EUVD-2026-35188

samlify is a Node.js library for SAML single sign-on. Prior to version 2.13.0, samlify’s template substitution only escapes attribute contexts. Values inserted into element text e.g., are not escaped. A normal user can inject XML markup into an attribute value e.g., email, name and add new elemen...

EUVD-2026-35187

Improper neutralization of triple-quote characters during Python code generation in AgentCore CLI before v0.14.2 might allow an authenticated remote threat actor to execute arbitrary code on AWS AgentCore Runtime under the imported agent's IAM execution role and on the local environment of anothe...

EUVD-2026-35118

Shenzhen Tenda Technology Co., Ltd Tenda FH451 V1.0.0.9 was discovered to contain a stack overflow in the list1 parameter of the fromDhcpListClient function. This vulnerability allows attackers to cause a Denial of Service DoS via a crafted HTTP request...

EUVD-2026-35186

MVT Mobile Verification Toolkit helps with conducting forensics of mobile devices in order to find signs of a potential compromise. Prior to version 2026.5.12, there is a path traversal vulnerability via unsanitized File identifiers in iOS Backup processing. This issue has been patched in version...

EUVD-2026-35185

A security vulnerability has been detected in CodeAstro Payroll System 1.0. The impacted element is an unknown function of the file /homesalary.php. The manipulation of the argument rate/salaryrate leads to sql injection. The attack is possible to be carried out remotely. The exploit has been...

EUVD-2026-35184

Improper neutralization of special elements in the built-in PAM provider password rotation templates in Devolutions Server allows an authenticated user with write access to a vault to execute arbitrary commands on the systems managed by the affected PAM provider. This issue affects : Devolutions...

EUVD-2026-35183

Missing authorization in the deleted user groups API in Devolutions Server allows an authenticated low-privileged user to enumerate metadata of deleted user groups via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server 2026.1.20.0 and earlier...

EUVD-2026-35182

Improper access control in the ticketing integration settings in Devolutions Server allows an authenticated low-privileged user to obtain cleartext credentials for configured ticketing integrations via a crafted API request. This issue affects : Devolutions Server 2026.2.4.0 Devolutions Server...

EUVD-2026-35181

YesWiki is a wiki system written in PHP. Prior to version 4.6.6, an unsafe execution vulnerability exists in the Bazar form field calculator CalcField.php of YesWiki. The application attempts to sanitize user-defined mathematical formulas using a complex recursive regular expression before passin...

EUVD-2026-35180

A weakness has been identified in Tenda F451 1.0.0.7/1.0.0.9. The affected element is the function fromNatlimit of the file /goform/Natlimit of the component Web Management Interface. Executing a manipulation of the argument page can lead to stack-based buffer overflow. The attack can be executed...

EUVD-2026-35179

A security flaw has been discovered in Tenda F451 1.0.0.7/1.0.0.9. Impacted is the function formWriteFacMac of the file /goform/WriteFacMac of the component Web Management Interface. Performing a manipulation of the argument mac results in os command injection. Remote exploitation of the attack i...

EUVD-2026-35178

A vulnerability was identified in D-Link DGS-1100-08PD 1.00.006. This issue affects some unknown processing of the file /etc/boa.conf of the component Web Interface. Such manipulation leads to least privilege violation. The attack may be launched remotely. The attack requires a high level of...

EUVD-2026-35177

A vulnerability was determined in TOTOLINK CP450 4.1.0cu.747. This vulnerability affects unknown code of the file /etc/vsftpd.conf of the component vsftpd. This manipulation causes least privilege violation. The attack may be initiated remotely. The exploit has been publicly disclosed and may be...

EUVD-2026-35176

A command Injection vulnerability exists in the WireGuard client configuration of Archer MR600 v5 due to improper neutralization of user-controlled input within the web management interface. An authenticated attacker with administrative privileges may be able to execute arbitrary commands when...

EUVD-2026-35175

A vulnerability was found in Tenda HG7HG9 and HG10 300001138enxpon. This affects the function formPPPEdit of the file /boaform/formPPPEdit. The manipulation of the argument encodename results in stack-based buffer overflow. The attack can be launched remotely. The exploit has been made public and...

EUVD-2026-35174

A vulnerability has been found in SourceCodester Onlne Examination & Learning Management System and Syllabus-aligned Learning Management and Examination System 1.0. Affected by this issue is some unknown functionality of the file importusers.php. The manipulation of the argument rawpassword with...

EUVD-2026-35139

fabric-chaincode-java is a Java based implementation of Hyperledger Fabric chaincode shim APIs. From version 2.3.1 to before version 2.5.10, when chaincode is deployed in chaincode-as-a-service mode with TLS enabled, the chaincode server INFO level logging includes the TLS private key password in...

EUVD-2026-35138

OpenBullet2 through version 0.3.2 contains an authentication bypass vulnerability in the API key authentication middleware that allows unauthenticated attackers to gain admin access by supplying an empty X-Api-Key header value. Attackers can exploit the middleware's comparison of the supplied...

EUVD-2026-35137

OpenBullet2 through version 0.3.2 contains a path traversal vulnerability in the wordlist endpoint that allows authenticated attackers to perform arbitrary file read, write, and delete operations by supplying unsanitized absolute paths to the upload handler and wordlist functions. Attackers can...

EUVD-2026-35136

OpenMetadata is a unified metadata platform. Prior to version 1.12.4, a non-admin SSO user can trigger a TESTCONNECTION workflow for a Database Service and receive, in the HTTP 201 response of POST /api/v1/automations/workflows, both the cleartext database password in...

EUVD-2026-35135

OpenBullet2 through version 0.3.2 contains an authenticated remote code execution vulnerability that allows authenticated users to execute arbitrary C code on the server host by creating or modifying job configurations. Attackers can leverage the plain C execution mode, which lacks reference...

EUVD-2026-35134

OpenBullet2 through version 0.3.2 contains a remote code execution vulnerability that allows authenticated users to execute arbitrary commands by uploading script files .bat.ps1.sh through the FileProxySource proxy loading feature. Attackers can upload malicious script files as proxy sources,...

EUVD-2026-35133

OpenBullet2 through version 0.3.2 on Windows contains a credential disclosure vulnerability that allows remote attackers to capture the NTLMv2 hash of the process user by configuring a job proxy source with a UNC path pointing to an attacker-controlled server. When the job starts, the application...

EUVD-2026-35132

A vulnerability was detected in imvks786 studentmanagementsystem up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this issue is some unknown functionality of the file /add.php. The manipulation of the argument name/address/fname results in cross site scripting. It is possible to launch...

EUVD-2026-35131

Improper Neutralization of CRLF Sequences in HTTP Headers 'HTTP Request/Response Splitting' vulnerability in ninenines cowlib allows HTTP response splitting via non-VCHAR bytes in structured-fields string values. cowhttpstructhd:escapestring/2 in cowlib only escapes \ and ", passing all other byt...

EUVD-2026-35130

A security vulnerability has been detected in imvks786 studentmanagementsystem up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected by this vulnerability is an unknown functionality of the file /see.php of the component Student Deletion Endpoint. The manipulation of the argument del leads to...

EUVD-2026-35129

A flaw was found in 389 Directory Server. The Content Synchronization persistent search plugin allows unbounded memory growth when an authenticated client stops reading sync responses, enabling denial of service. Additional race conditions in plugin thread lifecycle can cause crashes during...

EUVD-2026-35128

STACKIT IaaS API contains a missing authorization check vulnerability that allows authenticated, low-privileged attackers to escalate privileges to full organization compromise by attaching arbitrary service accounts to virtual machines they control. Attackers can exploit the unvalidated PUT...

EUVD-2026-35127

A weakness has been identified in imvks786 studentmanagementsystem up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. Affected is an unknown function of the file /add.php of the component Student Record Handler. Executing a manipulation can lead to improper access controls. The attack may be perform...

EUVD-2026-35126

AdGuard Home, when started with the --glinet flag, contains an authentication bypass vulnerability that allows unauthenticated attackers to gain full admin access by supplying a path traversal sequence in the Admin-Token cookie, exploiting unsanitized string concatenation in the token file path...

EUVD-2026-35125

A security flaw has been discovered in imvks786 studentmanagementsystem up to 9599b560ad3c3b83e75d328b76bedcd489ef1f46. This impacts an unknown function of the file admin/adminlogin.php of the component Administrator Login Endpoint. Performing a manipulation of the argument ausr/apwd results in s...

EUVD-2026-35124

In the Linux kernel, the following vulnerability has been resolved: drm/v3d: Reject empty multisync extension to prevent infinite loop v3dgetextensions walks a userspace-provided singly-linked list of ioctl extensions without any bound on the chain length. A local user can craft a self-referentia...

EUVD-2026-35123

In the Linux kernel, the following vulnerability has been resolved: media: intel/ipu6: fix error pointer dereference In a error path isp-psys is confirmed to be an error pointer not NULL so this condition is true and the error pointer is dereferenced. So isp-psys should be set to NULL before goin...

EUVD-2026-35122

In the Linux kernel, the following vulnerability has been resolved: media: videobuf2: Set vmaflags in vb2dmasgmmap vb2dmacontig sets VMA flags VMDONTEXPAND and VMDONTDUMP and I do not see a reason why vb2dmasg should behave differently. This avoids hitting WARNON!vma-vmflags & VMDONTEXPAND; in...

EUVD-2026-35121

In the Linux kernel, the following vulnerability has been resolved: drm/amdgpu/userq: fix access to stale wptr mapping Use drmexec to take both locks i.e vm root bo and wptrobj bo to access the mapping data properly. This fixes the security issue of unmap the wptrobj while a queue creation is in...

EUVD-2026-35120

In the Linux kernel, the following vulnerability has been resolved: media: renesas: vsp1: Fix NULL pointer deref on module unload When unloading the module on gen 4, we hit a NULL pointer dereference. This is caused by the cleanup code calling vsp1drmcleanup where it should be calling...

EUVD-2026-35119

In the Linux kernel, the following vulnerability has been resolved: drm/xe/uapi: Reject cohnone PAT index for CPU cached memory in madvise Add validation in xevmmadviseioctl to reject PAT indices with XECOHNONE coherency mode when applied to CPU cached memory. Using cohnone with CPU cached buffer...

EUVD-2026-35173

In the Linux kernel, the following vulnerability has been resolved: pmdomain: mediatek: fix use-after-free in scpsysgetbusprotectionlegacy In scpsysgetbusprotectionlegacy, offindnodewithproperty returns a device node with its reference count incremented. The function then calls ofnodeputnode befo...

EUVD-2026-35172

In the Linux kernel, the following vulnerability has been resolved: wifi: ath5k: do not access array OOB Vincent reports: The ath5k driver seems to do an array-index-out-of-bounds access as shown by the UBSAN kernel message: UBSAN: array-index-out-of-bounds in...

EUVD-2026-35171

In the Linux kernel, the following vulnerability has been resolved: flowdissector: do not dissect PPPoE PFC frames RFC 2516 Section 7 states that Protocol Field Compression PFC is NOT RECOMMENDED for PPPoE. In practice, pppd does not support negotiating PFC for PPPoE sessions, and the flow...

EUVD-2026-35170

In the Linux kernel, the following vulnerability has been resolved: staging: rtl8723bs: osdep: avoid NULL pointer dereference in rtwcbufalloc The return value of kzallocflex is used without ensuring that the allocation succeeded, and the pointer is dereferenced unconditionally. Guard the access t...

EUVD-2026-35169

In the Linux kernel, the following vulnerability has been resolved: nvmet: avoid recursive nvmet-wq flush in nvmetctrlfree nvmettcpreleasequeuework runs on nvmet-wq and can drop the final controller reference through nvmetcqput. If that triggers nvmetctrlfree, the teardown path flushes...

EUVD-2026-35168

In the Linux kernel, the following vulnerability has been resolved: isofs: validate Rock Ridge CE continuation extent against volume size rockcontinue reads rs-contextent verbatim from the Rock Ridge CE record and passes it to sbbread without checking that the block number is within the mounted I...

EUVD-2026-35167

In the Linux kernel, the following vulnerability has been resolved: selinux: allow multiple opens of /sys/fs/selinux/policy Currently there can only be a single open of /sys/fs/selinux/policy at any time. This allows any process to block any other process from reading the kernel policy. The...

EUVD-2026-35166

In the Linux kernel, the following vulnerability has been resolved: spi: topcliff-pch: fix use-after-free on unbind Give the driver a chance to flush its queue before releasing the DMA buffers on driver unbind...

EUVD-2026-35165

In the Linux kernel, the following vulnerability has been resolved: hfsplus: fix held lock freed on hfsplusfillsuper hfsplusfillsuper calls hfsfindinit to initialize a search structure, which acquires tree-treelock. If the subsequent call to hfspluscatbuildkey fails, the function jumps to the...

EUVD-2026-35164

In the Linux kernel, the following vulnerability has been resolved: pseries/papr-hvpipe: Fix race with interrupt handler While executing -ioctl handler or -release handler, if an interrupt fires on the same cpu, then we can enter into a deadlock. This patch fixes both these handlers to take...

EUVD-2026-35163

In the Linux kernel, the following vulnerability has been resolved: net: libwx: use requestirq for VF misc interrupt Currently, requestthreadedirq is used with a primary handler but a NULL threaded handler, while also setting the IRQFONESHOT flag. This specific combination triggers a WARNING sinc...

EUVD-2026-35162

In the Linux kernel, the following vulnerability has been resolved: spi: s3c64xx: fix NULL-deref on driver unbind A change moving DMA channel allocation from probe back to s3c64xxspipreparetransfer failed to remove the corresponding deallocation from remove. Drop the bogus DMA channel release fro...

EUVD-2026-35161

In the Linux kernel, the following vulnerability has been resolved: KVM: x86: Do IRR scan in kvmapicupdateirr even if PIR is empty Fall back to apicfindhighestvector when PID.ON is set but PIR turns out to be empty, to correctly report the highest pending interrupt from the existing IRR. In a...