81888 matches found
EUVD-2026-28473
A weakness has been identified in huangjunsen0406 xiaozhi-mcphub up to 1.0.3. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. The attack may be initiated remotely. The exploit has been mad...
OSV-2026-696 Use-of-uninitialized-value in JXRHandler::read
OSS-Fuzz report: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=510577322 Crash type: Use-of-uninitialized-value Crash state: JXRHandler::read kimgio_fuzzer.cc __interceptor_malloc...
PT-2026-38603
Name of the Vulnerable Software and Affected Versions Open5GS versions prior to 2.7.8 Description A flaw in the NSSF component allows a local attacker to cause a denial of service through manipulation of the ogs sbi stream find by id function within the /lib/sbi/nghttp2-server.c library...
📄 WordPress CatFolders 2.5.2 SQL Injection
WordPress CatFolders plugin versions 2.5.2 and below suffer from a remote SQL injection vulnerability. CVE-2025-9776: Authenticated SQL Injection in CatFolders WordPress Plugin Keywords: CVE-2025-9776, CatFolders WordPress vulnerability, SQL injection WordPress, authenticated SQL injection,...
Onyx Security Vulnerability
Onyx is an open-source AI large model platform developed by Onyx. Vulnerabilities exist in versions prior to Onyx 3.0.9, 3.1.6, and 3.2.6. These vulnerabilities stem from the POST /chat/stop-chat-session/chatsessionid endpoint checking authentication but failing to verify that the session belongs...
CVE-2026-8115
A security flaw has been discovered in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. The attack can be launched remotely. The...
Wordfence Intelligence Weekly WordPress Vulnerability Report (April 27, 2026 to May 3, 2026)
Last week, there were 87 vulnerabilities disclosed in 198 WordPress Plugins and 5 WordPress Themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 61 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities ...
CVE-Hunter-2026
CVE Hunter 2026 AI-assisted penetration testing tool that det...
CVE-2026-44262
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 11:00:04+00:00 | seen | https://t.me/GithubRedTeam/83199 |
| 2026-05-07 15:00:07+00:00 | seen | Telegram/Oe3myBcohAaGdxUcA5YqeGGADBaBeF3XGiX3aOj54Bo8U |
| 2026-05-07 15:00:15+00:00 | seen | Telegram/N3SJRV4ZtVW52SnI4hPtvo0ahEWVD2vwvltAM5Jrkt0Pak |
| 2026-05-13... | | |
wifi: rtw89: pci: validate release report content before using for RTL8922DE
...
CVE-2026-5786
| creationtimestamp | type | source |
|---|---|---|
| 2026-05-07 07:54:45+00:00 | seen | https://ccb.belgium.be/advisories/warning-authenticated-remote-code-execution-vulnerability-ivanti-epmm-exploited-patch |
| 2026-05-07 08:14:00+00:00 | seen | https://www.kyberturvallisuuskeskus.fi/fi/haavoittuvuus-2026-12... |
SUSE CVE-2026-43047
In the Linux kernel, the following vulnerability has been resolved: HID: multitouch: Check to ensure report responses match the request It is possible for a malicious or clumsy device to respond to a specific report's feature request using a completely different report ID. This can cause confusio...
SUSE CVE-2026-43051
In the Linux kernel, the following vulnerability has been resolved: HID: wacom: fix out-of-bounds read in wacom_intuos_bt_irq The wacom_intuos_bt_irq function processes Bluetooth HID reports without sufficient bounds checking. A maliciously crafted short report can trigger an out-of-bounds read when...
SUSE CVE-2026-43136
In the Linux kernel, the following vulnerability has been resolved: HID: logitech-hidpp: Check maxfield in hidpp_get_report_length Do not crash when a report has no fields. Fake USB gadgets can send their own HID report descriptors and can define report structures without valid fields. This can be...
SUSE CVE-2026-43251
In the Linux kernel, the following vulnerability has been resolved: HID: prodikeys: Check presence of pm->input_ep82 Fake USB devices can send their own report descriptors for which the input_mapping hook does not get called. In this case, pm->input_ep82 stays NULL, which leads to a crash later. This...
groovestrike
GrooveStrike Autonomous Penetration Testing Framework...
Tp-Link Archer AX53 v1.0 Openvpn configuration restore script_security OS command injection vulnerability
Talos Vulnerability Report TALOS-2025-2303 Tp-Link Archer AX53 v1.0 Openvpn configuration restore script_security OS command injection vulnerability May 7, 2026 CVE Number CVE-2026-30815 SUMMARY An OS command injection vulnerability exists in the Openvpn configuration restore script_security...
PT-2026-38601
Name of the Vulnerable Software and Affected Versions huangjunsen0406 xiaozhi-mcphub versions prior to 1.0.4 Description A path traversal issue exists in the src/controllers/dxtController.ts file. A remote attacker can exploit this by manipulating the manifest.name argument, allowing unauthorized...
CVE-2026-43251
A flaw was found in the Linux kernel's Human Interface Device (HID) prodikeys driver. A local attacker can exploit this vulnerability by connecting a specially crafted Universal Serial Bus (USB) device. This device can send a malicious report descriptor, bypassing a necessary check and causing a null...
GHSA-Q98M-7W8C-W388 Kyverno policy-reporter-ui has XSS via Stored Property Values in PropertyCard Component
Summary Vue 3's v-html directive is the framework-documented mechanism for injecting raw HTML, and it intentionally disables the auto-escaping that interpolation provides. The PropertyCard.vue component uses v-html for the else branch of the URL check, meaning any non-URL string value flows...