deletion due to insufficient file path validation in the viewpage function in all versions up to, and including, 1.5.1. This makes it possible for unauthenticated attackers to delete...

Linux Distros Unpatched Vulnerability : CVE-2026-42530

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NGINX Open Source has a vulnerability in the ngxhttpv3module module. When NGINX Open Source is configured to use the HTTP/3 QUIC module, a remote unauthenticate...

Linux Distros Unpatched Vulnerability : CVE-2026-55200

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - libssh2 through 1.11.1, fixed in commit 7acf3df contains an out-of-bounds write vulnerability in ssh2transportread that fails to enforce upper bounds on...

PT-2026-51141

Name of the Vulnerable Software and Affected Versions WooCommerce version 7.1.0 Description A remote code execution flaw exists in the 'class-wc-meta-box-product-images.php' endpoint. The product-type parameter is passed without proper sanitization, allowing an attacker to inject shell commands a...

Linux Distros Unpatched Vulnerability : CVE-2026-8461

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - An out-of-bounds write vulnerability in FFmpeg's libavcodec library, specifically in the MagicYUV decoder, allows denial-of-service and, in some cases, can be...

PT-2026-51136

Name of the Vulnerable Software and Affected Versions SP LMS versions prior to 4.1.4 Description SP LMS com splms by JoomShaper contains a PHP Object injection flaw where user-controlled cookie data is deserialized without validation. Specifically, the application passes the lmsOrders cookie to a...

PT-2026-51142

Name of the Vulnerable Software and Affected Versions Flowise versions prior to 2.1.4 Description Configuration can be injected into the Chainflow during execution through the overrideConfig option, which is available in the frontend web integration and the backend Prediction API. This feature is...

Linux Distros Unpatched Vulnerability : CVE-2026-43994

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Coturn is a free open source implementation of TURN and STUN Server. Versions prior to 4.10.0 contain a stack buffer overflow in decodeoauthtokengcm. A uint16t...

Linux Distros Unpatched Vulnerability : CVE-2026-56211

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - A remote code execution vulnerability was found in libaom, the reference AV1 codec implementation. Insufficient bounds validation in the AV1 encoder's SVC...

Linux Distros Unpatched Vulnerability : CVE-2026-42055

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - NGINX Plus and NGINX Open Source have a vulnerability in the ngxhttpproxyv2module and ngxhttpgrpcmodule modules. This vulnerability exists when the...

Langflow: BaseFileComponent-based nodes arbitrary file read with RCE exploit

Summary All components based on BaseFileComponent are vulnerable to the following vulnerability: 1. Docling DoclingInlineComponent 2. Docling Serve DoclingRemoteComponent 3. Read File FileComponent 4. NVIDIA Retriever Extraction NvidiaIngestComponent 5. Video File VideoFileComponent 6. Unstructur...

CVE-2026-49345

Mercator is an open source web application that enables mapping of the information system. Prior to version 2025.05.19, a Server-Side Request Forgery SSRF vulnerability exists in Mercator's CVE configuration panel /admin/config/parameters. The testProvider method in ConfigurationController passes...

CVE-2026-48787

gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST /autoCode/addFunc, and then...

CVE-2026-48787

CVE-2026-48787 affects gin-vue-admin (AI-assisted basic development platform) in version 2.9.1. An authenticated attacker with access to the code-generation feature and MCP management interface can inject attacker-controlled Go source code via POST /autoCode/addFunc, then trigger a rebuild of the...

CVE-2026-48787 gin-vue-admin vulnerable to RCE

gin-vue-admin is an AI-assisted basic development platform. In version 2.9.1, an authenticated attacker with access to the code-generation feature and MCP management interface can exploit this vulnerability by injecting attacker-controlled Go source code through POST /autoCode/addFunc, and then...