CVE-2026-28699
CVE-2026-28699 affects Gitea: an OAuth2 access token presented over HTTP Basic Auth can bypass the intended scope. The root cause is that Basic-auth tokens were recorded with IsApiToken=true but ApiTokenScope was missing, allowing a token with read:user scope to perform write actions. A self-cont...
CVE-2026-49413
CVE-2026-49413 is documented in the FreeBSD advisory as a flaw in the Linuxulator: during Linux binary execution, AT_SECURE was incorrectly set to zero for set-uid/set-gid binaries because the P_SUGID flag isn’t yet established in execve. This allows an unprivileged local user to inject a shared ...
CVE-2026-45034
The connected advisory details a vulnerability in PhpSpreadsheet (shared/File.php: prohibitWrappers) related to candlestick-like bypass of an input path check for stream wrappers. The bypass occurs when parsing a path such as phar:///work/exploit.phar/dummy.csv, where parse_url returns false and ...
CVE-2026-48017
CVE-2026-48017 affects DbGate; concrete details are available. DbGate’s POST /runners/load-reader endpoint is vulnerable to functionName injection. The endpoint passes an unvalidated functionName into compileShellApiFunctionName and interpolates it directly into a server-side script template ...
CVE-2026-34914
CVE-2026-34914 relates to Revive Adserver, with vulnerable versions 6.0.6 and earlier. The connected reports describe multiple flaws: access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection. A specific issue is a blind SQL injection via the clientid paramet...
CVE-2026-34917
Technical details for CVE-2026-34917 are not publicly available in the provided documents. Monitor for updates as new information may be released.
CVE-2026-44959
The connected packetstorm news entry links CVE-2026-44959 to Revive Adserver 6.0.6 and earlier, describing vulnerabilities in these versions: access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection. The document does not specify the exact root cause, affect...
CVE-2026-34913
CVE-2026-34913 is reserved; connected documents reveal concrete details for Revive Adserver: versions 6.0.6 and earlier are affected. The vulnerability is a missing access control in linking trackers to campaigns via campaign-trackers.php, enabling a low-privileged user to associate trackers with...
CVE-2026-44961
The connected sources describe vulnerabilities affecting Revive Adserver 6.0.6 and earlier, including access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection. A HackerOne report cites stored XSS via malicious usernames in audit log details and a username va...
CVE-2026-44958
Revive Adserver versions 6.0.6 and earlier are reported vulnerable due to multiple flaws including access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection. A separate report notes that advertiser-level users could override banner status (activate/deactivate...
CVE-2026-34915
Revive Adserver is affected (versions 6.0.6 and earlier) by multiple vulnerabilities reported in connected sources: access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection. A specific, publicly discussed issue is a reflected XSS via the clientid parameter i...
CVE-2026-34916
Revive Adserver 6.0.6 and earlier are affected by multiple vulnerabilities including access control weaknesses, code injection, cross-site scripting (XSS), and remote SQL injection (SQLi). The HackerOne report mentions PHP code injection via delivery limitation logic, and PacketStormNews referenc...
CVE-2026-34912
Technical details for CVE-2026-34912 are not publicly provided in the supplied documents; connected items reference Revive Adserver vulnerabilities (≤6.0.6) but do not map directly to this CVE. Monitor for updates.
CVE-2026-44956
CVE-2026-44956 is linked to Revive Adserver vulnerabilities. Connected sources indicate Revive Adserver versions 6.0.6 and below are affected by multiple issues including access control problems, code injection, cross-site scripting (XSS), and remote SQL injection. A HackerOne report mentions Sto...
CVE-2026-26555
Technical details for CVE-2026-26555 are not publicly provided in the supplied documents. Monitor for updates from CIRCL and the GitHub repo for potential disclosures, PoCs, and remediation guidance.
CVE-2026-26897
CVE-2026-26897 affects EcoOnline EHS for Android (com.airsweb.v10), prior to fix 0.2.500. Root cause: deep-link handler rewrites ehs-app:// URIs to https: and loads them in a WebView without applying the host allow-list, enabling arbitrary attacker-controlled content to render inside the trusted ...
CVE-2022-42005
CVE-2022-42005 concerns Tesla ODIN/infotainment components where persistence is achieved via svlogd log-rotation. The exploit chain described in the connected GitHub exploit shows root access obtained through the ODIN interface and a subsequent persistence method: replacing the svlogd log-rotatio...
CVE-2026-38444
CVE-2026-38444 is linked to a stored XSS in osTicket (<= 1.18.3) via the From header display name (CWE-79). The GitHub exploit collection confirms an exploit advisory for this CVE. Affected software/version: osTicket
CVE-2026-8380
CVE-2026-8380 describes a critical authorization bypass in WordPress Frontend File Manager (nmedia-user-file-uploader)
CVE-2026-48778
Technical details for CVE-2026-48778 are not publicly available in the provided documents. No affected products, root cause, impact, or remediation are disclosed here. Monitor for updates from official advisories.