Lucene search

366584 matches found

added 2026/06/02 6:30 p.m. | 15 views

CVE-2026-10616

CVE-2026-10616 affects nextlevelbuilder GoClaw up to 3.11.3. The vulnerability resides in TeamTasksTool.executeComplete (internal/tools/team_tasks_lifecycle.go), where a manipulation can lead to missing authorization. The issue can be exploited remotely and the exploit has been made publicly avai...

CVSS 5.3 | AI score 5.5 | EPSS 0.00206
Exploits: 0 | References: 6

added 2026/06/02 6:29 p.m. | 96 views

CVE-2026-34993

In CVE-2026-34993, AIOHTTP prior to 3.14.0 is vulnerable: using CookieJar.load() with untrusted input may lead to arbitrary code execution. The issue stems from deserializing untrusted data in the cookie jar. The advisory notes that most applications will be unaffected since data are user-owned, ...

CVSS 7.3 | AI score 6.1 | EPSS 0.00115
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/02 6:23 p.m. | 113 views

CVE-2026-42342

CVE-2026-42342 affects React Router and Remix Server Runtime: versions 7.0.0–7.14.x of react-router and 2.10.0–2.17.4 of @remix-run/server-runtime are vulnerable to DoS via unbounded path expansion on the __manifest endpoint, causing high resource usage and potential unavailability for Framework ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00299
Exploits: 0 | References: 1 | Affected Software: 2

added 2026/06/02 6:20 p.m. | 17 views

CVE-2025-64390

CVE-2025-64390 describes a privilege-escalation in PlayStation 4 firmware 13.00–13.02 where the BD-J sandbox can be escaped via a malformed JAR. Connected sources (NVD, CVE list mirrors, AttackersKB, and HackerOne report) explain the root cause: a mismatch between security policy path canonicaliz...

CVSS 7.4 | AI score 5.8 | EPSS 0.00085
Exploits: 0 | References: 1

added 2026/06/02 6:18 p.m. | 121 views

CVE-2026-42211

CVE-2026-42211 affects React Router versions 7.0.0–7.14.1 when used in Framework Mode. A combination of steps could enable a prototype pollution condition that an attacker could leverage in a two-step process to trigger unauthorized remote code execution on the remote server. The issue does not i...

CVSS 8.1 | AI score 6.5 | EPSS 0.00416
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 6:5 p.m. | 17 views

CVE-2026-49120

Medplum's SSRF flaw (CVE-2026-49120) affects Medplum before 5.1.14 in the subscription worker. An authenticated user can create FHIR Subscription resources with arbitrary endpoint URLs, enabling server-side requests to internal addresses (e.g., metadata services, internal databases, container orc...

CVSS 8.5 | AI score 6 | EPSS 0.00229
Exploits: 0 | References: 4

added 2026/06/02 6:0 p.m. | 14 views

CVE-2026-10608

This CVE affects DedeCMS 5.7.88 and the vulnerable component is the function RemoveXSS in the file /plus/carbuyaction.php . The root cause is described as manipulation of the arguments postname/des leading to an SQL injection vulnerability. The impact is described as enabling remote exploitation ...

CVSS 7.5 | AI score 6.9 | EPSS 0.00308
Exploits: 0 | References: 4

added 2026/06/02 5:55 p.m. | 103 views

CVE-2026-40181

Summary: CVE-2026-40181 affects React Router. In versions 7.0.0–7.14.0 and 6.7.0–6.30.3, redirect() can produce an open redirect to an external domain when the URL starts with //, due to protocol-relative URL handling. Impact depends on application-side redirect validation and does not affect Dec...

CVSS 8.7 | AI score 5.8 | EPSS 0.00162
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 5:45 p.m. | 23 views

CVE-2026-10607

The vulnerability CVE-2026-10607 affects DedeCMS 5.7.88. The issue resides in the function dede_htmlspecialchars in /plus/flink.php, where manipulation of the msg argument leads to an SQL injection. Attacks can be remote, and exploitation is publicly available. Impact is described as potentially ...

CVSS 7.5 | AI score 7 | EPSS 0.00313
Exploits: 0 | References: 4

added 2026/06/02 5:31 p.m. | 83 views

CVE-2026-34077

React Router upstream vulnerability CVE-2026-34077 affects versions 7.7.0–7.13.1 where, when using unstable React Server Components APIs, the RSC redirect handling can lead to a client-side XSS if redirects come from untrusted sources. The issue does not impact non-RSC applications. A fix is avai...

CVSS 7.5 | AI score 5.8 | EPSS 0.00294
Exploits: 0 | References: 1 | Affected Software: 2

added 2026/06/02 5:29 p.m. | 13 views

CVE-2019-25721

CVE-2019-25721 affects Dräger Infinity M300 patient-worn monitors with software VG2.3.1 and earlier. The issue is a network‑based denial-of-service vulnerability that lets network-adjacent attackers repeatedly trigger device reboots by sending malicious requests over the Infinity Network, forcing...

CVSS 7.1 | AI score 5.8 | EPSS 0.00187
Exploits: 0 | References: 2

added 2026/06/02 5:28 p.m. | 5 views

CVE-2026-1829

CVE-2026-1829 affects the WordPress plugin Content Visibility for Divi Builder. The NVD/NVD-derived records indicate a Remote Code Execution vulnerability in all versions up to and including 4.02, exploitable via the et_pb_text shortcode parameter cvdb_content_visibility_check. The root cause is ...

CVSS 8.8 | AI score 6.1 | EPSS 0.00682
Exploits: 0 | References: 3

added 2026/06/02 5:26 p.m. | 17 views

CVE-2026-8036

NI-PAL is affected by improper input validation that may allow a local authenticated user to access arbitrary system memory, enabling privilege escalation. Affected: NI-PAL 26.3.0 and prior on Windows and Linux. Root cause: input validation weakness. Impact: local privilege escalation with potent...

CVSS 8.4 | AI score 5.9 | EPSS 0.00107
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 5:22 p.m. | 16 views

CVE-2026-8035

Technical details for CVE-2026-8035 are not publicly available in the provided documents. Monitor for updates from NI and security advisories.

CVSS 7.1 | AI score 5.8 | EPSS 0.00096
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 5:16 p.m. | 19 views

CVE-2026-10702

CVE-2026-10702 is a Firefox issue involving a JIT miscompilation in the JavaScript Engine (JIT component). The vulnerability was fixed in Firefox 151.0.3. The CVSS score is 4.3 (Medium) with network attack vector, user interaction required, and availability impact of Low. Affected product: Mozill...

CVSS 4.3 | AI score 5.8 | EPSS 0.00199
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/02 5:15 p.m. | 20 views

CVE-2026-10701

CVE-2026-10701 relates to an Incorrect boundary condition in Firefox’s Graphics: Text component. Connected sources confirm this is addressed by the Firefox 151.0.3 update, fixing the vulnerability. The issue is described as a boundary condition problem within the Graphics: Text component and is i...

CVSS 7.5 | AI score 5.8 | EPSS 0.00267
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/02 5:14 p.m. | 72 views

CVE-2026-33245

CVE-2026-33245 affects React Router versions 7.7.0–7.13.1 when using unstable React Server Components (RSC) APIs. The issue is a client-side XSS vulnerability in the RSC redirect handling if redirects originate from untrusted sources. Applications not using the unstable RSC APIs are not affected....

CVSS 8 | AI score 5.8 | EPSS 0.00188
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 5:12 p.m. | 11 views

CVE-2026-41577

CVE-2026-41577 affects the open‑source identity provider authentik. The SAML source response processor (ResponseProcessor.parse()) does not validate the Conditions element on assertions prior to versions 2025.12.5 and 2026.2.3. Specifically, NotBefore, NotOnOrAfter, and AudienceRestriction are ig...

CVSS 7.5 | AI score 5.7 | EPSS 0.00169
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 4:59 p.m. | 33 views

CVE-2026-33244

CVE-2026-33244 affects React Router in versions 7.5.1–7.13.1 when using Framework Mode with pre-rendering enabled. The issue is improper neutralization of the HTTP Location header value, allowing Cross-Site Scripting (XSS) in statically generated HTML if the redirect target comes from an untruste...

CVSS 5.4 | AI score 5.8 | EPSS 0.00144
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 4:49 p.m. | 34 views

CVE-2026-24237

CVE-2026-24237 (NVIDIA NVTabular) involves improper deserialization of untrusted data in NVTabular. The connected NVIDIA Security Bulletin confirms the vulnerability could allow code execution, data tampering, information disclosure, and denial of service. Affected: all NVIDIA NVTabular versions ...

CVSS 7.8 | AI score 5.8 | EPSS 0.0017
Exploits: 0 | References: 3 | Affected Software: 1

added 2026/06/02 4:48 p.m. | 37 views

CVE-2026-24221

NVIDIA NVTabular contains CVE-2026-24221, a vulnerability due to improper deserialization of untrusted data. The issue could allow a local attacker with low privileges to trigger code execution, data tampering, information disclosure, and denial of service. A fix is available: update to version 0...

CVSS 7.8 | AI score 5.8 | EPSS 0.0017
Exploits: 0 | References: 3 | Affected Software: 1

added 2026/06/02 4:44 p.m. | 19 views

CVE-2026-40571

CVE-2026-40571 (NamelessMC) affects NamelessMC website software for Minecraft servers. In version 2.2.4, the file core/classes/Misc/ProfilePostReactionContext.php only verifies that the wall post exists and does not enforce blocked/private-profile visibility. As a result, authenticated low-privil...

CVSS 5.3 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1

added 2026/06/02 4:41 p.m. | 17 views

CVE-2026-35447

NamelessMC web software (Minecraft servers) is affected by CVE-2026-35447 in version 2.2.4. The flaw resides in the profile page (modules/Core/pages/profile.php), where wall post submissions and replies are processed before verifying the viewer’s authorization. This allows any user with the profi...

CVSS 5.3 | AI score 5.9 | EPSS 0.00236
Exploits: 0 | References: 1

added 2026/06/02 4:30 p.m. | 18 views

CVE-2026-10606

CVE-2026-10606 affects DedeCMS 5.7.88, specifically the TrimMsg function in /plus/feedback.php (Feedback Handler). Manipulating the msg argument can cause a SQL injection. The issue is exploitable remotely with publicly disclosed exploit material; CVSS metrics indicate network access, low attack ...

CVSS 7.5 | AI score 6.9 | EPSS 0.00254
Exploits: 0 | References: 4

added 2026/06/02 4:16 p.m. | 22 views

CVE-2026-49943

CZ.NIC BIRD Internet Routing Daemon (up to version 2.19.0) is affected by a stack-based buffer overflow in the BGP AS_PATH mask matching implementation (nest/a-path.c). The as_path_match() routine uses a fixed-size stack capable of 2048 + 1 pm_pos entries, while parse_path() expands AS_PATH segme...

CVSS 6.3 | AI score 6.1 | EPSS 0.003
Exploits: 2 | References: 2

added 2026/06/02 4:14 p.m. | 15 views

CVE-2026-40715

Summary: Dell ThinOS 10 (pre-2602_10.0765) contains an Improper Access Control vulnerability that enables privilege escalation for a low-privilege, locally authenticated attacker. Affected component: ThinOS 10; root cause: improper access control. Impact: potential privilege escalation. Exploitat...

CVSS 7.8 | AI score 5.8 | EPSS 0.001
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 4:13 p.m. | 33 views

CVE-2026-1871

CVE-2026-1871 affects TP-Link Tapo C200 v5. The issue is a stack-based buffer overflow in the RTSP authentication handling caused by improper validation of Authorization header lengths. Exploitation triggers a crash of the RTSP core service and an automatic system reboot, resulting in a DoS that ...

CVSS 7.1 | AI score 6.1 | EPSS 0.00305
Exploits: 0 | References: 4 | Affected Software: 1

added 2026/06/02 4:8 p.m. | 18 views

CVE-2026-40713

CVE-2026-40713 concerns Dell ThinOS 10, specifically versions prior to ThinOS10_2602_10.0765, with an improper access control vulnerability. The vulnerability allows an unauthenticated attacker who has physical access to potentially cause information exposure. The available documents do not provi...

CVSS 6.1 | AI score 5.8 | EPSS 0.00152
Exploits: 0 | References: 1 | Affected Software: 1

added 2026/06/02 4:8 p.m. | 14 views

CVE-2026-40314

NamelessMC (Minecraft server website software) 2.2.4 is affected by an authorization issue where core/classes/Misc/ProfilePostReactionContext.php only verifies the wall post exists and fails to enforce blocked/private-profile visibility, while modules/Core/queries/reactions.php permits unauthenti...

CVSS 6.9 | AI score 5.8 | EPSS 0.00272
Exploits: 0 | References: 1

added 2026/06/02 3:57 p.m. | 13 views

CVE-2024-42206

Technical details are not publicly available in the provided documents. Monitor for updates on affected components, root cause, and remediation.

CVSS 3.1 | AI score 5.8 | EPSS 0.00151
Exploits: 0 | References: 1

added 2026/06/02 3:50 p.m. | 15 views

CVE-2026-35443

NamelessMC (website software for Minecraft servers) is affected in version 2.2.4. The vulnerability lies in modules/Forum/classes/ForumPostReactionContext.php, where topic-level view_other_topics authorization is not re-enforced, allowing reactions on other users’ topics to be read and modified. ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00235
Exploits: 0 | References: 1

added 2026/06/02 3:39 p.m. | 24 views

CVE-2026-0611

Summary: CVE-2026-0611 affects Spacelabs Healthcare Sentinel 10.5.x and higher and Sentinel 11.x.x prior to 11.6.0. A deprecated .NET Remoting HTTP channel exposed on port 8989 allows unauthenticated remote code execution by supplying valid .NET URI endpoints, enabling arbitrary file read/write a...

CVSS 9.8 | AI score 6.5 | EPSS 0.00664
Exploits: 0 | References: 3

added 2026/06/02 3:38 p.m. | 18 views

CVE-2026-42073

Summary: CVE-2026-42073 affects OpenClaude MCP OAuth callback flow. A logic flaw in the conditional order allows an attacker to bypass the CSRF state check when an error parameter is present, forcing the local OAuth callback server to shut down (DoS) without knowing the expected state. Affected c...

CVSS 6.5 | AI score 5.8 | EPSS 0.00219
Exploits: 1 | References: 3 | Affected Software: 1

added 2026/06/02 3:38 p.m. | 33 views

CVE-2026-42074

OpenClaude

CVSS 9.8 | AI score 6 | EPSS 0.00544
Exploits: 1 | References: 3 | Affected Software: 1

added 2026/06/02 3:35 p.m. | 17 views

CVE-2026-45554

NiceGUI is a Python UI framework. Before version 3.12.0, two FastAPI routes serving per-component static assets accept a sub-path that can resolve to a directory, causing an unhandled RuntimeError inside Starlette’s FileResponse. Uvicorn logs the full traceback, and since these routes require no ...

CVSS 5.3 | AI score 5.8 | EPSS 0.00343
Exploits: 0 | References: 2

added 2026/06/02 3:34 p.m. | 27 views

CVE-2026-10591

CVE-2026-10591 affects Amazon Kiro IDE prior to 0.11. The issue is insufficient access control in the file write tool, allowing remote unauthenticated actors to cause writes to execution-sensitive paths (e.g., .vscode/tasks.json), enabling automatic execution on folder open. Impact is high: poten...

CVSS 8.8 | AI score 6.1 | EPSS 0.00373
Exploits: 0 | References: 2 | Affected Software: 1

added 2026/06/02 3:34 p.m. | 14 views

CVE-2026-45553

CVE-2026-45553 affects NiceGUI prior to v3.12.0. The server-side reStructuredText renderer (ui.restructured_text) passes content through Docutils without disabling file insertion directives, enabling an attacker-controlled input to trigger include, csv-table with :file:, or raw with :file:. This ...

CVSS 7.5 | AI score 5.8 | EPSS 0.00255
Exploits: 0 | References: 2

added 2026/06/02 3:30 p.m. | 17 views

CVE-2026-45080

Klaw (the self-service Apache Kafka Topic Management/Governance portal) is affected prior to version 2.10.4 by improper access control that can disclose password hashes. The issue is resolved in version 2.10.4. Affected software/components: Klaw; root cause: improper access control leading to pas...

CVSS 6.9 | AI score 5.7 | EPSS 0.00249
Exploits: 0 | References: 2

added 2026/06/02 3:29 p.m. | 14 views

CVE-2026-44367

Klaw (self-service Apache Kafka Topic Management/Governance tool) is affected prior to v2.10.4 by inconsistent case-sensitivity handling in user registration and login, enabling targeted DoS and complete account lockout. Root cause: username case handling leads to lockout conditions. Impact: Deni...

CVSS 2.7 | AI score 5.7 | EPSS 0.00236
Exploits: 0 | References: 2

added 2026/06/02 3:29 p.m. | 14 views

CVE-2026-34460

NamelessMC (Minecraft server website software) is affected in versions up to 2.2.4 where the OAuth callback handling does not validate the state parameter server‑side before exchanging the authorization code. This can let an attacker capture a valid OAuth callback URL for their own account and ca...

CVSS 5.4 | AI score 5.8 | EPSS 0.00114
Exploits: 0 | References: 1

added 2026/06/02 3:25 p.m. | 35 views

CVE-2026-45686

OpenTelemetry eBPF Instrumentation contains a remote integer overflow in OBI’s memcached text protocol parser (memcached_detect_transform.go) that can crash the OBI process and cause denial of service. Affected versions are 0.7.0 through before 0.9.0; the parser accepts large values for storage ...

CVSS 7.5 | AI score 5.9 | EPSS 0.00353
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:25 p.m. | 23 views

CVE-2026-45685

Summary: OpenTelemetry eBPF Instrumentation is affected by a remote DoS in its MongoDB parser. From version 0.1.0 up to before 0.9.0, malformed MongoDB wire messages can trigger uncaught panics in the MongoDB TCP parser, allowing an unauthenticated attacker to crash the telemetry agent and termin...

CVSS 7.5 | AI score 5.8 | EPSS 0.00462
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:25 p.m. | 23 views

CVE-2026-45684

OpenTelemetry eBPF Instrumentation (OBI) log enricher vulnerability CVE-2026-45684: in versions 0.7.0–0.8.x, the writev path mishandles buffers by reading only the first iovec entry while using the total iov_iter.count for the copy length. When log injection is enabled, a crafted multi-segment wr...

CVSS 5.3 | AI score 5.8 | EPSS 0.00172
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:25 p.m. | 18 views

CVE-2026-45683

OpenTelemetry eBPF Instrumentation (Java TLS ioctl) is affected prior to version 0.9.0. The vulnerability stems from the probe reading user-supplied ioctl pointers with bpf_probe_read instead of bpf_probe_read_user, enabling a local attacker to cause the kernel memory pointed to by user space to ...

CVSS 3.8 | AI score 5.7 | EPSS 0.00174
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:25 p.m. | 19 views

CVE-2026-45681

Summary: OpenTelemetry eBPF Instrumentation contains a memory‑read overflow in the CPU‑mismatch fallback path. Prior to version 0.9.0, a 256‑byte backup buffer is used for the per‑CPU message buffer, while the logical payload size can reach 8KB. If a CPU mismatch occurs, the code can read beyond ...

CVSS 5.9 | AI score 5.8 | EPSS 0.00287
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:24 p.m. | 15 views

CVE-2026-45680

CVE-2026-45680 affects OpenTelemetry eBPF Instrumentation (OBI) prior to version 0.9.0. The root cause is an unbounded delta in calculateStats(), where bp.runCount − bp.prevRunCount is used without a cap, causing the exporter to loop over probe hits for large run-count deltas. This can lead to hi...

CVSS 7.5 | AI score 5.8 | EPSS 0.00319
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:24 p.m. | 18 views

CVE-2026-45679

CVE-2026-45679 affects OpenTelemetry eBPF Instrumentation (OBI). Prior to version 0.9.0, OBI exports raw Redis error text as the span status message, causing Redis error replies to be exposed in telemetry backends. This can leak attacker-controlled or sensitive data (tokens, PII, etc.) into downs...

CVSS 6.5 | AI score 5.7 | EPSS 0.00212
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:24 p.m. | 17 views

CVE-2026-45678

The CVE-2026-45678 vulnerability affects OpenTelemetry eBPF Instrumentation before version 0.9.0, where the Postgres BIND parsing logic mishandles BIND payloads that are empty or unterminated. The issue arises in the Postgres protocol parser that assumes a NUL-terminated portal name; a crafted pa...

CVSS 7.5 | AI score 5.9 | EPSS 0.00341
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:23 p.m. | 25 views

CVE-2026-45676

CVE-2026-45676 affects OpenTelemetry eBPF Instrumentation (OBI). Before version 0.9.0, OBI’s replacement ELF parser trusts section offsets, counts, and string offsets from the executable, allowing a crafted local ELF to trigger invalid dereferences or out-of-bounds slicing in the parser. The vuln...

CVSS 5.5 | AI score 5.8 | EPSS 0.00162
Exploits: 1 | References: 2 | Affected Software: 1

added 2026/06/02 3:23 p.m. | 18 views

CVE-2026-45682

OpenTelemetry eBPF Instrumentation CVE-2026-45682 describes a leak in CappedConcurrentHashMap used for Java TLS state tracking: when entries are deleted, keys are not removed from the insertion-order queue, allowing the queue to grow in long-running instrumented JVMs. The issue causes heap exhaus...

CVSS 5.5 | AI score 5.7 | EPSS 0.00161
Exploits: 1 | References: 2 | Affected Software: 1

Total number of security vulnerabilities: 366584