CVE-2026-50100

CVE-2026-50100 concerns privilege-escalation in printer drivers from Ricoh Company, Ltd. and KONICA MINOLTA JAPAN, INC. Affected software consists of multiple printer drivers; exploitation would allow an attacker who can log in to a host running an affected driver to elevate privileges by using a...

CVE-2026-9278

The CVE-2026-9278 entry concerns the Form Builder CP WordPress plugin prior to 1.2.47. Affected component: form_structure value handling in the plugin’s form configuration. Root cause: improper sanitization before storing and using the value in a client-side script, enabling Stored XSS. Impact: a...

CVE-2026-8386

WP Go Maps for WordPress is affected up to version 10.0.9. The vulnerability arises because the public single-marker REST endpoint does not filter by approval state, enabling unauthenticated users to fetch marker records that administrators have not approved for public display. Exposed data may i...

CVE-2026-8935

The CVE concerns the WP MAPS PRO WordPress plugin prior to version 6.1.1. The vulnerability arises from an unauthenticated AJAX action that, when a valid nonce (publicly emitted on frontend pages enqueuing the map script) is supplied, unconditionally creates an administrator account and returns a...

CVE-2026-8385

The CVE-2026-8385 entry concerns the WP Go Maps WordPress plugin, specifically versions prior to 10.0.10. The vulnerability arises from improper enforcement of the marker approval filter on the admin-ajax fallback for the plugin’s datatables route, allowing unauthenticated visitors to access mark...

CVE-2026-12223

The CVE affects Yealink SIP-T46U with firmware 108.86.0.118, specifically the Web FastCGI Service component. The vulnerability lies in the mod_webd.TFTPUploadIperf function within /api/inner/tftpuploadiperf, where manipulating the ip/port argument leads to command injection. Exploitation is descr...

CVE-2026-12222

CVE-2026-12222 affects Yealink SIP-T46U (firmware 108.86.0.118) via the Web FastCGI Service: function mod_webd.BlueToothTest in /api/inner/bttest, where manipulating btMac/pin/reserved can trigger a stack-based overflow. Exploitation reportedly public and feasible within a local network; vendor d...

CVE-2026-12221

Yealink SIP-T46U (version 108.86.0.118) is affected by a stack-based buffer overflow in the Firmware Chunk Upload Handler, caused by a faulty sprintf in /api/upgrade/upgrade when manipulating uid/start_offset. Exploitation requires local-network access; the exploit is publicly available. No remed...

CVE-2026-12220

A vulnerability exists in Yealink SIP-T46U firmware 108.86.0.118 affecting the mod_upgrade.SparePartsUpload handler in /api/upgrade/accupgradebychunk. Manipulating the uid argument can cause a stack-based buffer overflow. Exploitation is described as local-network only, with public disclosure and...

CVE-2026-12219

CVE-2026-12219 concerns Yealink SIP-T46U (108.86.0.118) involving the Web FastCGI Service. The vulnerable element is the function mod_diagnose.CommandShellByType in /api/diagnosis/start, where manipulating the Time argument leads to command injection. The flaw enables a remote attacker to execute...

CVE-2026-12218

The CVE-2026-12218 entry concerns Yealink SIP-T46U (firmware version 108.87.50.1) with a vulnerability in Web FastCGI Service, affecting the function StartReportInformation in /api/inner/beforewifitest. The issue is triggered by manipulating the port argument, causing a stack-based buffer overflo...

CVE-2026-12217

DVDFab Virtual Drive 2.0.0.5 is affected by a local privilege escalation in the Signed Kernel Driver (dvdfabio.sys). The vulnerability concerns an unknown function within the driver library that leads to improper privilege management. Attacks require local access; the exploit has been publicly di...

CVE-2026-12216

The CVE-2026-12216 entry concerns svaarala duktape up to 2.99.99. The vulnerability occurs in duk_api_bytecode.c and is triggered by manipulating the argument count_instr, leading to memory corruption. Exploitation requires local access, and a public exploit/public disclosure has been made. No re...

CVE-2026-12214

Qihoo 360 Total Security 6.0 contains a vulnerability in the RpcStringBindingComposeW function within the Nucleus Engine Monitoring Logic. Manipulating the NetworkAddr argument can cause protection mechanism failure, allowing a local attacker to exploit the issue. The exploit is publicly availabl...

CVE-2026-12213

The CVE-2026-12213 entry describes a vulnerability in hcengineering Huly Platform (

CVE-2026-12212

The CVE concerns hcengineering Huly Platform (up to v0.7.0). It affects the RPC Interface component, specifically the getMailboxSecret function in server/account/src/operations.ts. The issue is an improper access control vulnerability that could be triggered remotely. Public disclosure of the exp...

CVE-2026-12211

Intelbras iNVU 7016 FT (3.004.00IB000.0.T, build 2025-09-26) Web Interface contains a path traversal vulnerability in the /RPC2_Loadfile/syslog/ function. The flaw can be exploited remotely to manipulate files; exploit code has been published. A fixed version has been released by the vendor and u...

CVE-2026-12210

CVE-2026-12210 affects the universal-tool-calling-protocol project, specifically the python-utcp 1.1.0 release, with a vulnerability in the utcp-gql/utcp-websocket component that enables server-side request forgery. The description notes a remote, public exploit and a lack of vendor response. The...

CVE-2026-12209

Technical details are not publicly available in the provided documents; monitor for updates.

CVE-2026-12208

CVE-2026-12208 affects the jsonata-js package (up to 2.2.0) in the Function Binding Frame System. The vulnerability is in the function createFrame (src/jsonata.js) where an attacker can perform a prototype pollution attack by manipulating object prototype attributes. This can be triggered remotel...

CVE-2026-12207

The CVE concerns medkey-org medkey HTTP REST API (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed). The vulnerability lies in the actionGetPatientById function of app/modules/medical/port/rest/controllers/PatientController.php, where manipulating the ID argument leads to improper control of...

CVE-2026-12206

Grit42 Grit (up to 0.11.0) contains a SQL injection in Grit::Assays::DataTableEntity (modules/assays/backend/app/models/grit/assays/data_table_entity.rb). The issue can be exploited remotely; a publicly available exploit exists. The vendor was contacted but did not respond. No remediation or vers...

CVE-2026-53533

Technical details for CVE-2026-53533 are not publicly available in the provided documents. The SUSE page lists the CVE but does not reveal affected products, impact, or remediation. Monitor for updates.

CVE-2026-12204

Summary : CVE-2026-12204 affects ShopXO up to version 6.7.1. The vulnerability resides in the Scheduled Task Endpoint, notably the file app/api/controller/Crontab.php, affecting functions OrderClose, OrderSuccess, PayLogOrderClose, and GoodsGiveIntegral. The issue allows remote manipulation that ...

CVE-2026-12203

HKUDS AI-Trader (up to commit 74caf996f78dcc0c657df8365c8544678a16e215) contains an information disclosure vulnerability in the Research Export component, affecting an unknown part of the /api/research/agents.csv endpoint. Manipulation of that endpoint can disclose information and is exploitable ...

CVE-2026-12202

Intelliants Subrion CMS (up to 4.0.3) is affected via the Blocks Endpoint, where manipulating the CSS class name can trigger cross-site scripting. The issue is exploitable remotely and a public exploit exists. Vendor did not respond to disclosure. Based on linked CVSS data, the impact is limited ...

CVE-2026-12201

CVE-2026-12201 affects IObit Malware Fighter (up to 13.2.0) via an unknown functionality in the DLL Handler component, where manipulation leads to permission issues. The flaw enables a local attacker with access to the system to trigger the vulnerability; an exploit has been published. The docume...

CVE-2026-12200

Ritlabs TinyWeb Server (Windows, up to v1.94) is affected by a stack-based buffer overflow in the Header Handler’s libeay32.dll.html component. The vulnerability is triggered by manipulating the Authorization argument, allowing remote exploitation. An exploit has been disclosed publicly, and the ...

CVE-2026-12198

CVE-2026-12198 affects Microweber up to 2.0.20. The vulnerability is in the API Endpoint file /api_nosession/thumbnail_img, specifically the function userfiles_path, where manipulating the argument cache_path_relative can cause a path traversal. It is possible to launch the attack remotely, and p...

CVE-2026-45388

CVE-2026-45388 affects OCaml-TLS before 2.1.0. The TLS 1.3 client path in handshake_client13.ml did not wire into validate_keyusage, allowing a certificate issued for non-server purposes (e.g., clientAuth, codeSigning, emailProtection) to impersonate a TLS server if the EKU/KeyUsage restrictions ...

CVE-2026-50889

CVE-2026-50889 references an input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 that enables Denial of Service (DoS) when a crafted refresh-token header is sent. The connected sources consistently describe the same vulnerability in LLDAP 0.6.2’s refresh-token handling, but do n...

CVE-2025-55644

CVE-2025-55644 describes a heap use-after-free in the function gf_node_get_tag located in scenegraph/base_scenegraph.c of GPAC MP4Box v2.4. The vulnerability allows a Denial of Service (DoS) when processing a crafted MP4 file, with a local attack vector and user interaction required per the CVSS ...

CVE-2025-55643

CVE-2025-55643 describes a NULL pointer dereference in the TrackWriter handling component (filters/mux_isom.c) of GPAC MP4Box v2.4. This defect can be triggered by processing a crafted MP4 file and leads to a Denial of Service. The issue is reported across multiple feeds (NVD, Debian/Ubuntu OSV e...

CVE-2025-55642

GPAC MP4Box v2.4 contains a floating point exception in avidmx_process (isomedia/isom_write.c) per CVE-2025-55642. Affected component: GPAC MP4Box 2.4. Reported impact: runtime crash due to FP exception. Connected sources confirm the flaw and CVE mapping; remediation status is not provided in the...

CVE-2025-56814

CVE-2025-56814 affects OpenCPN v5.12.0, where the wxExecute() function is vulnerable to code injection via embedded shell metacharacters. The underlying issue is a vector that allows arbitrary code execution, with a local attack vector and high impact on confidentiality, integrity, and availabili...

CVE-2026-38329

Bludit CMS is affected pre-3.18.4. The API Plugin's POST /api/files/{key} endpoint in bl-plugins/api/plugin.php fails authorization checks and lacks file extension validation, enabling an attacker with a valid API token to upload a PHP script and execute arbitrary code on the server (Remote Code ...

CVE-2026-36213

The vulnerability CVE-2026-36213 affects Microvirt MEmu Android Emulator (Windows) up to version 9.2.7.0, in the MemuService.exe component. The issue enables local privilege escalation because the MemuSVC service runs with SYSTEM-level privileges while its binary is writable by a local user, allo...

CVE-2026-36933

The CVE-2026-36933 issue affects Boyleep K11 y108 firmware v2.3.0.11291. A physically proximate attacker can execute arbitrary code via the factory test feature. The impact is described as high for confidentiality, integrity, and availability; the root cause is tied to the factory test feature, w...

CVE-2026-50879

The vulnerability CVE-2026-50879 affects Andrei Marcu linx-server v2.3.8, specifically the uploadPostHandler component. A crafted POST request can trigger a Denial of Service (DoS). The connected sources confirm the issue but do not provide exploit details or a remediation patch/version. There is...

CVE-2026-36670

CVE-2026-36670: Time-based blind SQL injection in the OpenSIPS Control Panel (opensips-cp) alias_management module before version 9.3.3. Authenticated attackers can leverage the table parameter in alias_management.php to execute arbitrary SQL. Connected sources confirm the affected component is O...

CVE-2026-30120

CVE-2026-30120 concerns the Remotion project: remotion v4.0.409 has a reported remote code execution (RCE) vulnerability. The NVD/NVD-derived entries and ENISA/EUVD mirrors describe an exploit with a CVSS v3.1 base score of 9.8 (CRITICAL), attack vector NETWORK, no privileges required, no user in...

CVE-2026-39007

Technical details about CVE-2026-39007 are not publicly available in the provided documents. Monitor for updates from vendors and advisories.

CVE-2026-38061

CVE-2026-38061 affects Tenda 5G03 with firmware V05.03.02.04 (Version 1.0). It is a command-injection vulnerability in the function action_set_volume through the volume parameter. The CVSSv3.1 metrics indicate a remote, unauthenticated exploit with high impact to confidentiality, integrity, and a...

CVE-2026-50870

CVE-2026-50870 describes an information-disclosure flaw in the configuration endpoint of Ben Busby’s whoogle-search v1.2.3. The vulnerability is triggered by a crafted GET request against the configuration endpoint, and allows attackers to obtain sensitive information. The available connected doc...

CVE-2025-55641

CVE-2025-55641 describes a NULL pointer dereference in GPAC MP4Box v2.4, specifically in gf_isom_copy_sample_info (isomedia/isom_write.c). The issue allows a crafted MP4 file to trigger a Denial of Service. The available data identifies the vulnerable component and function, and the underlying ca...

CVE-2026-39196

Datadog Vector v0.54.0 contains a SQL injection in the set_uri_query parameter of KeyPartitioner::partition. The vulnerability could allow an attacker to access sensitive database information via crafted SQL statements. Affected component: Vector’s data routing/partition logic (KeyPartitioner::pa...

CVE-2026-38062

Summary: CVE-2026-38062 affects Tenda 5G03 (V05.03.02.04, Version 1.0). The issue is a command injection in the function action_set_rat_mode via the ratMode parameter. Multiple trusted sources (NVD, EUVD, CVE lists, vuln enrichment) describe this vulnerability with the same root cause. The CVSS v...

CVE-2026-38064

Affected product: Tenda 5G03 V05.03.02.04 (Version 1.0). Vulnerability: command injection in the function action_dial_call via the dialNumber parameter. Root cause/detail: not explicitly described beyond the command injection vector; connected sources confirm the same description across EUVD-2026...

CVE-2026-38065

The vulnerability CVE-2026-38065 affects Tenda 5G03 devices running firmware V05.03.02.04 (Version 1.0) . A command injection exists in the function action_ims_on_with_apn via the ims_apn parameter. This is supported by multiple connected sources (NVD, ENISA EUVD, CVE listings) confirming the sam...

CVE-2026-39006

CVE-2026-39006 concerns SNMP4J-Agent 3.8.3 where a remote attacker can execute arbitrary code via the snmp4jCfgStoragePath component. Documented impact is critical (CVSS v3.1: 9.8) with network discovery and no user interaction required; exploitation status is not provided in the supplied sources...