CVE-2026-39815

A improper neutralization of special elements used in an sql command 'sql injection' vulnerability in Fortinet FortiDDoS-F 7.2.1 through 7.2.2 may allow attacker to execute unauthorized code or commands via sending crafted HTTP requests...

Malicious code in vxui-react (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector bde616ebc21909bfa386bf8e49438da710f48b62ae3127f2a7259c71557a4242 package.json declares a postinstall script that runs curl -skL...

Malicious code in @service-suppliers/select-supplier-watcher-saga (npm)

--- -= Per source details. Do not edit below this line.=- Source: amazon-inspector 3829c1a8be4ed51ad5c9d714d223cb037f7d76df868b73e63c69c6c60ff8dbf3 On npm install, scripts/postinstall.js fetches a platform-specific script from https://oob.moika.tech/payload/linux|mac|win, writes it to the OS temp...

SQL Injection

SiYuan is vulnerable to SQL Injection. The vulnerability is due to direct execution of user-supplied SQL statements in the /api/search/fullTextSearchBlock endpoint without authorization or validation checks, which allows an attacker to execute arbitrary SQL commands against the database...

CVE-2026-6848

A flaw was found in Red Hat Quay. When Red Hat Quay requests password re-verification for sensitive operations, such as token generation or robot account creation, the re-authentication prompt can be bypassed. This allows a user with a timed-out session, or an attacker with access to an idle...

CVE-2026-40252

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

CVE-2026-40252

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

CVE-2026-40252 Broken Access Control (IDOR) Leading to Cross-Tenant Application Access in FastGPT

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

PT-2026-32044

FastGPT is an AI Agent building platform. Prior to 4.14.10.4, Broken Access Control vulnerability IDOR/BOLA allows any authenticated team to access and execute applications belonging to other teams by supplying a foreign appId. While the API correctly validates the team token, it does not verify...

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in the createUser process in auth/proxy.go when proxy authentication is enabled and default settings include non-empty commands. An attacker can gain unauthorized execution capabilities and access to...

Improper Privilege Management

Overview Affected versions of this package are vulnerable to Improper Privilege Management in the createUser process in auth/proxy.go when proxy authentication is enabled and default settings include non-empty commands. An attacker can gain unauthorized execution capabilities and access to...

EUVD-2026-11557

SGLang's multimodal generation module is vulnerable to unauthenticated remote code execution through the ZMQ broker, which deserializes untrusted data using pickle.loads without authentication...

IBM Storage Scale 安全漏洞

IBM Storage Scale is a storage solution offered by the American multinational company International Business Machines IBM. It aims to help businesses effectively manage and scale storage resources to meet growing data storage needs. Versions 5.2.3.0 to 5.2.3.5, as well as versions 6.0.0.0 to...

Command Injection

Overview openclaw is a 🦞 OpenClaw — Personal AI Assistant Affected versions of this package are vulnerable to Command Injection via the POST /tools/invoke endpoint. An attacker can gain unauthorized command execution and escalate privileges by invoking high-risk session orchestration tools and...

CVE-2026-2127

CVE-2026-2127 describes an authenticated arbitrary shortcode execution flaw in the WordPress plugin SiteOrigin Widgets Bundle (versions

PlaciPy 授权问题漏洞

PlaciPy is an open-source tool developed by PlaciPy to generate placeholder images. Version 1.0.0 of PlaciPy has a vulnerability related to authorization issues. This vulnerability stems from the code evaluation endpoint not verifying the lifecycle status of evaluations, which may lead to...

CVE-2024-39905

Red is a fully modular Discord bot. Due to a bug in Red's Core API, 3rd-party cogs using the @commands.canmanagechannel command permission check without additional permission controls may authorize a user to run a command even when that user doesn't have permissions to manage a channel. None of t...

CVE-2025-66848

JD Cloud NAS routers AX1800 4.3.1.r4308 and earlier, AX3000 4.3.1.r4318 and earlier, AX6600 4.5.1.r4533 and earlier, BE6500 4.4.1.r4308 and earlier, ER1 4.5.1.r4518 and earlier, and ER2 4.5.1.r4518 and earlier contain an unauthorized remote command execution vulnerability...

CVE-2025-59366

An authentication-bypass vulnerability exists in AiCloud. This vulnerability can be triggered by an unintended side effect of the Samba functionality, potentially leading to allow execution of specific functions without proper authorization. Refer to the Security Update for ASUS Router Firmware...

CVE-2025-58412

A improper neutralization of script-related html tags in a web page basic xss vulnerability in Fortinet FortiADC 8.0.0, FortiADC 7.6.0 through 7.6.3, FortiADC 7.4 all versions, FortiADC 7.2 all versions may allow attacker to execute unauthorized code or commands via crafted URL...