367168 matches found
CVE-2026-16218 hunvreus devpush Storage Reset Failure storage.py reset_storage improper check or handling of exceptional conditions
A vulnerability was detected in hunvreus devpush up to 0.4.6. Affected by this issue is the function resetstorage of the file app/workers/tasks/storage.py of the component Storage Reset Failure Handler. The manipulation results in improper check or handling of exceptional conditions. A high...
CVE-2026-16217 guohongze adminset Delivery Deployment Endpoint deli.py authorization
A security vulnerability has been detected in guohongze adminset up to 0.61. Affected by this vulnerability is an unknown functionality of the file delivery/deli.py of the component Delivery Deployment Endpoint. The manipulation of the argument projectid leads to authorization bypass. It is...
CVE-2026-16216 geex-arts django-jet OAuth cross-site request forgery
A weakness has been identified in geex-arts django-jet up to 1.0.8. Affected is an unknown function of the component OAuth Handler. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been made available to the public and could...
CVE-2026-16215 geex-arts django-jet OAuth Credential Revoke authorization
A security flaw has been discovered in geex-arts django-jet up to 1.0.8. This impacts an unknown function of the component OAuth Credential Revoke Handler. Performing a manipulation results in missing authorization. The attack is possible to be carried out remotely. The exploit has been released ...
CVE-2026-16214 geex-arts django-jet Dashboard views.py authorization
A vulnerability was identified in geex-arts django-jet up to 1.0.8. This affects an unknown function of the file jet/dashboard/views.py of the component Dashboard Module. Such manipulation leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and...
CVE-2026-16213 Fantomas42 django-blog-zinnia Protected Entry Password entry_protection.py cleartext storage
A security flaw has been discovered in Fantomas42 django-blog-zinnia up to 0.20. Affected by this vulnerability is an unknown functionality of the file zinnia/views/mixins/entryprotection.py of the component Protected Entry Password Handler. The manipulation results in cleartext storage of...
CVE-2026-16212 awesto django-shop Purchase Stock inventory.py race condition
A vulnerability was identified in awesto django-shop up to 1.2.4. Affected is an unknown function of the file shop/models/inventory.py of the component Purchase Stock Handler. The manipulation leads to race condition. The attack is possible to be carried out remotely. The attack is considered to...
CVE-2026-16211 allegro Hostname Allocation assets.py AssetLastHostname.increment_hostname race condition
A vulnerability was determined in allegro up to bcf65b994ef29fb3fc2e10b660e6288723d5209e. This impacts the function AssetLastHostname.incrementhostname of the file src/ralph/assets/models/assets.py of the component Hostname Allocation Handler. Executing a manipulation of the argument counter can...
CVE-2026-16210 newpanjing simpleui AjaxAdmin AJAX Endpoint admin.py self.get_action missing authentication
A vulnerability was found in newpanjing simpleui 2026.01.13. This affects the function self.getaction of the file simpleui/admin.py of the component AjaxAdmin AJAX Endpoint. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. The exploit has...
CVE-2026-16209 Gerapy Project Upload Endpoint views.py missing authentication
A vulnerability has been found in Gerapy up to 0.9.13. The impacted element is an unknown function of the file gerapy/server/core/views.py of the component Project Upload Endpoint. Such manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclos...
CVE-2026-16208 django-tastypie throttle.py CacheDBThrottle race condition
A flaw has been found in django-tastypie up to 0.15.1. The affected element is the function CacheThrottle/CacheDBThrottle of the file tastypie/throttle.py. This manipulation causes race condition. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability...
CVE-2026-16207 django-tastypie authentication.py ApiKeyAuthentication get request method with sensitive query strings
A vulnerability was detected in django-tastypie up to 0.15.1. Impacted is the function ApiKeyAuthentication of the file tastypie/authentication.py. The manipulation results in use of get request method with sensitive query strings. The attack can be launched remotely. This attack is characterized...
CVE-2026-16206 django-oauth django-oauth-toolkit oauth2_validators.py _load_id_token session expiration
A security vulnerability has been detected in django-oauth django-oauth-toolkit 3.3.0. This issue affects the function loadidtoken of the file oauth2provider/oauth2validators.py. The manipulation leads to session expiration. The attack can be initiated remotely. The project was informed of the...
CVE-2026-16205 Pluck CMS Albums albums.admin.php htmlspecialchars_decode cross site scripting
A weakness has been identified in Pluck CMS up to 4.7.21. This vulnerability affects the function htmlspecialcharsdecode of the file data/modules/albums/albums.admin.php of the component Albums Module. Executing a manipulation of the argument Info can lead to cross site scripting. It is possible ...
CVE-2026-16204 zevorn rt-claw Telegram-to-AI Tool Execution Flow script.c tool_run_script_execute code injection
A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This affects the function toolrunscriptexecute of the file claw/services/tools/script.c of the component Telegram-to-AI Tool Execution Flow. Performing a manipulation results in code injection. It is possible to initiate the attac...
CVE-2026-16203 SourceCodester Class and Exam Timetabling System forCYS.php cross site scripting
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /forCYS.php. Such manipulation of the argument course leads to cross site scripting. The attack may be performed from remote. The exploit is...
CVE-2026-16202 SourceCodester Class and Exam Timetabling System CYS.php cross site scripting
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /CYS.php. This manipulation of the argument course causes cross site scripting. The attack is possible to be carried out remotely. The...
CVE-2026-16201 zevorn rt-claw http_request net.c claw_net_post information disclosure
A vulnerability was found in zevorn rt-claw up to 0.2.0. Affected is the function clawnetget/clawnetpost of the file claw/services/tools/net.c of the component httprequest. The manipulation results in information disclosure. The attack can be executed remotely. The exploit has been made public an...
CVE-2026-16200 zevorn rt-claw RPC swarm.c claw_tool_invoke authorization
A vulnerability has been found in zevorn rt-claw up to 0.2.0. This impacts the function clawtoolinvoke of the file claw/services/swarm/swarm.c of the component RPC Handler. The manipulation leads to incorrect authorization. Remote exploitation of the attack is possible. The exploit has been...
CVE-2026-16199 nextlevelbuilder GoClaw credentialed_exec.go ExecTool.Execute improper authorization
A flaw has been found in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This affects the function ExecTool.Execute of the file goclaw/internal/tools/credentialedexec.go. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published...
CVE-2026-16198 Sipeed PicoClaw First Run Setup access_control.go authentication bypass
A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/accesscontrol.go of the component First Run Setup. Performing a manipulation of the argument allowedcidrs results in authentication bypass using alternate...
CVE-2026-16197 Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization
A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched...
CVE-2026-16196 Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery
A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component webfetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made...
CVE-2026-16195 Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization
A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. T...
CVE-2026-10130 QueryWeaver Authentication Bypass via Email Signup Token Issuance for Existing Accounts
QueryWeaver contains an authentication bypass vulnerability that allows unauthenticated attackers to obtain valid session tokens for existing accounts by submitting a signup request with a known victim email address. The signup route unconditionally creates and links a new token to the matching...
CVE-2026-16194 zhayujie CowAgent web_fetch.py WebFetch.execute server-side request forgery
A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/webfetch/webfetch.py. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has...
CVE-2026-16156 SourceCodester Class and Exam Timetabling System forexam.php cross site scripting
A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown part of the file /forexam.php. The manipulation of the argument day results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to...
CVE-2026-16155 SourceCodester Class and Exam Timetabling System schoolyr.php cross site scripting
A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argument sy leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is...
CVE-2026-12228 Stored XSS in Direct Messages via Prompt Sharing in parisneo/lollms
A stored cross-site scripting XSS vulnerability exists in the POST /api/prompts/share endpoint of parisneo/lollms latest version. The endpoint stores attacker-controlled promptcontent into DBDirectMessage.content without server-side sanitization. When a victim opens the direct message DM thread,...
CVE-2026-57857 Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parameter
The Flow Payment plugin for WordPress flow.cl version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the errormessage GET parameter is passed directly to wcaddnotice in flowpayment-fl.php lines 57-58 without...
CVE-2026-16154 SourceCodester Class and Exam Timetabling System edit_room1.php sql injection
A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /editroom1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The...
CVE-2026-16152 SourceCodester Class and Exam Timetabling System edit_rooma.php sql injection
A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /editrooma.php. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public...
CVE-2026-16151 CartoDB carto-api-client filters.ts addFilter prototype pollution
A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly controlled modification of object prototype attributes. The attack can be executed remotely. The project...
CVE-2026-53994 ProFTPD mod_sftp Heap Buffer Overflow via Unsigned Integer Underflow and Size Truncation
ProFTPD modsftp contains a heap-based buffer overflow reachable by an authenticated SFTP user. The fxppacketread function accepts the attacker-supplied 32-bit big-endian SFTP packet length without a minimum sanity check. A value of 0 causes an unsigned subtraction elsewhere in the read path to...
CVE-2026-57848 Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation
Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component reachable to any process on the device via the android.intent.action.SEND intent and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filte...
CVE-2026-16150 RobinHerbots Inputmask Internal Deep Merge Helper extend.js extendAliases prototype pollution
A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of the component Internal Deep Merge Helper. The manipulation results in improperly controlled...
CVE-2026-16133 LiuMengxuan04 MiniCode mcp.ts child_process.spawn command injection
A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function childprocess.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. The attack can be launched remotely. The attack requires a high level of complexity. The exploitatio...
CVE-2026-16131 itsourcecode Hospital Management System prescriptionrecord.php sql injection
A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to...
CVE-2026-16130 nearai ironclaw write_file path_utils.rs validate_path link following
A vulnerability was identified in nearai ironclaw up to 0.29.1. The affected element is the function validatepath of the file src/tools/builtin/pathutils.rs of the component writefile. The manipulation leads to link following. Local access is required to approach this attack. The exploit is...
CVE-2026-16129 princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blacklist
A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction.validatecommand of the file src/safestclaw/actions/shell.py of the component Built-in Web Interface. Such manipulation leads to incomplete blacklist. An attack has to be...
CVE-2026-16128 zevorn rt-claw http_request swarm.c receiver_thread server-side request forgery
A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiverthread of the file claw/services/swarm/swarm.c of the component httprequest. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The...
CVE-2026-16127 zevorn rt-claw http_request tool_net.c claw_net_post server-side request forgery
A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function clawnetget/clawnetpost of the file claw/tools/toolnet.c of the component httprequest. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The...
CVE-2026-16126 zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization
A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handlerpcrequest of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The...
CVE-2026-16125 zevorn rt-claw http_request net.c claw_net_post server-side request forgery
A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function clawnetget/clawnetpost of the file claw/services/tools/net.c of the component httprequest. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely...
CVE-2026-16124 nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery
A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/webshared.go of the component webfetch. Such manipulation leads to server-side request forgery. The attack can be launched remotel...
CVE-2026-16123 nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP authorization
A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/toolsinvoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated...
CVE-2026-16122 nextlevelbuilder GoClaw exec_approval.go matchesAllowlist authorization
A security flaw has been discovered in nextlevelbuilder GoClaw up to 3.13.2. Affected by this vulnerability is the function extractBin/RequestApproval/matchesAllowlist of the file internal/tools/execapproval.go. The manipulation results in incorrect authorization. The exploit has been released to...
CVE-2026-16121 nextlevelbuilder GoClaw exec_approval.go isSafeBin improper authorization
A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/execapproval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be...
CVE-2026-9323 Insecure PRNG and Information Exposure in urwid Web Display Backend
The urwid web display backend urwid/display/web.py generates web session identifiers urwidid in Screen.start by concatenating two random.randrange109 calls that use Python's Mersenne Twister PRNG, which is not cryptographically secure. Each call consumes approximately 30 bits of PRNG state, and t...
CVE-2026-11826 OpenPLC_v3 Heap-Based Buffer Overflow in Modbus Master getData()
OpenPLCv3 contains a heap-based buffer overflow in the getData function in webserver/core/modbusmaster.cpp. getData reads characters between two delimiters into a caller-supplied buffer with no size parameter and no bounds check. In parseConfig the function is invoked with the 100-byte...