161701 matches found
CVE-2026-12814 Comfast CF-WR631AX V3 API Endpoint mbox-config system os command injection
A flaw has been found in Comfast CF-WR631AX V3 up to 2.7.0.8. This issue affects the function system of the file /cgi-bin/mbox-config?section=pingconfig of the component API Endpoint. This manipulation of the argument destination causes os command injection. The attack is possible to be carried o...
CVE-2026-12813 activepieces File URL file.ts handleUrlFile server-side request forgery
A vulnerability was detected in activepieces up to 0.83.0. This vulnerability affects the function handleUrlFile in the library packages/server/engine/src/lib/variables/processors/file.ts of the component File URL Handler. The manipulation results in server-side request forgery. The attack can be...
CVE-2026-12812 Radware Cyber Controller HTML Report Generation HTML injection
A security vulnerability has been detected in Radware Cyber Controller up to 10.11.0. This affects an unknown part of the component HTML Report Generation. The manipulation leads to HTML injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be...
CVE-2026-12811 kortix-ai suna Auth Endpoint page.tsx router.push cross site scripting
A weakness has been identified in kortix-ai suna up to 0.8.38. Affected by this issue is the function router.replace/router.push of the file apps/frontend/src/app/auth/page.tsx of the component Auth Endpoint. Executing a manipulation of the argument returnURL can lead to cross site scripting. The...
CVE-2026-12810 Edimax BR-6478AC V2 POST Request mp command injection
A security flaw has been discovered in Edimax BR-6478AC V2 1.23. Affected by this vulnerability is the function mp of the file /goform/mp of the component POST Request Handler. Performing a manipulation of the argument command results in command injection. The attack may be initiated remotely. Th...
CVE-2026-12809 Edimax BR-6478AC V2 POST Request wiz_5in1_redirect command injection
A vulnerability was identified in Edimax BR-6478AC V2 1.23. Affected is the function wiz5in1redirect of the file /goform/wiz5in1redirect of the component POST Request Handler. Such manipulation of the argument newpass leads to command injection. The attack can be launched remotely. The exploit is...
CVE-2026-12808 Edimax BR-6478AC V2 POST Request stainfo command injection
A vulnerability was determined in Edimax BR-6478AC V2 1.23. This impacts the function stainfo of the file /goform/stainfo of the component POST Request Handler. This manipulation of the argument interface causes command injection. The attack can be initiated remotely. The exploit has been publicl...
CVE-2026-12807 Edimax BR-6478AC V2 POST Request setWAN command injection
A vulnerability was found in Edimax BR-6478AC V2 1.23. This affects the function setWAN of the file /goform/setWAN of the component POST Request Handler. The manipulation of the argument pppUserName/pptpUserName/L2TPUserName results in command injection. It is possible to launch the attack...
CVE-2026-12806 Edimax BR-6478AC V2 POST Request formWlSiteSurvey buffer overflow
A vulnerability has been found in Edimax BR-6478AC V2 1.23. The impacted element is the function formWlSiteSurvey of the file /goform/formWlSiteSurvey of the component POST Request Handler. The manipulation of the argument selSSID leads to buffer overflow. It is possible to initiate the attack...
CVE-2026-12805 OFFIS DCMTK ofxml.cc parseFile heap-based overflow
A flaw has been found in OFFIS DCMTK up to 3.7.0. The affected element is the function XMLNode::parseFile in the library ofstd/libsrc/ofxml.cc. Executing a manipulation can lead to heap-based buffer overflow. The attack may be performed from remote. The exploit has been published and may be used...
CVE-2026-12804 lemonldap-ng SAML Common Domain Cookie Endpoint CDC.pm redirect
A vulnerability was detected in lemonldap-ng up to 2.23.0. Impacted is an unknown function in the library lemonldap-ng-portal/lib/Lemonldap/NG/Portal/CDC.pm of the component SAML Common Domain Cookie Endpoint. Performing a manipulation of the argument url results in open redirect. The attack is...
CVE-2026-56412
libexpat before 2.8.2 does not consider XMLTOKDATACHARS in doCdataSection and thus lacks handler call depth tracking for various calls from within handlers in cases of a policy violation. Thus, a use-after-free can occur. NOTE: this issue exists because of an incomplete fix for CVE-2026-50219...
CVE-2026-56411
xmlwf in libexpat before 2.8.2 has an integer overflow in endDoctypeDecl via NOTATION declarations...
CVE-2026-56410
xmlwf in libexpat before 2.8.2 has an integer overflow in resolveSystemId...
CVE-2026-56409
xmlwf in libexpat before 2.8.2 has an integer overflow for the output filename when -d outputDir is used...
CVE-2026-56408
libexpat before 2.8.2 has an integer overflow in copyString...
CVE-2026-56407
libexpat before 2.8.2 has an integer overflow in doProlog that is related to storeEntityValue and entity textLen...
CVE-2026-56406
libexpat before 2.8.2 has an integer overflow in XMLParseBuffer because it lacked a check that was present in XMLParse...
CVE-2026-56405
libexpat before 2.8.2 has an integer overflow in getAttributeId...
CVE-2026-56404
libexpat before 2.8.2 has an integer overflow in addBinding...
CVE-2026-56403
libexpat before 2.8.2 has an integer overflow in storeAtts...
CVE-2026-56397 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56395 SiYuan - Remote Code Execution via Malicious Bazaar Package Metadata and README
SiYuan before v3.6.1 fails to sanitize package metadata and README content in the Bazaar marketplace, allowing malicious package authors to inject arbitrary HTML and JavaScript. Attackers can achieve remote code execution on any user browsing the Bazaar by embedding XSS payloads in package...
CVE-2026-56396 phpMyFAQ - Privilege Escalation via Missing Authorization in editUser() and updateUserRights()
phpMyFAQ before 4.1.4 contains missing authorization vulnerabilities in editUser and updateUserRights endpoints that allow authenticated administrators to escalate privileges. Non-SuperAdmin users with edituser permission can set issuperadmin flag or grant arbitrary rights to escalate to SuperAdm...
CVE-2026-56394 Craft CMS - Authenticated Path Traversal in assets/icon Extension Parameter
Craft CMS from 4.0.0-RC1 contains an authenticated path traversal vulnerability in the assets/icon endpoint where the extension parameter is not validated before file existence checks. Attackers can bypass extension validation by passing traversal sequences that resolve to existing SVG files,...
CVE-2026-56393 Craft CMS - Multiple Stored Cross-Site Scripting in Settings Names and Field Options
Craft CMS 4.x = 4.0.0-RC1, = 5.0.0-RC1, 5.9.0-beta.1 contain multiple stored cross-site scripting vulnerabilities where settings names and field option labels are rendered without sanitization e.g., via the checkbox.twig template, which used label|raw . An authenticated administrator with...
CVE-2026-56385 Craft CMS - Authorization Bypass in assets/preview-file Endpoint
Craft CMS versions = 5.0.0-RC1, = 4.0.0-RC1, = 4.17.7 contain an authorization bypass in the assets/preview-file endpoint. The action does not enforce per-asset view authorization before returning preview content, allowing an authenticated low-privileged user to supply a controlled assetId for an...
CVE-2026-56384 Craft CMS - Missing Authorization in assets/preview-thumb Endpoint
Craft CMS contains a missing authorization vulnerability in the assets/preview-thumb endpoint. A Control Panel user without permission to view a target private asset can call the endpoint with an attacker-controlled assetId and receive preview HTML containing a signed fallback transform preview...
CVE-2026-56383 Craft CMS - Stored XSS in Table Field via Row Heading Column Type
Craft CMS contains a stored cross-site scripting XSS vulnerability in the editableTable.twig component when using the 'Row Heading' column type. The application fails to sanitize input within row heading default values, allowing an attacker with an administrator account with allowAdminChanges...
CVE-2026-56381 Craft CMS - Stored XSS via User Group Name in User Permissions Page
Craft CMS from version 5.0.0-RC1 contains a stored cross-site scripting vulnerability in the User Permissions page where user group names are rendered without proper HTML escaping. Attackers with admin access can inject arbitrary JavaScript via the user group name field that executes when other...
CVE-2026-56382 Craft CMS - Remote Code Execution via Missing Config Sanitization in FieldsController
Craft CMS composer package craftcms/cms versions = 5.5.0 and = 5.9.13 contain a remote code execution vulnerability in the FieldsController::actionRenderCardPreview method, which passes the fieldLayoutConfig POST parameter directly to Fields::createLayout without calling Component::cleanseConfig...
CVE-2026-56378 ImageMagick - Heap Out-of-Bounds Read in PCD Decoder
ImageMagick before 7.1.2-15 and 6.x before 6.9.13-40 contains a heap out-of-bounds read in the PCD coder's DecodeImage loop. A crafted PCD file can trigger a one-byte heap out-of-bounds read during image decoding, resulting in denial of service and potential disclosure of an adjacent heap byte...
CVE-2026-56367 ImageMagick - Heap Out-of-Bounds Read in PSB RLE Decoding
ImageMagick before 7.1.2-15 and 6.9.x before 6.9.13-40 contains an integer overflow in the PSB PSD v2 RLE decoding path ReadPSDChannelRLE in coders/psd.c that causes a heap out-of-bounds read on 32-bit builds. Processing a crafted PSB file can lead to information disclosure or a crash...
CVE-2026-56316 Cap-go - Job Existence Oracle via Unauthenticated OPTIONS /build/upload/:jobId/*
Cap-go before 12.128.2 contains an information disclosure vulnerability in the OPTIONS /build/upload/:jobId/ endpoint that allows unauthenticated attackers to enumerate valid builder job IDs through observable response discrepancies. Attackers can probe the endpoint without authentication to...
CVE-2026-56299 Capgo - Denial of Service via Unauthenticated OPTIONS Request to /build/upload Endpoint
Capgo before 12.128.2 contains an authentication bypass vulnerability in the /build/upload/:jobId/ endpoint that allows unauthenticated attackers to trigger consistent 500 errors. Remote attackers can send OPTIONS requests to bypass authentication middleware and invoke tusProxy logic with invalid...
CVE-2026-56265 Crawl4AI - Authentication Bypass via Hardcoded JWT Signing Key
Crawl4AI before 0.8.7 contains an authentication bypass vulnerability due to a hardcoded default JWT signing key in the Docker API server. Attackers who know the default key can forge valid authentication tokens for any user, bypassing authentication and gaining full access to protected...
CVE-2026-56253 Capgo - Unauthenticated Organization Member Email Disclosure via get_org_members RPC
Capgo before 12.128.2 contains an improper access control vulnerability in the public.getorgmembers RPC function that allows unauthenticated attackers to enumerate organization members. Attackers can invoke the endpoint using only the public sbpublishable key and an organization UUID to retrieve...
CVE-2026-56251 Capgo - Privilege Escalation via Broken Row Level Security in org_users
Capgo before 12.128.2 contains a broken row level security policy in the orgusers table that allows authenticated users to elevate privileges from admin to superadmin. Attackers can exploit the insufficient RLS enforcement to gain unauthorized superadmin access and compromise system security...
CVE-2026-56239 Capgo - Privilege Escalation via SECURITY DEFINER Function apply_usage_overage
Capgo before 12.128.2 contains a potential privilege escalation vulnerability in the public.applyusageoverage SECURITY DEFINER function, which performs sensitive billing operations without enforcing internal authorization checks no validation of auth.uid, org membership, or checkminrights. Becaus...
CVE-2026-56242 Capgo - Unauthenticated API Key Validity Oracle and User Identity Disclosure via get_identity_apikey_only RPC
Capgo before 12.128.2 contains an unauthenticated security definer RPC function getidentityapikeyonly that returns the owning userid for supplied API keys, creating an API key validity oracle and user identity disclosure primitive. Attackers can call this endpoint with valid or invalid API keys t...
CVE-2026-56236 Capgo CLI - Arbitrary File Overwrite via Symlink-Following in Local Credential Operations
Capgo CLI before 12.128.2 contains arbitrary file overwrite vulnerabilities in login and build credentials operations that follow symlinks without validation. Attackers can create malicious symlinks in repositories to overwrite arbitrary files or expose credentials with world-readable permissions...
CVE-2025-71378 picklescan - Remote Code Execution via Undetected cProfile.runctx in Pickle Files
picklescan before 0.0.30 fails to detect cProfile.runctx function calls in pickle file reduce methods, allowing attackers to execute arbitrary code. Malicious pickle files bypass picklescan detection and execute remote code when loaded via pickle.load...
CVE-2026-56229 Capgo - Cross-App Build Job Access via app_id/job_id Mismatch in /build/status and /build/logs
Capgo before 12.128.2 contains an authorization bypass vulnerability in the /build/status and /build/logs endpoints that allows attackers to access build jobs belonging to different applications by supplying a mismatched appid and jobid combination. Limited API keys restricted to a single app can...
CVE-2025-71357 picklescan - Arbitrary Code Execution via Undetected idlelib.pyshell.ModifiedInterpreter.runcommand
picklescan before 0.0.30 fails to detect malicious pickle files using idlelib.pyshell.ModifiedInterpreter.runcommand in reduce methods. Attackers can embed undetected code in pickle files that executes remote commands when loaded by victims...
CVE-2025-71351 picklescan - Remote Code Execution via timeit.timeit() Detection Bypass
picklescan before 0.0.25 fails to detect malicious pickle files that use timeit.timeit in the reduce method, allowing remote code execution. Attackers can craft pickle files that import dangerous libraries like os and execute arbitrary system commands, which evade picklescan detection and execute...
CVE-2025-71348 picklescan - Arbitrary Code Execution via torch.utils._config_module.load_config Bypass
picklescan before 0.0.28 fails to detect malicious pickle files that invoke torch.utils.configmodule.loadconfig function within reduce methods. Attackers can craft pickle files embedding arbitrary code that evades detection but executes during pickle.load, enabling remote code execution in supply...
CVE-2026-12799 BerriAI litellm Incomplete Fix CVE-2025-0628 internal_user_endpoints.py ui_view_users improper authorization
A security vulnerability has been detected in BerriAI litellm up to 1.82.2. Affected by this issue is the function uiviewusers of the file litellm/proxy/managementendpoints/internaluserendpoints.py of the component Incomplete Fix CVE-2025-0628. Such manipulation leads to improper authorization. I...
CVE-2026-12798 BerriAI litellm MCP OpenAPI Spec Loader openapi_to_mcp_generator.py load_openapi_spec_async server-side request forgery
A weakness has been identified in BerriAI litellm up to 1.82.2. Affected by this vulnerability is the function loadopenapispecasync of the file litellm/proxy/experimental/mcpserver/openapitomcpgenerator.py of the component MCP OpenAPI Spec Loader. This manipulation of the argument specpath causes...
CVE-2026-12797 BerriAI litellm Completions banned_keywords.py async_pre_call_hook authorization
A security flaw has been discovered in BerriAI litellm up to 1.82.5. Affected is the function asyncprecallhook of the file enterprise/enterprisehooks/bannedkeywords.py of the component Completions Interface. The manipulation of the argument prompt results in incorrect authorization. The attack ma...
CVE-2026-12796 BerriAI litellm SSO Authentication Flow ui_sso.py get_redirect_response_from_openid session expiration
A vulnerability was identified in BerriAI litellm up to 1.82.2. This impacts the function getredirectresponsefromopenid of the file litellm/proxy/managementendpoints/uisso.py of the component SSO Authentication Flow. The manipulation leads to session expiration. The attack is possible to be carri...