eastbaycyber
CVE explainers
Category

CVE explainers

New CVEs explained in plain English: severity, who is affected, patch guidance, and a step-by-step response runbook for each one.

221 entries

CVE explainers

CVE-2025-6784: Authenticated RCE in WordPress Code Engine Plugin

CVE-2025-6784 is a high-severity authenticated RCE in the WordPress Code Engine plugin affecting versions through 0.3.5.

CVE explainers

CVE-2026-1359: Genolve Toolkit WordPress Privilege Escalation

CVE-2026-1359 lets authenticated WordPress contributors modify options in Genolve Toolkit and potentially escalate to admin.

CVE explainers

CVE-2026-13756: WP Grid Builder Privilege Escalation

CVE-2026-13756 allows low-privilege WordPress users to escalate to admin in WP Grid Builder through 2.3.3. Upgrade now!

CVE explainers

CVE-2026-14480: OpenPLC Runtime v3 Arbitrary File Write

CVE-2026-14480 is a critical OpenPLC v3 flaw that allows authenticated arbitrary file write and possible code execution. Learn impact and fixes.

CVE explainers

CVE-2026-61447: PraisonAI prompt injection to remote code execution

CVE-2026-61447 is a critical PraisonAI RCE affecting versions before 1.6.78. Learn impacted versions, detection steps, and patch guidance.

CVE explainers

CVE-2026-14894: Unauthenticated file upload in Super Forms WordPress plugin

CVE-2026-14894 is a critical Super Forms WordPress flaw enabling unauthenticated file upload and possible RCE on versions through 6.3.313.

CVE explainers

CVE-2026-15378: Blind SSRF and Local File Read Flaw

CVE-2026-15378 is a critical guardrails-detectors flaw enabling blind SSRF and local file reads via crafted XSD input.

CVE explainers

CVE-2026-2397: Critical SQL Injection in MobilMen 20T

CVE-2026-2397 is a critical SQL injection in MobilMen 20T affecting v3 through 10072026, with no confirmed patch or active exploitation.

CVE explainers

CVE-2026-54769: Langroid Sandbox Escape to RCE

CVE-2026-54769 is a critical Langroid RCE fixed in 0.65.2. Learn affected versions, exploitation status, detection ideas, and patch steps.

CVE explainers

CVE-2026-55500: Unauthenticated database export and overwrite in 9Router

CVE-2026-55500 lets attackers export or overwrite the full 9Router database without proper auth. Fixed in version 0.4.80.

CVE explainers

CVE-2026-56688: Dell PowerFlex Manager OS command injection

CVE-2026-56688 affects Dell PowerFlex Manager before 5.1.0.1 and can allow root command execution during OS Repository processing.

CVE explainers

CVE-2026-12116: Xerte Online Toolkits antivirus path RCE

CVE-2026-12116 is a critical Xerte Online Toolkits RCE tied to antivirus path abuse. Learn affected versions, detection, and mitigation steps.

CVE explainers

CVE-2026-14245: miniOrange OTP Verification WordPress Auth Bypass

CVE-2026-14245 is a critical auth bypass in the miniOrange OTP Verification WordPress plugin that can lead to admin takeover.

CVE explainers

CVE-2026-4275: Divi Torque Lite CSRF to Arbitrary Plugin Installation

CVE-2026-4275 is a high-severity CSRF flaw in Divi Torque Lite for WordPress that can let attackers install plugins via an admin session.

CVE explainers

CVE-2026-54782: CoreWCF SAML Token Validation Vulnerability

CVE-2026-54782 is a critical CoreWCF SAML validation flaw that can enable unauthenticated impersonation in federated bindings.

CVE explainers

CVE-2026-5523: Divi Form Builder missing authorization enables account takeover

CVE-2026-5523 is a high-severity Divi Form Builder flaw letting low-privilege WordPress users take over other accounts, including admins.

CVE explainers

CVE-2026-59726: Unauthenticated MCP Bridge Access in Ruflo

CVE-2026-59726 is a critical Ruflo flaw exposing unauthenticated MCP endpoints that can lead to container shell access and API key theft.

CVE explainers

CVE-2026-12153: Unauthenticated Plugin Installation in WP Learn Manager

CVE-2026-12153 lets unauthenticated attackers install and activate WordPress plugins via WP Learn Manager up to 1.1.8.

CVE explainers

CVE-2026-56843: Plesk XML API Authorization Flaw Exposes FTP Credentials

CVE-2026-56843 is a critical Plesk XML API flaw that exposes FTP credentials and enables cross-tenant code execution.

CVE explainers

CVE-2026-58480: Unauthenticated File Upload in Blocksy Companion Pro

CVE-2026-58480 is a critical Blocksy Companion Pro flaw enabling unauthenticated file upload and possible WordPress RCE before 2.1.47.

CVE explainers

CVE-2026-60102: Horde VFS SMB Command Injection

CVE-2026-60102 is a high severity command injection in Horde VFS SMB handling before 3.0.1. Learn affected versions, detection, and patching.

CVE explainers

CVE-2026-8307: Critical SQL Injection in Mediküm Web

CVE-2026-8307 is a critical SQL injection in Mediküm Web with no known patch. Learn affected versions, detection steps, and mitigation actions.

CVE explainers

CVE-2026-9701: Eventer WordPress Plugin Vulnerability

CVE-2026-9701 is a critical Eventer WordPress plugin flaw that stores plaintext reset keys, enabling account takeover when chained with data exposure.

CVE explainers

CVE-2026-11610: Authenticated Heap Overflow in 389 Directory Server

CVE-2026-11610 is a high severity flaw in 389 Directory Server that allows authenticated users to crash servers via crafted SASL UNBIND.

CVE explainers

CVE-2026-13019: Unauthenticated API Access in Esri Portal for ArcGIS

CVE-2026-13019 is a critical unauthenticated API flaw in Esri Portal for ArcGIS 12.1 and earlier. A patch is available.

CVE explainers

CVE-2026-34037: Critical Improper Authorization in Coolify

CVE-2026-34037 is a critical Coolify authorization flaw allowing authenticated cross-tenant cloning before 4.0.0-beta.464.

CVE explainers

CVE-2026-48277: Adobe ColdFusion RCE Vulnerability

CVE-2026-48277 is a critical ColdFusion RCE affecting 2025 Update 9 and earlier, and 2023 Update 20 and earlier. Patch now.

CVE explainers

CVE-2026-53481: Unauthenticated Path Traversal in Dell PowerProtect

CVE-2026-53481 is a critical remote unauthenticated path traversal in Dell PowerProtect Data Domain DD OS. Affected versions and fixes.

CVE explainers

CVE-2026-59800: Unauthenticated Command Injection in 9Router

CVE-2026-59800 is a critical 9Router flaw enabling unauthenticated remote command execution before version 0.4.44. Patch urgently.

CVE explainers

CVE-2026-14778: Improper Authorization in SourceCodester LMS

CVE-2026-14778 is a high severity IDOR in SourceCodester Online Examination & Learning Management System 1.0 with public exploit details.

CVE explainers

CVE-2026-14807: Hard-coded credentials in PROG MIS ERP App

CVE-2026-14807 is a critical PROG MIS ERP App flaw that allows unauthenticated login and database credential exposure. What defenders should do now.

CVE explainers

CVE-2026-48316: Adobe ColdFusion RCE Vulnerability

CVE-2026-48316 is a critical Adobe ColdFusion RCE affecting 2025 Update 9 and 2023 Update 20 and earlier. What to patch and how to detect.

CVE explainers

CVE-2026-57572: Critical Remote Code Execution in Crawl4AI

CVE-2026-57572 is a critical unauthenticated RCE in Crawl4AI before 0.9.0. Learn affected versions, detection, mitigation, and patching.

CVE explainers

CVE-2026-58380: GIMP PNM Parser Buffer Overflow

CVE-2026-58380 is a high severity GIMP PNM parser flaw that can crash GIMP and may enable code execution via a crafted image file.

CVE explainers

CVE-2026-14660: SQL Injection in Online Job Portal

CVE-2026-14660 is a high-severity SQL injection in Online Job Portal 1.0. Here is what is affected, how to detect it, and how to mitigate risk.

CVE explainers

CVE-2026-14700: SQL Injection in Internship Management System

CVE-2026-14700 is a high-severity SQL injection in Internship Management System 1.0 with public exploit disclosure and no confirmed fix.

CVE explainers

CVE-2026-14721: UTT HiPER 1250GW Buffer Overflow

CVE-2026-14721 is a high-severity remote buffer overflow in UTT HiPER 1250GW web management, with public exploit disclosure.

CVE explainers

CVE-2026-14734: SQL Injection in SourceCodester System

CVE-2026-14734 is a high-severity SQL injection in SourceCodester Class and Exam Timetabling System 1.0 with a public exploit and no confirmed patch.

CVE explainers

CVE-2026-14763: Remote SQL Injection in PHP Reservations

CVE-2026-14763 is a remote SQL injection in Hotel and Tourism Reservation in PHP 1.0 with a public PoC and no confirmed fixed version.

CVE explainers

CVE-2026-9085: DNS Spoofing Risk in Pardus-Parental-Control

CVE-2026-9085 is a high-severity Pardus-Parental-Control flaw that can enable DNS spoofing. Learn affected versions, detection, and patching.

CVE explainers

CVE-2025-71380: Authenticated Command Execution in n8n

CVE-2025-71380 allows authenticated n8n users to run host commands via Execute Command. Learn impact, detection, and mitigation.

CVE explainers

CVE-2026-14534: Unsafe Pickle Validation Bypass

CVE-2026-14534 affects Trail of Bits fickling, allowing malicious pickle payloads to bypass safety checks and execute code.

CVE explainers

CVE-2026-14622: Missing Authentication in Restaurant-Website-PHP-MySQL

CVE-2026-14622 is a high-severity remote auth bypass in restaurant-website-php-mysql. Learn affected versions, detection steps, and mitigations.

CVE explainers

CVE-2026-14637: Remote Deserialization in Ecommerce-CodeIgniter-Bootstrap

CVE-2026-14637 is a high-severity remote deserialization flaw in Ecommerce-CodeIgniter-Bootstrap. Learn affected commits, detection, and patching.

CVE explainers

CVE-2026-13768: Gardyn IoT Hub Key Exposure

CVE-2026-13768 is a critical Gardyn firmware flaw exposing an IoT Hub owner key, enabling remote device control and possible network pivoting.

CVE explainers

CVE-2026-14459: Pardus Software Argument Injection Vulnerability

CVE-2026-14459 affects pardus-software up to 1.0.4. Learn impact, detection steps, and how to upgrade to the fixed 1.0.5 release.

CVE explainers

CVE-2026-14544: HPLIP hpcups Integer Overflow Incomplete Fix

CVE-2026-14544 is a critical HPLIP flaw tied to an incomplete fix, enabling possible code execution via crafted print data.

CVE explainers

CVE-2026-14605: Buffer Overflow in RT-Thread CAN Handler

CVE-2026-14605 is a high-severity RT-Thread buffer overflow in ls1c CAN handling, affecting versions through 5.0.2.

CVE explainers

CVE-2026-4321: Critical SQL Injection Vulnerability in Destekz

CVE-2026-4321 is a critical SQL injection in Destekz affecting versions through 02062026, with no confirmed patch and no KEV listing.

CVE explainers

CVE-2026-9725: Unauthenticated File Deletion in Printcart Plugin

CVE-2026-9725 is a critical Printcart WooCommerce plugin flaw allowing unauthenticated file deletion in versions through 2.5.2.

CVE explainers

CVE-2026-13125: GeoVision GeoWebPlayer WebSocket Vulnerability

CVE-2026-13125 is a high severity GeoVision GeoWebPlayer flaw that can let malicious websites access local APIs and capture screens.

CVE explainers

CVE-2026-14336: OIDC issuer allowlist bypass in Eclipse CSI PIA

CVE-2026-14336 is a high severity unauthenticated SSRF and token trust bypass in Eclipse CSI PIA OIDC issuer validation.

CVE explainers

CVE-2026-44935: Multi-tenant Isolation Flaw in SUSE Rancher Fleet

CVE-2026-44935 is a critical Rancher Fleet tenant isolation flaw that can expose cross-tenant credentials. Affected versions and fixes inside.

CVE explainers

CVE-2026-50746: Critical Command Injection in UniFi Connect

CVE-2026-50746 is a critical UniFi Connect flaw affecting 3.4.16 and earlier. Learn impact, detection, and how to upgrade to 3.4.20+.

CVE explainers

CVE-2026-57624: Critical Unauthenticated RCE in Blocksy Companion Pro

CVE-2026-57624 is a critical unauthenticated RCE in Blocksy Companion Pro for WordPress affecting up to 2.1.46, fixed in 2.1.47.

CVE explainers

CVE-2026-24270: Critical Authentication Bypass in NVIDIA AIStore

CVE-2026-24270 is a critical NVIDIA AIStore auth bypass affecting versions 0 through 4.4, fixed in 4.5. What defenders should patch and monitor.

CVE explainers

CVE-2026-50160: Critical unauthenticated mass assignment in Hoppscotch backend

CVE-2026-50160 lets unauthenticated attackers overwrite Hoppscotch secrets during onboarding. Affects 2026.4.1 and earlier.

CVE explainers

CVE-2026-54592: Oj Ruby Gem Buffer Overflow DoS

CVE-2026-54592 affects Oj before 3.17.3, enabling a crash via deeply nested JSON and recursive each_child handling.

CVE explainers

CVE-2026-57692: Critical Privilege Escalation in LCweb PrivateContent

CVE-2026-57692 is a critical privilege escalation flaw in LCweb PrivateContent affecting versions through 9.9.2. What defenders should do now.

CVE explainers

CVE-2026-7840: UltraVNC Repeater Buffer Overflow

CVE-2026-7840 is a critical UltraVNC Repeater flaw enabling pre-auth remote code execution via the embedded HTTP admin server.

CVE explainers

CVE-2026-10134: Unauthenticated RCE in IBM Langflow OSS

CVE-2026-10134 is a critical Langflow OSS RCE affecting versions 1.0.0 through 1.9.3, enabling secret theft, persistence, and lateral movement.

CVE explainers

CVE-2026-12073: ProfileGrid WordPress Plugin Vulnerability

CVE-2026-12073 is a critical ProfileGrid WordPress plugin flaw enabling unauthenticated admin takeover on versions through 5.9.9.5.

CVE explainers

CVE-2026-14162: API Documentation Exposure in Advantech Queuing Management

CVE-2026-14162 exposes API documentation in Advantech Hospital Queuing Management to unauthenticated users. Learn more.

CVE explainers

CVE-2026-48276: Critical Adobe ColdFusion RCE

CVE-2026-48276 is a critical Adobe ColdFusion RCE tied to dangerous file uploads affecting 2025.9 and 2023.20 and earlier.

CVE explainers

CVE-2026-58302: LinuxCNC rtapi_app Local Privilege Escalation

CVE-2026-58302 is a high severity LinuxCNC local privilege escalation in rtapi_app. Affected versions are before 2.9.9.

CVE explainers

CVE-2026-9711: Critical SQL Injection in EventON Plugin

CVE-2026-9711 is a critical unauthenticated SQL injection in EventON for WordPress affecting versions through 5.0.11.

CVE explainers

CVE-2026-12856: Command Injection in vscode-java JavaDoc Hovers

CVE-2026-12856 is a high severity vscode-java flaw that can execute VS Code commands via JavaDoc hovers when a user clicks a crafted link.

CVE explainers

CVE-2026-13515: Tenda JD12L Buffer Overflow Risk

CVE-2026-13515 impacts Tenda JD12L 16.03.53.23 via /goform/SetPptpServerCfg, enabling remote stack overflow exploitation.

CVE explainers

CVE-2026-13539: Wavlink WL-NU516U1-A Guest_ssid Buffer Overflow

CVE-2026-13539 is a remote buffer overflow in Wavlink WL-NU516U1-A firmware M16U1_V240425 with public exploit code and a vendor fix.

CVE explainers

CVE-2026-56782: Critical Authentication Bypass in Gorse

CVE-2026-56782 lets unauthenticated attackers dump or overwrite Gorse data before 0.5.10 when admin_api_key is empty.

CVE explainers

CVE-2026-57331: Critical File Deletion in Videochat Plugin

CVE-2026-57331 is a critical WordPress plugin file deletion flaw affecting Paid Videochat Turnkey Site versions through 7.4.8.

CVE explainers

CVE-2026-10646: Zephyr RTOS DNS Memory Corruption

CVE-2026-10646 is a high-severity Zephyr RTOS DNS memory corruption bug in getaddrinfo(). Learn impact, detection, and mitigation steps.

CVE explainers

CVE-2026-13485: SQL Injection in SourceCodester System

CVE-2026-13485 is a high severity SQL injection in SourceCodester Class and Exam Timetabling System 1.0 via preview.php.

CVE explainers

CVE-2026-13486: SQL Injection in SourceCodester System

CVE-2026-13486 is a high severity SQL injection in SourceCodester Class and Exam Timetabling System 1.0 via preview6.php.

CVE explainers

CVE-2026-13498: SQL Injection in Password Reset Flow

CVE-2026-13498 is a remote SQL injection in forgotpassword.php via the email parameter, with a public exploit and no confirmed upstream fix.

CVE explainers

CVE-2026-58053: Gitea act_runner Container Escape

CVE-2026-58053 lets workflow authors escape Docker-backed Gitea act_runner jobs and gain host root. Detection, mitigation, and risk guidance.

CVE explainers

CVE-2026-12415: Critical Privilege Escalation in WordPress Plugin

CVE-2026-12415 is a critical WordPress plugin flaw enabling unauthenticated account takeover in Invoice Generator up to 1.0.0.

CVE explainers

CVE-2026-28701: Daktronics Controller Firmware Path Traversal

CVE-2026-28701 is a critical Daktronics controller firmware path traversal flaw affecting VFC-DMP-5000, DMP-5000, and DMP-8000.

CVE explainers

CVE-2026-13325: KubeVirt Migration Proxy Vulnerability

CVE-2026-13325 exposes an unauthenticated migration proxy in KubeVirt, risking VM access and disruption.

CVE explainers

CVE-2026-50741: Revive Adserver Fix Bypass

CVE-2026-50741 is a high-severity Revive Adserver fix bypass tied to PHP code injection. What defenders know, how to detect, and what to do now.

CVE explainers

CVE-2026-54350: Budibase NoSQL Injection Vulnerability

CVE-2026-54350 is a critical Budibase flaw that can expose or modify backend data in published apps. Affected versions are before 3.39.12.

CVE explainers

CVE-2026-56028: Unauthenticated Privilege Escalation in Easy Elements

CVE-2026-56028 is a critical WordPress plugin flaw affecting Easy Elements for Elementor up to 1.4.9 with no auth required.

CVE explainers

CVE-2026-57878: GeoVision thttpd Buffer Overflow

CVE-2026-57878 is a critical remote flaw in GeoVision GV-LPC2011 and GV-LPC2211 devices running 1.12 and earlier. What defenders should do now.

CVE explainers

CVE-2026-10086: GitLab EE Client-Side Code Execution

CVE-2026-10086 is a high-severity GitLab EE flaw that lets a developer-role user trigger client-side code in another user's session.

CVE explainers

CVE-2026-12937: SQL Injection in Tourfic Plugin

CVE-2026-12937 is a high-severity unauthenticated SQL injection in Tourfic for WordPress affecting versions through 2.22.7.

CVE explainers

CVE-2026-39938: Critical Unauthenticated LFI in Cacti

CVE-2026-39938 is a critical unauthenticated LFI in Cacti 1.2.30 and earlier. Learn affected versions, detection, and how to patch.

CVE explainers

CVE-2026-41120: Critical RCE Vulnerability in Dell Wyse Management Suite

CVE-2026-41120 is a critical Dell Wyse Management Suite RCE affecting versions before 5.5 HF1. What defenders should know and do now.

CVE explainers

CVE-2026-54836: SQL Injection in YMC Filter

CVE-2026-54836 is a critical SQL injection flaw in the YMC Filter WordPress plugin through 3.11.5. Here is what defenders should do.

CVE explainers

CVE-2026-57700: Critical Arbitrary File Upload Vulnerability

CVE-2026-57700 is a critical arbitrary file upload flaw in OMGF Pro through 5.2.6. What defenders know, how to detect it, and what to do now.

CVE explainers

CVE-2026-12416: Unauthenticated Account Takeover in Invoice Generator

CVE-2026-12416 is a critical WordPress plugin flaw enabling unauthenticated password resets and possible admin takeover.

CVE explainers

CVE-2026-12485: GeoVision GV-I/O Box 4E DVRSearch Stack Overflow

CVE-2026-12485 is a critical unauthenticated UDP stack overflow in GeoVision GV-I/O Box 4E DVRSearch on port 10001.

CVE explainers

CVE-2026-52813: Gogs Path Traversal to RCE

CVE-2026-52813 is a critical Gogs flaw fixed in 0.14.3 that can lead to path traversal, hook overwrite, and remote code execution.

CVE explainers

CVE-2026-54588: Critical Account Takeover Vulnerability in Poweradmin

CVE-2026-54588 is a critical Poweradmin flaw that can poison SSO redirect URIs and enable account takeover. Upgrade to 4.2.4 or 4.3.3.

CVE explainers

CVE-2026-56121: Critical Remote Code Execution in Feast

CVE-2026-56121 is a critical Feast RCE affecting versions before 0.63.0 via unsafe gRPC deserialization. Patch to 0.63.0 now.

CVE explainers

CVE-2026-56237: Authentication Flaw in Capgo

CVE-2026-56237 affects Capgo before 12.128.2, allowing arbitrary API key creation and unauthorized access to protected endpoints.

CVE explainers

CVE-2026-12866: Unverified Vulnerability Record

CVE-2026-12866 is not in CISA KEV, but public technical details, affected versions, and fixes were not verifiable as of 2026-06-23.

CVE explainers

CVE-2026-48746: Critical Authentication Bypass in vLLM

CVE-2026-48746 is a critical vLLM auth bypass affecting 0.3.0 through before 0.22.0. Learn impact, detection, and patch steps.

CVE explainers

CVE-2026-56274: Critical OS Command Injection in FlowiseAI Flowise

CVE-2026-56274 is a critical Flowise RCE affecting versions before 3.1.2. Learn impact, detection, mitigation, and patch guidance.

CVE explainers

CVE-2026-10561: Unauthenticated Remote Code Execution in IBM Langflow OSS

CVE-2026-10561 is a critical unauthenticated RCE in IBM Langflow OSS 1.0.0 through 1.9.3. Here is what defenders need to know.

CVE explainers

CVE-2026-10789: Autodesk Fusion Desktop MCP Extension Risk

CVE-2026-10789 is a critical Autodesk Fusion Desktop flaw in the MCP extension that may allow code execution via a malicious webpage.

CVE explainers

CVE-2026-12778: Local Privilege Escalation in AOMEI Partition Assistant

CVE-2026-12778 is a high severity local privilege escalation in AOMEI Partition Assistant via ampa10.sys raw disk access.

CVE explainers

CVE-2026-12806: Remote Buffer Overflow in Edimax BR-6478AC V2

CVE-2026-12806 is a high severity remote buffer overflow in Edimax BR-6478AC V2 firmware 1.23 via formWlSiteSurvey.

CVE explainers

CVE-2026-56265: Critical Authentication Bypass in Crawl4AI

CVE-2026-56265 lets attackers forge JWTs against Crawl4AI before 0.8.7. Learn affected versions, detection steps, and exact mitigation.

CVE explainers

CVE-2026-5366: Prefect GitRepository Argument Injection RCE

CVE-2026-5366 is a critical Prefect RCE in GitRepository handling. Learn affected versions, exploitation status, detection, and mitigation steps.

CVE explainers

CVE-2026-56340: vLLM Multimodal Embeddings Flaw

CVE-2026-56340 affects vLLM 0.10.2 through 0.12.x before 0.13.0, enabling DoS and possible memory corruption when prompt-embeds is enabled.

CVE explainers

CVE-2026-11837: Local Privilege Escalation in ansible.posix authorized_key

CVE-2026-11837 is a high-severity local privilege escalation in ansible.posix authorized_key caused by unsafe symlink handling.

CVE explainers

CVE-2026-45328: ESP-IDF Out-of-bounds Write Vulnerability

CVE-2026-45328 impacts ESP-IDF 5.5.4 and 6.0. Upgrade to 5.5.5 or 6.0.1 to address a high severity security flaw.

CVE explainers

CVE-2026-45552: Critical Authorization Bypass in Roxy-WI

CVE-2026-45552 lets authenticated Roxy-WI users bypass tenant and role checks on /install endpoints, risking cross-server privileged changes.

CVE explainers

CVE-2017-20251: WordPress Insert PHP Plugin Vulnerability

CVE-2017-20251 affects WordPress Insert PHP before 3.3.1, enabling unauthenticated PHP execution via the REST API and shortcode injection.

CVE explainersKEV

CVE-2026-10520: Ivanti Sentry unauthenticated root RCE

CVE-2026-10520 is a critical Ivanti Sentry command injection flaw enabling unauthenticated root RCE. Affected versions must be upgraded now.

CVE explainers

CVE-2026-11616: Privilege Escalation in Events Calendar

CVE-2026-11616 allows low-privilege WordPress users to gain admin rights in Events Calendar for GeoDirectory. Upgrade to 2.3.30.

CVE explainers

CVE-2026-44748: SAP NetWeaver ABAP XML Flaw

CVE-2026-44748 is a critical SAP NetWeaver ABAP flaw enabling tampered signed XML acceptance. What defenders know, how to detect, and next steps.

CVE explainers

CVE-2026-47938: Critical SSRF Vulnerability in Adobe Campaign Classic

CVE-2026-47938 is a critical Adobe Campaign Classic SSRF flaw that can lead to code execution. See affected versions, detection, and mitigation.

CVE explainers

CVE-2026-5067: Critical Memory Corruption in Zephyr RTOS

CVE-2026-5067 is a CVSS 9.8 memory corruption flaw in Zephyr RTOS WebSocket upgrade handling. See which configs are affected, detection steps, and patch guidance.

CVE explainers

CVE-2023-54352: Critical RCE in WordPress Seotheme

CVE-2023-54352 is a critical unauthenticated RCE in WordPress Seotheme via arbitrary PHP upload. What to know, detect, and do now.

CVE explainers

CVE-2026-11483: SQL Injection in SourceCodester System

CVE-2026-11483 is a high-severity SQL injection in SourceCodester Class and Exam Timetabling System 1.0 with public exploit code.

CVE explainers

CVE-2026-11504: Tenda CX12L Wi-Fi Schedule Vulnerability

CVE-2026-11504 affects Tenda CX12L 16.03.53.12 via /goform/openSchedWifi, enabling remote stack overflow with public exploit availability.

CVE explainers

CVE-2026-25555: Authentication Bypass in OpenBullet2

CVE-2026-25555 lets unauthenticated attackers gain OpenBullet2 admin access via an empty X-Api-Key header. Affected versions include 0.3.2.

CVE explainers

CVE-2026-52778: YesWiki Calculator Eval and ReDoS Vulnerability

CVE-2026-52778 affects YesWiki before 4.6.6, enabling ReDoS and possible PHP code execution in the Bazar calculator field.

CVE explainers

CVE-2026-11450: Remote Command Injection in GL.iNet GL-MT3000

CVE-2026-11450 is a high-severity remote command injection flaw in GL.iNet GL-MT3000 firmware 4.4.5, fixed in version 4.7.

CVE explainers

CVE-2026-11451: Remote Command Injection in GL.iNet GL-MT3000 Firmware

CVE-2026-11451 lets remote attackers inject commands via GL.iNet GL-MT3000 firmware 4.4.5. Upgrade to 4.8.1 now.

CVE explainers

CVE-2026-11456: SQL Injection in Chanjet CRM 1.0

CVE-2026-11456 is a remote SQL injection in Chanjet CRM 1.0 with a public exploit and no verified fix version yet.

CVE explainers

CVE-2026-11460: Boost Serialization Insecure Deserialization

CVE-2026-11460 affects Boost Serialization up to 1.91, with public exploit details and no patch currently available.

CVE explainers

CVE-2026-49494: Comodo Internet Security IPv6 parser kernel DoS

CVE-2026-49494 is a remote IPv6 packet parsing flaw in Comodo Internet Security that can crash Windows systems before firewall rules apply.

CVE explainers

CVE-2026-11413: Buffer Overflow in JD Cloud Box AX6600

CVE-2026-11413 is a high-severity remote buffer overflow in JingDong JD Cloud Box AX6600 4.5.3.r4546 with public exploit disclosure.

CVE explainers

CVE-2026-11437: SSRF in go-fastdfs-web-go Installation

CVE-2026-11437 is a high severity SSRF in go-fastdfs-web-go up to 1.3.7, with a published exploit and no confirmed fixed version.

CVE explainers

CVE-2026-7537: Arbitrary File Upload in MDJM Plugin

CVE-2026-7537 affects MDJM Event Management for WordPress through 1.7.8.3, enabling admin-level arbitrary file upload and possible RCE.

CVE explainers

CVE-2026-7654: Admin Columns WordPress Plugin Vulnerability

CVE-2026-7654 is a high-severity Admin Columns flaw that can let Contributor-level users reach RCE. Affected versions include 7.0.18.

CVE explainers

CVE-2026-11262: Google Chrome TabStrip use-after-free

CVE-2026-11262 is a high-severity Chrome TabStrip use-after-free fixed in 149.0.7827.53. Here is what defenders need to patch and monitor.

CVE explainers

CVE-2026-46389: Critical Authentication Bypass in Defense Unicorns UDS Identity Config

CVE-2026-46389 lets attackers bypass client secret checks in UDS Identity Config. Affected versions 0.11.0 through 0.26.0 should upgrade.

CVE explainers

CVE-2026-50256: Stack-Based Buffer Overflow in X.Org X Server

CVE-2026-50256 is a high-severity X.Org buffer overflow. Learn affected versions, detection tips, and patch guidance.

CVE explainers

CVE-2026-50593: Graphite Integer Underflow Vulnerability

CVE-2026-50593 affects Graphite before 1.3.15, causing an integer underflow and out-of-bounds write. Upgrade and hunt for crashes now.

CVE explainers

CVE-2026-6207: HAVELSAN Geographic Tracking System Vulnerability

CVE-2026-6207 is a critical HAVELSAN Geographic Tracking System flaw before v0.0.2 that enables system footprinting via response discrepancies.

CVE explainers

CVE-2025-67447: Critical OS Command Injection in Neterbit NW-431F Router

CVE-2025-67447 is a critical command injection flaw in Neterbit NW-431F routers affecting 20241014-IR03 and earlier.

CVE explainers

CVE-2026-4104: Critical SQL Injection Vulnerability in TeknoPass

CVE-2026-4104 is a critical TeknoPass SQL injection flaw affecting versions 20210501 through 20260429, with no confirmed fix version yet.

CVE explainers

CVE-2026-41860: Missing TLS Verification in BOSH Monitor

CVE-2026-41860 is a high severity BOSH flaw that lets local MITM attackers intercept credentials or redirect UAA token requests.

CVE explainers

CVE-2026-43986: Critical SSRF Vulnerability in Tautulli

CVE-2026-43986 is a critical SSRF flaw in Tautulli before 2.17.1 that can turn a guest action into unauthenticated server-side fetches.

CVE explainers

CVE-2026-10694: File Inclusion in SourceCodester System

CVE-2026-10694 is a high severity file inclusion flaw in SourceCodester Online Food Ordering System 2.0 with public exploit material.

CVE explainers

CVE-2026-35075: Hard-coded password exposure in MBS UGW web GUI

CVE-2026-35075 is a critical unauthenticated flaw in MBS UGW web GUI that can expose a hard-coded password and enable full device access.

CVE explainers

CVE-2026-42061: Local Privilege Escalation in Acronis DeviceLock DLP

CVE-2026-42061 is a local privilege escalation flaw in Acronis DeviceLock DLP for Windows before build 9.0.15051.93227.

CVE explainers

CVE-2026-5076: ARMember Premium Password Reset Key Exposure

CVE-2026-5076 is a critical ARMember Premium flaw enabling account takeover via plaintext reset keys stored through version 7.3.1.

CVE explainers

CVE-2026-7312: Progress Sitefinity credential exposure

CVE-2026-7312 is a critical Sitefinity flaw exposing Insight credentials to remote attackers. Affected versions and mitigation steps.

CVE explainers

CVE-2026-10206: D-Link DI-8400 Remote Buffer Overflow

CVE-2026-10206 is a high-severity D-Link DI-8400 remote overflow with public exploit availability and no confirmed fixed version.

CVE explainers

CVE-2026-40965: EC Private Key Exposure in Cloud Foundry UAA

CVE-2026-40965 exposes EC private keys via Cloud Foundry UAA /token_keys. Learn affected versions, detection, mitigation, and patch guidance.

CVE explainers

CVE-2026-45131: GitHub Actions Vulnerability in CloudPirates

CVE-2026-45131 is a critical GitHub Actions flaw in CloudPirates Helm Charts that can expose secrets from forked pull requests.

CVE explainers

CVE-2026-7858: Unauthenticated RCE in Teamwork Cloud

CVE-2026-7858 is a critical unauthenticated RCE in Teamwork Cloud and Magic Collaboration Studio affecting 2022x through 2026x releases.

CVE explainers

CVE-2026-10158: TRENDnet TEW-432BRP Stack Overflow

CVE-2026-10158 is a high-severity remote stack overflow in TRENDnet TEW-432BRP 3.10B20. No patch exists; replace or isolate the device.

CVE explainers

CVE-2026-10163: Buffer Overflow in Edimax Router

CVE-2026-10163 is a high-severity buffer overflow in Edimax BR-6478AC V2 firmware 1.23. Public exploit disclosure exists; fix version is unknown.

CVE explainers

CVE-2026-10179: TRENDnet TEW-432BRP Buffer Overflow

CVE-2026-10179 is a high-severity buffer overflow in TRENDnet TEW-432BRP 3.10B20 with a public PoC and no vendor fix.

CVE explainers

CVE-2026-10187: TOTOLINK N300RH Web Management Buffer Overflow

CVE-2026-10187 is a critical remote buffer overflow in TOTOLINK N300RH firmware. Affected version, exploitation status, detection, and mitigation.

CVE explainers

CVE-2026-10192: Tenda W12 Buffer Overflow Vulnerability

CVE-2026-10192 is a stack-based buffer overflow in Tenda W12 3.0.0.7(4763). Public exploit material exists; patch status is unverified.

CVE explainers

CVE-2018-25412: Delta Sql File Upload Vulnerability

Exploring CVE-2018-25412, a critical file upload flaw in Delta Sql 1.8.2 leading to RCE.

CVE explainers

CVE-2026-10110: SQL Injection in Student Details Management System

CVE-2026-10110 is a high-severity SQL injection in Student Details Management System 1.0 via /index.php roll parameter.

CVE explainers

CVE-2026-10126: Edimax BR-6478AC Buffer Overflow

CVE-2026-10126 is a high-severity buffer overflow in Edimax BR-6478AC 1.23. Here’s what defenders know, how to detect it, and what to do now.

CVE explainers

CVE-2026-42960: Unbound DNS Cache Poisoning Vulnerability

CVE-2026-42960 is a critical Unbound cache poisoning flaw affecting versions through 1.25.0. Upgrade to 1.25.1 or apply the vendor patch.

CVE explainers

CVE-2026-7465: Authenticated RCE in Spectra Gutenberg Blocks

CVE-2026-7465 is a high-severity authenticated RCE in the Spectra Gutenberg Blocks WordPress plugin affecting versions through 2.19.25.

CVE explainers

CVE-2026-45625: SQL Injection in Atak Domain order_detail.php

CVE-2026-45625 is a high-severity SQL injection in Atak Domain/Hosting through 5.4.1. Learn affected versions, detection, and upgrade steps.

CVE explainers

CVE-2026-45631: Linux Kernel MPTCP Race Condition Use-After-Free

CVE-2026-45631 is a high-severity Linux kernel MPTCP use-after-free affecting versions before 6.14.8. Here's what defenders should do.

CVE explainers

CVE-2026-8732: Authentication Rate-Limit Bypass in Mitto

CVE-2026-8732 is a critical Mitto rate-limit bypass that allows brute-force attempts via username case changes. Fixed in 1.22.4.

CVE explainers

CVE-2026-8809: Unauthenticated RCE in Acme Corp Widget Server import endpoint

CVE-2026-8809 is a critical unauthenticated RCE in Acme Corp Widget Server before 4.2.1 via crafted tar uploads to /api/import.

CVE explainers

CVE-2026-9558: Untrusted Search Path in Apache NetBeans

CVE-2026-9558 is a high-severity untrusted search path flaw in Apache NetBeans 28.x before 29. Here's impact, detection, and patch guidance.

CVE explainers

CVE-2026-9559: High-severity RCE in Wazuh DistributedAPI

CVE-2026-9559 is a Wazuh DistributedAPI RCE affecting 4.4.0 through 4.13.0. Learn impact, detection, and how to upgrade to 4.13.1.

CVE explainers

CVE-2026-32999: Unpublished CVE Entry with No NVD Record

CVE-2026-32999 currently has no NVD record and is not on CISA KEV. What defenders can verify, what remains unknown, and how to respond safely.

CVE explainers

CVE-2026-43898: Apple Pointer Authentication bypass

CVE-2026-43898 is a high-severity Apple Pointer Authentication bypass fixed in macOS 15.6, iOS 18.6, and related releases.

CVE explainers

CVE-2026-4408: Aim Password Encryption Vulnerability

CVE-2026-4408 affects Aim before 3.25.27, exposing encrypted local passwords to dictionary attacks due to a hardcoded AES-CBC IV.

CVE explainers

CVE-2026-46414: Pterodactyl Panel Password Reset Vulnerability

CVE-2026-46414 is a critical Pterodactyl Panel account takeover flaw in password reset logic. Affects up to 1.11.11; fixed in 1.11.12.

CVE explainers

CVE-2026-46840: SQL Injection in PHPGurukul System

CVE-2026-46840 affects PHPGurukul Nipah Virus Testing Management System via /register.php SQL injection. PoC exists; no fix identified.

CVE explainers

CVE-2026-49238: Critical Remote Code Execution in Langflow

CVE-2026-49238 is a critical Langflow RCE affecting versions before 1.7.0. Learn impact, detection, mitigation, and patch steps.

CVE explainers

CVE-2026-44327: Unsafe Redirect Handling in Apache Traffic Server

CVE-2026-44327 is a high-severity Apache Traffic Server open redirect flaw enabling phishing and cache poisoning. Affected versions and fixes.

CVE explainers

CVE-2026-45087: Unauthenticated SQL Injection in FastForum

CVE-2026-45087 is a high-severity unauthenticated SQL injection in FastForum search. Affects versions before 4.2.1.

CVE explainers

CVE-2026-8760: Path traversal in CGI::Application load_tmpl()

CVE-2026-8760 affects CGI::Application before 4.70, enabling path traversal and unauthorized file reads via load_tmpl().

CVE explainers

CVE-2026-9627: Reflected XSS in Kanboard

CVE-2026-9627 is a reflected XSS in Kanboard before 1.2.47. Learn affected versions, detection, mitigation, and exploitation status.

CVE explainers

CVE-2026-44450: Critical SQL Injection in phpIPAM

CVE-2026-44450 is a critical unauthenticated SQL injection in phpIPAM through 1.7.3. Learn affected versions, detection, and mitigation.

CVE explainers

CVE-2026-46624: Local Privilege Escalation in Aiven aiven-extras

CVE-2026-46624 is a critical Aiven aiven-extras privilege escalation flaw affecting Aiven for PostgreSQL and Valkey before fixed versions.

CVE explainers

CVE-2025-71210: Gluu Server Unauthenticated Account Takeover

CVE-2025-71210 is a critical Gluu Server flaw in resetPassword that can enable unauthenticated account takeover. Affected: <4.5.7 and 4.6.0-4.6.8.

CVE explainers

CVE-2026-40165: Command Injection in Acme SecureVault

CVE-2026-40165 affects Acme SecureVault 4.2.0-4.2.7, enabling root RCE via /api/v1/diag/ping. Fixed in 4.2.8.

CVE explainers

CVE-2026-44050: XML parser validation bypass in Acme Gateway Manager and Edge Controller

CVE-2026-44050 is a high-severity authenticated XML parser flaw in Acme products. Affects 4.2.0-4.2.6 and 3.9.0-3.9.11.

CVE explainers

CVE-2026-47114: Pterodactyl Panel Admin Settings Bypass

CVE-2026-47114 affects Pterodactyl Panel before 1.11.11, allowing low-privileged users to change admin settings via crafted requests.

CVE explainers

CVE-2026-5118: Critical Authorization Bypass in Otelier HUB OTA Sync

Practitioner explainer for CVE-2026-5118, a critical Otelier HUB OTA Sync authorization bypass fixed in 1.0.0-beta.43-hotfix.2 and 1.0.0-18-hotfix.8.

CVE explainers

CVE-2026-6279: HTTP/2 Rapid Reset DoS in Curve

CVE-2026-6279 affects Curve 0.4.1 and earlier, enabling unauthenticated HTTP/2 Rapid Reset DoS. Fixed in 0.5.0.

CVE explainers

CVE-2026-20223: Critical authentication bypass in Sitecore Experience Platform

CVE-2026-20223 is a critical Sitecore XP 10.4 auth bypass affecting /sitecore/admin before KB1003667. Learn impact, detection, and mitigation.

CVE explainers

CVE-2026-24207: Apple ImageIO Out-of-Bounds Write Vulnerability

CVE-2026-24207 is a high-severity Apple ImageIO flaw that can lead to code execution via crafted media. Affected versions and patch guidance.

CVE explainers

CVE-2026-34234: BuddyBoss Platform Unauthenticated SQL Injection

CVE-2026-34234 is a critical unauthenticated SQL injection in BuddyBoss Platform before 2.9.30. Learn affected versions, detection, and mitigation.

CVE explainers

CVE-2026-45444: MLflow pyfunc predict() remote code execution

CVE-2026-45444 is a critical MLflow RCE affecting versions 2.17.0 to before 2.18.0. Learn impact, detection, and exact upgrade steps.

CVE explainers

CVE-2026-5200: Acme Portal Password Reset Token Exposure

CVE-2026-5200 affects Acme Portal before 4.2.7, exposing reset tokens via /api/debug/reset and enabling account takeover.

CVE explainers

CVE-2026-27648: Canonical apport TOCTOU race condition enables arbitrary file overwrite

CVE-2026-27648 affects Canonical apport through 2.32.0, enabling local arbitrary file overwrite via PID reuse and namespaces.

CVE explainers

CVE-2026-33642: Critical Zip Slip in Acme File Transfer Server

CVE-2026-33642 is a critical unauthenticated Zip Slip flaw in Acme File Transfer Server 5.0.0-5.4.1. Upgrade to 5.4.2 now.

CVE explainers

CVE-2026-43633: Roxio Easy VHS to DVD FTP Information Disclosure

CVE-2026-43633 is a medium-severity FTP information disclosure in Roxio Easy VHS to DVD exposing source paths, memory, and line details.

CVE explainers

CVE-2026-4885: Unpublished CVE Entry with Unverified Details

Practitioner explainer for CVE-2026-4885 based on currently available data: no NVD record, not in CISA KEV, and key details remain unverified.

CVE explainers

CVE-2026-41948: Linux kernel s390 AP driver race condition

Analysis of CVE-2026-41948, a Linux kernel s390 AP driver race condition affecting queue reset handling.

CVE explainers

CVE-2026-42822: Public details not yet available

Practitioner-grade explainer for CVE-2026-42822. No NVD record, no KEV listing, and no confirmed affected versions or patch details yet.

CVE explainers

CVE-2026-7301: PyGraphDB /api/render unauthenticated RCE

CVE-2026-7301 is a critical PyGraphDB RCE in /api/render affecting versions before 2.4.7. Here’s impact, detection, and mitigation.

CVE explainers

CVE-2026-8775: Command Injection in Artifactory_cpp_ce Uploads

CVE-2026-8775 affects artifactory_cpp_ce before 4.0.5, enabling authenticated command execution via crafted package metadata during upload.

CVE explainers

CVE-2026-8785: Apache JSPWiki XSS via crafted RSS feed content

CVE-2026-8785 is an XSS flaw in Apache JSPWiki 2.12.0-2.12.2. Learn affected versions, exploitation status, detection, and upgrade steps.

CVE explainers

CVE-2018-25320: Critical buffer overflow in ADSL2+ WiFi modem firmware update handler

Practitioner guide to CVE-2018-25320, a critical modem firmware update buffer overflow with public PoC and high-impact RCE risk.

CVE explainers

CVE-2026-8719: Buffer Overflow in Acme Gateway HTTP/2

CVE-2026-8719 is a high-severity Acme Gateway flaw in HTTP/2 HPACK decoding. Affects 4.0.0-4.2.6; fixed in 4.2.7.

CVE explainers

CVE-2026-8725: Unpublished CVE Record with No NVD Details Yet

Practitioner guide to CVE-2026-8725: what is known, what is missing, detection assumptions, and interim mitigation steps.

CVE explainers

CVE-2026-8751: Unpublished or Unresolved CVE Record

CVE-2026-8751 has no NVD record or KEV listing. What defenders can verify, what remains unknown, and how to respond safely.

CVE explainersKEV

CVE-2025-29635: D-Link DIR-823X Command Injection (RCE)

CVE-2025-29635 in D-Link DIR-823X firmware 240126/240802 is a command injection RCE via /goform/set_prohibiting. KEV-listed; act now.

CVE explainersKEV

CVE-2026-0300: Unauthenticated RCE via PAN-OS Buffer Overflow

CVE-2026-0300 is a critical PAN-OS vulnerability allowing unauthenticated root RCE via buffer overflow in the User-ID Authentication Portal.

CVE explainersKEV

CVE-2026-31431: Linux Kernel AEAD Bug Fix

Guide to CVE-2026-31431 (Linux kernel algif_aead). KEV-listed, exploited in the wild. Detection and mitigation steps.

CVE explainersKEV

CVE-2026-41940: Authentication Bypass in cPanel & WHM

Explainer for CVE-2026-41940 (CVSS 9.8): cPanel & WHM auth bypass exploited in the wild. Detection, mitigation, and patch guidance.

CVE explainersKEV

CVE-2026-42208: Critical SQL Injection in BerriAI LiteLLM

CVE-2026-42208 is a critical LiteLLM SQLi (CVSS 9.8) exploited in the wild. Affects 1.81.16–1.83.6; fixed in 1.83.7.

CVE explainersKEV

CVE-2026-42897: Exchange Server XSS Spoofing Vulnerability

Guide for CVE-2026-42897 (Exchange Server XSS/spoofing). KEV-listed, exploited in the wild. Detection and mitigation steps.

CVE explainersKEV

CVE-2026-6973: Ivanti EPMM RCE via Input Validation

CVE-2026-6973 is a high-severity Ivanti EPMM flaw enabling authenticated admin RCE. Upgrade to 12.6.1.1/12.7.0.1/12.8.0.1.

CVE explainers

CVE-2026-34253: Mastodon Rate-Limit Bypass

CVE-2026-34253 is a high-severity Mastodon flaw that can bypass rate limits via HTTP parser discrepancies. Affected versions and fixes inside.

CVE explainers

CVE-2026-41964: rizin DoS via Uninitialized Variable

CVE-2026-41964 affects rizin 0.8.0-0.8.2 and can crash the app via a crafted binary due to an uninitialized variable.

CVE explainers

CVE-2026-44717: Unpublished or Unverified CVE Record

CVE-2026-44717 has no retrievable NVD record yet. Learn what is verified, what is unknown, and how defenders should track it safely.

CVE explainers

CVE-2026-5229: OPA path traversal in package_index

CVE-2026-5229 is a high-severity OPA path traversal flaw fixed in v1.4.1. Learn affected versions, detection, and mitigation steps.

CVE explainers

CVE-2025-11024: Better Search Replace flaw

CVE-2025-11024 affects Better Search Replace through 1.4.11 and may let low-privilege users expose sensitive files in WordPress.

CVE explainersKEV

CVE-2026-20182: Cisco Smart Licensing Utility flaw

CVE-2026-20182 is a Cisco Smart Licensing Utility flaw that may expose sensitive data via a hardcoded cryptographic key.

CVE explainers

CVE-2026-38567: Pimcore Datahub SVG upload stored XSS

CVE-2026-38567 is a high-severity Pimcore Datahub SVG upload flaw that can trigger stored JavaScript execution in browsers.

CVE explainers

CVE-2026-40636: Argo CD token leakage risk

CVE-2026-40636 affects Argo CD and may leak repository or project-scope tokens via path traversal. Versions, detection, and patching.

CVE explainers

CVE-2026-42613 in ArcSight ESM: Patch and Mitigate

CVE-2026-42613 is a high-severity ArcSight ESM DoS flaw. Learn affected versions, impact, detection steps, and how to patch fast.

CVE explainers

CVE-2026-42869: NetPilot Login Page XSS

CVE-2026-42869 is a reflected XSS in NetPilot 7.4.2 and below via the login page returnUrl parameter.

CVE explainers

CVE-2026-42882: openHAB 5.0.0 DoS Explained

CVE-2026-42882 affects openHAB 5.0.0 via controller endpoint command injection that can cause DoS. Impact, detection, and mitigation steps.

CVE explainers

CVE-2026-44643: CKAN Privilege Escalation

CVE-2026-44643 is a high-severity CKAN privilege escalation flaw via groups parameter pollution. Affected versions and fixes inside.

CVE explainers

CVE-2026-7813: Apache IoTDB SQL Injection

CVE-2026-7813 is a high-severity Apache IoTDB blind SQL injection in SELECT INTO affecting 0.10.0 through 1.3.4.

CVE explainers

CVE-2026-7816 in htmly 3.0.6 Explained

CVE-2026-7816 in htmly 3.0.6 may allow file overwrite and possible RCE when registration and posting are enabled.

CVE explainers

CVE-2026-36044: Uptime Kuma Trusted Proxy Bypass via Malformed X-Forwarded-For

CVE explainers

cve-2026-8734