366604 matches found

CVE
added 2026/06/02 7:28 a.m. | 30 views

CVE-2026-3514

The CVE-2026-3514 entry describes an authentication bypass in prefecthq/prefect v3.6.19 caused by the authentication middleware exempting URL paths ending with “health” or “ready” from authentication checks. This bypass enables unauthorized access to resources via name-based endpoints for variabl...

CVSS 7.5 | AI score 7.1 | EPSS 0.00476
Exploits: 1 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 7:22 a.m. | 42 views

CVE-2026-1784

CVE-2026-1784 affects the Route OpenShift resource (OpenShift route definitions using HAProxy) where checks on the spec.path YAML stanza are insufficient, allowing controlled injection of the HAProxy configuration. The CVE description and linked records indicate this can lead to remote code execu...

CVSS 8.8 | AI score 5.8 | EPSS 0.00139
Exploits: 0 | References: 8 | Affected Software: 1
CVE
added 2026/06/02 6:0 a.m. | 29 views

CVE-2026-8293

CVE-2026-8293 affects the WordPress plugin Really Simple Security (before 9.5.10.1). The issue: two-factor authentication REST endpoints do not enforce the second-factor challenge, allowing an attacker who knows a user’s password to obtain a WordPress authentication session without completing the...

CVSS 7.5 | AI score 5.8 | EPSS 0.00236
Exploits: 0 | References: 1
CVE
added 2026/06/02 3:28 a.m. | 133 views

CVE-2026-8206

The CVE-2026-8206 entry documents an unauthenticated privilege-escalation vulnerability in the Kirki – Freeform Page Builder for WordPress, affecting versions 6.0.0–6.0.6. The root cause is in the password-reset flow: the vulnerable CompLibFormHandler.php reads an attacker-supplied email from the...

CVSS 9.8 | AI score 5.9 | EPSS 0.0126
In wild | Exploits: 4 | References: 8
CVE
added 2026/06/02 2:50 a.m. | 24 views

CVE-2026-3198

MLflow 3.9.0 with basic-auth fails authorization for multiple Gateway API 'list' endpoints. The BEFORE_REQUEST_HANDLERS dictionary in mlflow/server/auth/__init__.py lacks entries for ListGatewaySecretInfos, ListGatewayEndpoints, and ListGatewayModelDefinitions, allowing any authenticated user to enu...

CVSS 6.5 | AI score 6.6 | EPSS 0.00244
Exploits: 1 | References: 1 | Affected Software: 1
CVE
added 2026/06/02 2:45 a.m. | 21 views

CVE-2026-10583

A vulnerability in nextlevelbuilder GoClaw up to 3.11.3 affects the Import function in internal/http/tts_config.go (TTS Configuration Endpoint). The issue enables server-side request forgery (SSRF) and can be triggered remotely. Exploit details have been publicly disclosed, and the project charac...

CVSS 5.8 | AI score 5.4 | EPSS 0.00227
Exploits: 0 | References: 7
CVE
added 2026/06/02 2:30 a.m. | 22 views

CVE-2026-10581

CVE-2026-10581 affects DedeCMS 5.7.88. The vulnerability lies in the function base64_decode in /plus/download.php?open=1, where manipulation of the Link argument triggers a server-side request forgery (SSRF). Remote exploitation is possible, and the exploit has been published. The available docum...

CVSS 6.5 | AI score 6.3 | EPSS 0.00201
Exploits: 0 | References: 4
CVE
added 2026/06/02 2:15 a.m. | 20 views

CVE-2026-10568

CVE-2026-10568 affects itsourcecode Fees Management System 1.0. The vulnerability is an SQL injection in an unknown function of /manage_payment.php triggered by tampering with the ID parameter. Attackable remotely with network access; the exploit is public. Documentation provides CVSS-derived met...

CVSS 6.5 | AI score 6.5 | EPSS 0.002
Exploits: 0 | References: 6
CVE
added 2026/06/02 2:4 a.m. | 20 views

CVE-2026-3871

CVE-2026-3871 describes a buffer overflow in the UPnP DeletePortMapping() command in Zyxel VMG4005-B50B firmware up to 5.13(ABRL.5.4)C0. An adjacent attacker could trigger a temporary DoS affecting UPnP functionality. The exposed impact is the availability of the UPnP service (CVSSv3.1: AV = Adja...

CVSS 6.5 | AI score 6 | EPSS 0.00168
Exploits: 0 | References: 1
CVE
added 2026/06/02 2:0 a.m. | 21 views

CVE-2026-10567

The CVE concerns 1Panel-dev CordysCRM up to version 1.4.1. The vulnerability is in ModuleFormController/ModuleFormService.java (Save function); manipulating the Description argument leads to cross-site scripting (XSS). Exploitation is possible remotely and the exploit has been disclosed publicly....

CVSS 5.1 | AI score 4.1 | EPSS 0.00237
Exploits: 0 | References: 9
CVE
added 2026/06/02 1:56 a.m. | 16 views

CVE-2026-10510

CVE-2026-10510 describes a Cross-Site Scripting (XSS) vulnerability in the GeniexWebView component of the Transsion AI Assistant Lifestyle app (package: com.transsion.aiassistantlifestyle) on Android. All versions appear affected. The underlying issue allows a remote attacker to execute arbitrary...

CVSS 6.1 | AI score 6.1 | EPSS 0.00155
Exploits: 0 | References: 1
CVE
added 2026/06/02 1:54 a.m. | 20 views

CVE-2026-3870

Zyxel VMG4005-B50B firmware versions up to 5.13(ABRL.5.4)C0 contain a buffer overflow in the UPnP AddPortMapping() command. This vulnerability could allow an adjacent attacker to trigger a temporary denial-of-service (DoS) condition affecting the UPnP function of the device. The available documen...

CVSS 6.5 | AI score 6 | EPSS 0.00168
Exploits: 0 | References: 1
CVE
added 2026/06/02 1:45 a.m. | 20 views

CVE-2026-10566

FoundationAgents MetaGPT (up to 0.8.2) contains a deserialization vulnerability in metagpt/schema.py: Message.check_instruct_content. By manipulating the argument mapping, an attacker can trigger deserialization with local access. An exploit has been publicly released; the project was informed vi...

CVSS 5.3 | AI score 5.7 | EPSS 0.00122
Exploits: 0 | References: 6
CVE
added 2026/06/02 1:30 a.m. | 19 views

CVE-2026-10565

CVE-2026-10565 affects Open5GS up to 2.7.6, in NGAP Handover’s function gmm_state_security_mode (src/amf/gmm-sm.c). The issue is a race condition caused by manipulation, exploitable remotely with high attack complexity and low likelihood of full compromise; impact includes partial availability. T...

CVSS 3.1 | AI score 5 | EPSS 0.00224
Exploits: 0 | References: 8
CVE
added 2026/06/02 1:28 a.m. | 31 views

CVE-2026-10100

Technical details are not publicly available in the provided documents. No connected documents with concrete technical details were found. Monitor for updates.

CVSS 4.4 | AI score 5.9 | EPSS 0.00183
Exploits: 0 | References: 3
CVE
added 2026/06/02 1:28 a.m. | 26 views

CVE-2026-3722

The CVE concerns the WordPress plugin “Auto Image Attributes From Filename With Bulk Updater” (versions ≤ 4.9). The root cause is insufficient input sanitization and output escaping in attachment metadata, enabling Stored Cross-Site Scripting. Impact: authenticated attackers with Author-level acc...

CVSS 6.4 | AI score 6 | EPSS 0.00181
Exploits: 0 | References: 3
CVE
added 2026/06/02 1:15 a.m. | 20 views

CVE-2026-10559

CVE-2026-10559 affects SourceCodester Pizzafy Ecommerce System 1.0. The flaw is a file inclusion vulnerability in an unknown function of /index.php triggered by manipulation of the page argument, exploitable remotely. The exploit has been published. Per the sources, CVSS metrics indicate a MEDIU...

CVSS 6.5 | AI score 6.3 | EPSS 0.00227
Exploits: 0 | References: 6
CVE
added 2026/06/02 1:0 a.m. | 19 views

CVE-2026-10558

SourceCodester Pizzafy Ecommerce System 1.0 has a remote file inclusion in /admin/index.php caused by manipulating the page parameter. The vulnerability affects an unknown function and can be exploited remotely; the exploit is publicly available. CVSS metrics in the sources show MEDIUM severity (...

CVSS 6.5 | AI score 6.4 | EPSS 0.00227
Exploits: 0 | References: 6
CVE
added 2026/06/02 12:45 a.m. | 20 views

CVE-2026-10550

Summary of CVE-2026-10550 (elunez eladmin): Affects eladmin up to 2.7; the vulnerability targets the Application Deployment Module, specifically the App.java component. The issue arises from manipulating the uploadPath argument, enabling command injection and remote code execution. Public exploi...

CVSS 6.5 | AI score 6.3 | EPSS 0.01067
Exploits: 0 | References: 6
CVE
added 2026/06/02 12:30 a.m. | 38 views

CVE-2026-10548

CVE-2026-10548 affects NousResearch hermes-agent (up to 2026.4.23) in the Credential Pool Synchronization area. The flaw resides in the function _sync_anthropic_entry_from_credentials_file within agent/credential_pool.py and leads to improper authentication. Attack requires local access; exploita...

CVSS 5.3 | AI score 5.6 | EPSS 0.0014
Exploits: 0 | References: 5
CVE
added 2026/06/02 12:15 a.m. | 17 views

CVE-2026-10529

Affected software: westboy CicadasCMS (Task Scheduling Management Module). Vulnerable component: ScheduleJobController.java (src/main/java/com/zhiliao/module/web/system/ScheduleJobController.java). Issue: cross-site scripting via manipulation of an unknown function; can be executed remotely. Publ...

CVSS 4.8 | AI score 4.1 | EPSS 0.0021
Exploits: 0 | References: 6
CVE
added 2026/06/02 12:0 a.m. | 25 views

CVE-2026-10528

Orthanc DICOM Server (

CVSS 4.8 | AI score 5.8 | EPSS 0.00124
Exploits: 0 | References: 8
CVE
added 2026/06/02 12:0 a.m. | 20 views

CVE-2026-38967

CVE-2026-38967 affects CrowCpp Crow through v1.3.1 HTTP and is caused by unvalidated response header values, leading to response header injection. The vulnerability has a CVSS v3.1 score of 9.8 (CRITICAL) with network attack vector, no user interaction, and impacts on confidentiality, integrity, ...

CVSS 9.8 | AI score 5.8 | EPSS 0.00332
Exploits: 0 | References: 2
CVE
added 2026/06/02 12:0 a.m. | 33 views

CVE-2026-242237

NVIDIA NVTabular is affected by CVE-2026-24237 through improper deserialization of untrusted data, allowing potential code execution, data tampering, information disclosure, and denial of service. The security bulletin states the issue impacts all versions from 0.0 to 5dd11f4 and is addressed by ...

Exploits: 0
CVE
added 2026/06/02 12:0 a.m. | 17 views

CVE-2026-48682

CVE-2026-48682 affects FastNetMon Community Edition up to 1.2.9. Multiple sources (NVD, Red Hat, Ubuntu OSVs, Debian tracker, Tenable) describe an out-of-bounds read in the IPv4 packet parser. After validating at least 20 bytes of an IPv4 header, the code advances by 4 × IHL without validating th...

CVSS 5.9 | AI score 5.9 | EPSS 0.00267
Exploits: 0 | References: 3
CVE
added 2026/06/02 12:0 a.m. | 16 views

CVE-2026-44019

Docling-Core contains a critical path-traversal vulnerability (CVE-2026-44019) in which insufficient input sanitization when processing specific documents allows remote attackers to read arbitrary host files, potentially leading to data exfiltration. The PT-Security entry PT-2026-45850 flags this...

EPSS 0.0004
Exploits: 0
CVE
added 2026/06/02 12:0 a.m. | 20 views

CVE-2026-38978

Transmission 4.1.1 and earlier is affected by a clickjacking weakness in its browser-facing WebUI and RPC response paths. The CVE entry CVE-2026-38978 records a MEDIUM severity with CVSS v3.1 metrics: AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N, base score 5.3. Connected sources confirm vulnerable compon...

CVSS 5.3 | AI score 5.8 | EPSS 0.00305
Exploits: 0 | References: 3
CVE
added 2026/06/02 12:0 a.m. | 9 views

CVE-2026-26847

Summary: PT-2026-45765 documents a critical vulnerability chain in the Collibra Platform Agent (CP/CPSH): improper authentication allows access to unauthenticated REST endpoints, then path traversal via a crafted ZIP upload leads to arbitrary file write and remote code execution on the host. Expo...

Exploits: 0
CVE
added 2026/06/02 12:0 a.m. | 13 views

CVE-2026-33553

CFEngine Enterprise vulnerable in 3.24.3 prior to 3.24.4 and 3.27.0 prior to 3.27.1; status: exposes cross‑site scripting (XSS). Upgrade to 3.24.4 or 3.27.1 to fix.

CVSS 6.1 | AI score 5.8 | EPSS 0.00166
Exploits: 0 | References: 2
CVE
added 2026/06/02 12:0 a.m. | 18 views

CVE-2026-30649

CVE-2026-30649 reports a Buffer Overflow in VIVOTEK INC FD8136-VVTK-0300a, exploitable remotely via the set_getparam.cgi component. This vulnerability could allow an attacker to execute arbitrary code on affected devices. The CVE records list the vulnerable product (FD8136-VVTK-0300a) and the aff...

CVSS 7.3 | AI score 6.2 | EPSS 0.00427
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 12:0 a.m. | 18 views

CVE-2026-30650

Vivotek FD8136 cameras (firmware FD8136-VVTK-0300a) expose a post-authentication remote buffer overflow in the /cgi-bin/admin/eventtask.cgi endpoint. An authenticated attacker can remotely execute arbitrary code with root privileges. The issue is characterized by CVE-2026-30650 with a high impact...

CVSS 8.8 | AI score 6.4 | EPSS 0.00692
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 12:0 a.m. | 16 views

CVE-2026-35716

CVE-2026-35716 describes a stack-based buffer overflow in the motion_privacy.cgi binary of VIVOTEK FD8136 firmware (FD8136-VVTK-0300a). The issue occurs when an oversized n1 parameter in a POST request to endpoints /cgi-bin/admin/setpm.cgi, /cgi-bin/admin/setmd.cgi, or /cgi-bin/admin/setmd_profil...

CVSS 6.3 | AI score 6.5 | EPSS 0.00365
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 12:0 a.m. | 20 views

CVE-2026-35717

CVE-2026-35717 affects VIVOTEK FD8136 firmware FD8136-VVTK-0300a, specifically the export_language.cgi endpoint. The vulnerability is a stack-based buffer overflow where the handler passes the attacker-controlled Content-Length value directly to fread() as the read size into a fixed-size 0x60-byt...

CVSS 6.3 | AI score 6.5 | EPSS 0.00296
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 12:0 a.m. | 19 views

CVE-2026-30586

This CVE concerns Cross Site Scripting in the open-source project usememos Memos v0.26.0. The vulnerability affects the memo rendering path and related views (SANITIZE_SCHEMA, Memo Rendering Component, and Public/Private Memo View pages). Root cause details are not explicitly provided beyond the ...

CVSS 6.1 | AI score 5.8 | EPSS 0.00224
Exploits: 0 | References: 2
CVE
added 2026/06/02 12:0 a.m. | 13 views

CVE-2026-30652

Affected product: Vivotek FD8136 cameras running firmware FD8136-VVTK-0300a. Vulnerable component: admin interface endpoint /cgi-bin/dido/setdo.cgi. Root cause: remote buffer overflow allowing an authenticated attacker to execute arbitrary code as root. Impact: high (remote code execution). Explo...

CVSS 8.8 | AI score 6.4 | EPSS 0.00604
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/02 12:0 a.m. | 17 views

CVE-2026-35718

Summary: CVE-2026-35718 is a path traversal vulnerability in the /admin/downloadMedias.cgi endpoint of VIVOTEK FD8136-VVTK firmware 0300a. Affected component: firmware running on VIVOTEK FD8136-VVTK. Root cause: crafted requests allow traversal to read arbitrary files due to improper input handli...

CVSS 6.5 | AI score 5.8 | EPSS 0.00741
Exploits: 0 | References: 2 | Affected Software: 1
CVE
added 2026/06/01 11:45 p.m. | 20 views

CVE-2026-10514

CVE-2026-10514 affects 1Panel-dev CordysCRM versions up to 1.6.2. The vulnerability targets an unknown function in backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java, enabling cross-site scripting. Remote exploitation is possible, and the exploit has been disclosed publi...

CVSS 4.8 | AI score 4.1 | EPSS 0.00251
Exploits: 0 | References: 9
CVE
added 2026/06/01 11:30 p.m. | 19 views

CVE-2026-10302

The CVE-2026-10302 entry concerns itsourcecode Fees Management System 1.0. The vulnerability lies in an unknown function within the file /manage_fee.php, where manipulating the ID parameter can lead to SQL injection. This allows remote exploitation, and the exploit has been published. The CVSS me...

CVSS 6.5 | AI score 5.7 | EPSS 0.002
Exploits: 0 | References: 6
CVE
added 2026/06/01 11:28 p.m. | 28 views

CVE-2026-9048

The Slider Revolution WordPress plugin is affected (versions 7.0.0–7.0.14). The vulnerability arises in the slider.get.full AJAX action, enabling authenticated attackers with Contributor-level access and higher to expose sensitive data stored in slider settings. Exposed data includes raw social m...

CVSS 4.3 | AI score 5.8 | EPSS 0.00163
Exploits: 0 | References: 2
CVE
added 2026/06/01 11:28 p.m. | 43 views

CVE-2026-9050

The CVE-2026-9050 entry concerns the Slider Revolution WordPress plugin. Affected versions are 6.0.0–6.7.55 and 7.0.0–7.0.14. The root cause is improper verification of user authorization, allowing authenticated attackers with Contributor-level access or higher to perform actions they should not ...

CVSS 4.3 | AI score 5.8 | EPSS 0.00153
Exploits: 0 | References: 2
CVE
added 2026/06/01 11:15 p.m. | 15 views

CVE-2026-10301

The CVE-2026-10301 entry concerns itsourcecode Fees Management System 1.0. The vulnerability is in an unknown function of index.php, where manipulating the argument page leads to cross-site scripting. The attack vector is remote, and exploitation is public. The available metrics indicate a mix of...

CVSS 5.3 | AI score 4.3 | EPSS 0.00273
Exploits: 0 | References: 6
CVE
added 2026/06/01 11:0 p.m. | 31 views

CVE-2026-10300

SGLang 0.5.10.post1 contains a vulnerability in the Inference HTTP Endpoint, specifically in python/sglang/srt/lora/lora_manager.py where manipulation of the lora_path argument can trigger a reachable assertion. The issue is exposed over the network with high attack complexity and no authenticati...

CVSS 6.3 | AI score 5.2 | EPSS 0.00368
Exploits: 0 | References: 6
CVE
added 2026/06/01 10:45 p.m. | 17 views

CVE-2026-10299

The CVE affects code-projects Online Hospital Management System 1.0. A flaw in viewdoctortimings.php allows manipulation of the delid parameter, leading to improper control of resource identifiers (an IDOR-like issue) that can be exploited remotely. The exploit is publicly available. The descript...

CVSS 5.1 | AI score 5.6 | EPSS 0.00274
Exploits: 0 | References: 6
CVE
added 2026/06/01 10:30 p.m. | 71 views

CVE-2026-10298

CVE-2026-10298 affects ggml-org whisper.cpp up to 1.8.2. The issue is in whisper_model_load (ggml/src/ggml.c) and causes a null pointer dereference. Exploitation requires local access; a public exploit exists. The project was informed via an issue but has not responded.

CVSS 4.8 | AI score 5.4 | EPSS 0.00112
Exploits: 0 | References: 6
CVE
added 2026/06/01 10:27 p.m. | 24 views

CVE-2026-25879

Langroid's CVE-2026-25879 affects the Langroid framework (SQLChatAgent) prior to v0.63.0. An attacker who can shape input to the agent can cause LLM-provided SQL to execute dialect-specific primitives such as COPY ... FROM PROGRAM, enabling Remote Code Execution on the database host when the data...

CVSS 9.8 | AI score 6.3 | EPSS 0.00409
Exploits: 0 | References: 1
CVE
added 2026/06/01 10:24 p.m. | 16 views

CVE-2026-28511

CVE-2026-28511 affects eLabFTW. Before version 5.4.2, an authenticated user performing a numeric reference/search could receive results that include resources the user is not authorized to view. The exposed data is limited to resource titles; attempts to access the underlying protected content re...

CVSS 4.3 | AI score 5.8 | EPSS 0.00186
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2026/06/01 10:15 p.m. | 21 views

CVE-2026-10297

The CVE-2026-10297 entry concerns itsourcecode Fees Management System 1.0. An SQL injection vulnerability exists in an unknown area of /manage_course.php triggered by manipulating the ID parameter. The issue allows remote initiation and is accompanied by a publicly available exploit. No vendor na...

CVSS 6.5 | AI score 5.7 | EPSS 0.002
Exploits: 0 | References: 6
CVE
added 2026/06/01 10:5 p.m. | 37 views

CVE-2026-25277

CVE-2026-25277 involves a memory corruption issue in Strongbox caused by a buffer overflow. The connected records confirm the vulnerability is triggered locally with low privileges and no user interaction, leading to high impact on confidentiality, integrity, and availability. Specific affected p...

CVSS 8.8 | AI score 6.2 | EPSS 0.00074
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2026/06/01 10:5 p.m. | 36 views

CVE-2026-25276

CVE-2026-25276 affects Strongbox and causes memory corruption due to a missing bounds check. CVSS v3.1: 8.8 (HIGH); Attack Vector: LOCAL, Attack Complexity: LOW, Privileges Required: LOW, User Interaction: NONE, Scope: CHANGED; Impact: Confidentiality, Integrity, and Availability HIGH. Exploitati...

CVSS 8.8 | AI score 5.8 | EPSS 0.00075
Exploits: 0 | References: 1 | Affected Software: 1
CVE
added 2026/06/01 10:5 p.m. | 29 views

CVE-2026-25260

CVE-2026-25260 describes a memory corruption vulnerability in Qualcomm components caused by accessing shared buffers without validating concurrent user-mode input modifications. The NVD entry lists CVSS v3.1: 7.8 (HIGH) with LOCAL attack vector, low complexity, and low privileges required, with n...

CVSS 7.8 | AI score 5.8 | EPSS 0.00052
Exploits: 0 | References: 1 | Affected Software: 1

Total number of security vulnerabilities: 366604