CVE-2026-40563 Apache Atlas: Script injection allows access to unintended data

Description: Improper Control of Generation of Code 'Code Injection' vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data Affect...

CVE-2026-40563

CVE-2026-40563 concerns Apache Atlas where an exposed DSL search endpoint accepts user-supplied query strings, enabling a code injection that can alter Gremlin traversal logic and access unintended data. Affected versions range from 0.8 through 2.4.0. For Atlas deployments using non-default confi...

WordPress addfreespace plugin <= 0.1.3 - Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability

Cross-Site Request Forgery to Stored Cross-Site Scripting vulnerability discovered by Muhammad Nur Ibnu Hubab Ibnu - Pondok Teknologi in WordPress Plugin addfreespace versions = 0.1.3...

CVE-2026-42519

A flaw was found in Jenkins Script Security Plugin. An attacker with Overall/Read permission can exploit a missing permission check to enumerate pending and approved Script Security classpaths. This information disclosure vulnerability allows unauthorized access to sensitive configuration details...

CVE-2026-7748

A weakness has been identified in Totolink N300RH 3.2.4-B20220812. Affected by this issue is the function setUpgradeFW of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. Executing a manipulation of the argument FileName can lead to buffer overflow. The attack can be launched...

CVE-2026-7748

Totolink N300RH (firmware 3.2.4-B20220812) is affected by a buffer overflow in the POST handler function setUpgradeFW within /cgi-bin/cstecgi.cgi. The vulnerability stems from manipulation of the FileName argument, allowing remote exploitation. Exploit code is publicly available per the CVE entry...

CVE-2026-7732 code-projects BloodBank Managing System request_blood.php unrestricted upload

A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file requestblood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used...

EUVD-2026-26873

A weakness has been identified in Totolink WA300 5.2cu.7112B20190227. The impacted element is the function setLanguageCfg of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. This manipulation of the argument langType causes command injection. Remote exploitation of the attack ...

EUVD-2026-26870

A security flaw has been discovered in Totolink WA300 5.2cu.7112B20190227. The affected element is the function loginauth of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument httphost results in buffer overflow. The attack may be launched...

CVE-2026-7718 Totolink WA300 POST Request cstecgi.cgi setWebWlanIdx command injection

A vulnerability was identified in Totolink WA300 5.2cu.7112B20190227. Impacted is the function setWebWlanIdx of the file /cgi-bin/cstecgi.cgi of the component POST Request Handler. The manipulation of the argument webWlanIdx leads to command injection. The attack may be initiated remotely. The...

PT-2026-36888

Name of the Vulnerable Software and Affected Versions Detect-It-Easy versions prior to 3.21 Description Insufficient path normalization during archive extraction allows attackers to write arbitrary files to the filesystem. By crafting malicious archive entries using absolute paths or relative...

TOTOLINK N300RH 缓冲区错误漏洞

TOTOLINK N300RH is a long-range wireless router produced by TOTOLINK Corporation. The version TOTOLINK N300RH 3.2.4-B20220812 contains a buffer overflow vulnerability. This vulnerability stems from the function setWanConfig in the component POST Request Handler, specifically the...

PT-2026-37360

sui-execution-cut included a build script that attempted to exfiltrate data from the build machine. The malicious crate had 1 version published on 2026-04-20 and had no evidence of actual usage. This crate had no dependencies on crates.io...

EUVD-2026-26959

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function...

Yeapook WDR201A WiFi Extender 安全漏洞

The Yeapook WDR201A WiFi Extender is a wireless signal extension device produced by the Yeapook company. The Yeapook WDR201A WiFi Extender in the HW V2.1 version and FW LFMZX28040922V1.02 version contain security vulnerabilities. These vulnerabilities stem from stack-based buffer overflows in the...

Yeapook WDR201A WiFi Extender 操作系统命令注入漏洞

The Yeapook WDR201A WiFi Extender is a wireless signal extension device from the Yeapook company. The WDR201A WiFi Extender HW V2.1 version and FW LFMZX28040922V1.02 version contain an operating system command injection vulnerability. This vulnerability stems from the gateway POST parameters in t...

PT-2026-36788

Name of the Vulnerable Software and Affected Versions Apache Atlas versions 0.8 through 2.4.0 Description An improper control of code generation issue exists in the DSL search endpoint, which accepts user-supplied query strings. An attacker can alter Gremlin traversal logic using grammar-allowed...

CVE-2026-31205

Cross Site Scripting vulnerability in Pluck CMS before v.4.7.21dev allows a remote attacker to escalate privileges via the editpage.php and the sanitizePageContent function...

TOTOLINK WA300 缓冲区错误漏洞

TOTOLINK WA300 is a wireless access point produced by TOTOLINK, a Chinese company. The TOTOLINK WA300 5.2cu.7112B20190227 version contains a buffer overflow vulnerability. This vulnerability stems from the function UploadCustomModule in the POST Request Handler component’s file...

CVE-2026-38751

CVE-2026-38751 affects OpenSTAManager versions prior to 2.11 (2.10 and earlier) and is an arbitrary file upload vulnerability in the module update endpoint (modules/aggiornamenti/upload_modules.php). The Red Hat/NVD/CVE records, along with PT-Security and CVE enrichment sources, confirm a vulnera...