CVE-2026-7683 - Edimax BR-6428nC Web setWAN command injection
CVE ID :CVE-2026-7683
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7683
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A weakness has been identified in Edimax BR-6428nC up to 1.16. This affects an unknown function of the file /goform/setWAN of the component Web Interface. This manipulation of the argument pppUserName/pptpUserName causes command injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7684 - Edimax BR-6428nC setWAN buffer overflow
CVE ID :CVE-2026-7684
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7684
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A security vulnerability has been detected in Edimax BR-6428nC up to 1.16. This impacts an unknown function of the file /goform/setWAN. Such manipulation of the argument pptpDfGateway leads to buffer overflow. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7685 - Edimax BR-6208AC setWAN buffer overflow
CVE ID :CVE-2026-7685
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7685
Published : May 3, 2026, 7:16 a.m. | 2 hours, 28 minutes ago
Description :A vulnerability was detected in Edimax BR-6208AC up to 1.02. Affected is an unknown function of the file /goform/setWAN. Performing a manipulation of the argument pptpDfGateway results in buffer overflow. The attack may be initiated remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 9.0 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7686 - eyeo Adblock Plus Legacy Premium Activation premium.preload.js postMessage access control
CVE ID :CVE-2026-7686
Published : May 3, 2026, 8:16 a.m. | 1 hour, 29 minutes ago
Description :A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7686
Published : May 3, 2026, 8:16 a.m. | 1 hour, 29 minutes ago
Description :A vulnerability was found in eyeo Adblock Plus up to 4.36.2 on Chrome. Affected by this vulnerability is the function postMessage of the file premium.preload.js of the component Legacy Premium Activation. Performing a manipulation results in improper access controls. Remote exploitation of the attack is possible. The exploit has been made public and could be used. Upgrading the affected component is recommended. The vendor provides additional details: "The affected code path is a legacy Premium activation flow that has been deprecated. eyeo has already migrated to a new user account-based licensing system. The exploit does not grant permanent Premium access. The licensing server issues a short-lived trial license (valid for approximately 24 hours) for any submitted userId. On the next license check, the server validates against a real subscription and the trial expires if no valid subscription is found. The researcher's claim of permanently unlocking all Premium features is therefore incorrect. (...) The old flow has been present for years and has not been weaponized at scale to our knowledge. The risk to eyeo and to users is minimal."
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7688 - Dolibarr ERP CRM Shipments API Endpoint expedition.class.php _checkValForAPI sql injection
CVE ID :CVE-2026-7688
Published : May 3, 2026, 9:15 a.m. | 30 minutes ago
Description :A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7688
Published : May 3, 2026, 9:15 a.m. | 30 minutes ago
Description :A vulnerability was identified in Dolibarr ERP CRM up to 23.0.2. This affects the function _checkValForAPI of the file htdocs/expedition/class/expedition.class.php of the component Shipments API Endpoint. The manipulation of the argument fields leads to sql injection. The attack is possible to be carried out remotely. A high degree of complexity is needed for the attack. It is indicated that the exploitability is difficult. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7687 - langflow-ai langflow Full Builtins code_parser.py CodeParser.parse_callable_details command injection
CVE ID :CVE-2026-7687
Published : May 3, 2026, 9:16 a.m. | 29 minutes ago
Description :A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7687
Published : May 3, 2026, 9:16 a.m. | 29 minutes ago
Description :A vulnerability was determined in langflow-ai langflow up to 1.8.4. Affected by this issue is the function CodeParser.parse_callable_details of the file src/lfx/src/lfx/custom/code_parser/code_parser.py of the component Full Builtins Module Handler. Executing a manipulation can lead to command injection. The attack can be executed remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7689 - Dolibarr ERP CRM Online Signature security.lib.php dol_verifyHash signature verification
CVE ID :CVE-2026-7689
Published : May 3, 2026, 9:30 a.m. | 15 minutes ago
Description :A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7689
Published : May 3, 2026, 9:30 a.m. | 15 minutes ago
Description :A security flaw has been discovered in Dolibarr ERP CRM up to 23.0.2. This vulnerability affects the function dol_verifyHash in the library htdocs/core/lib/security.lib.php of the component Online Signature Module. The manipulation results in improper verification of cryptographic signature. The attack may be performed from remote. Attacks of this nature are highly complex. It is stated that the exploitability is difficult. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7690 - Wavlink WL-WN570HA1 adm.cgi set_sys_adm command injection
CVE ID :CVE-2026-7690
Published : May 3, 2026, 10:16 a.m. | 3 hours, 31 minutes ago
Description :A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7690
Published : May 3, 2026, 10:16 a.m. | 3 hours, 31 minutes ago
Description :A weakness has been identified in Wavlink WL-WN570HA1 R70HA1 V1410_221110. This issue affects the function set_sys_adm of the file /cgi-bin/adm.cgi. This manipulation of the argument Username causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7691 - Wavlink WL-WN570HA1 adm.cgi set_sys_cmd command injection
CVE ID :CVE-2026-7691
Published : May 3, 2026, 11:16 a.m. | 2 hours, 31 minutes ago
Description :A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7691
Published : May 3, 2026, 11:16 a.m. | 2 hours, 31 minutes ago
Description :A security vulnerability has been detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. Impacted is the function set_sys_cmd of the file /cgi-bin/adm.cgi. Such manipulation of the argument command leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7692 - Wavlink WL-WN570HA1 adm.cgi ping_ddns command injection
CVE ID :CVE-2026-7692
Published : May 3, 2026, 11:16 a.m. | 2 hours, 31 minutes ago
Description :A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7692
Published : May 3, 2026, 11:16 a.m. | 2 hours, 31 minutes ago
Description :A vulnerability was detected in Wavlink WL-WN570HA1 R70HA1 V1410_221110. The affected element is the function ping_ddns of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument DDNS results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. Once again the vendors acted very professional and confirms, "that the WN570HA1 firmware version R70HA1 V1410_221110 has been removed from our website." This vulnerability only affects products that are no longer supported by the maintainer.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7694 - Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System elecMaxMinAvgValue sql injection
CVE ID :CVE-2026-7694
Published : May 3, 2026, 12:15 p.m. | 1 hour, 31 minutes ago
Description :A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7694
Published : May 3, 2026, 12:15 p.m. | 1 hour, 31 minutes ago
Description :A flaw has been found in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0. The impacted element is an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. Executing a manipulation of the argument fCircuitids can lead to sql injection. The attack can be launched remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7697 - AMTT Hotel Broadband Operation System cardhand_submit.php sql injection
CVE ID :CVE-2026-7697
Published : May 3, 2026, 1:15 p.m. | 32 minutes ago
Description :A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7697
Published : May 3, 2026, 1:15 p.m. | 32 minutes ago
Description :A vulnerability was determined in AMTT Hotel Broadband Operation System 1.0. Affected is an unknown function of the file /manager/card/cardhand_submit.php. This manipulation of the argument ID causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7695 - Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform elecMaxMinAvgValue sql injection
CVE ID :CVE-2026-7695
Published : May 3, 2026, 1:16 p.m. | 31 minutes ago
Description :A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7695
Published : May 3, 2026, 1:16 p.m. | 31 minutes ago
Description :A vulnerability has been found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This affects an unknown function of the file /SubstationWEBV2/main/elecMaxMinAvgValue. The manipulation of the argument fCircuitids leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7696 - Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform uploadH5Files unrestricted upload
CVE ID :CVE-2026-7696
Published : May 3, 2026, 1:16 p.m. | 31 minutes ago
Description :A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7696
Published : May 3, 2026, 1:16 p.m. | 31 minutes ago
Description :A vulnerability was found in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0. This impacts an unknown function of the file /SubstationWEBV2/main/uploadH5Files. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7698 - Tiandy Easy7 Integrated Management Platform updateDbBackupInfo os command injection
CVE ID :CVE-2026-7698
Published : May 3, 2026, 2:16 p.m. | 3 hours, 33 minutes ago
Description :A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7698
Published : May 3, 2026, 2:16 p.m. | 3 hours, 33 minutes ago
Description :A vulnerability was identified in Tiandy Easy7 Integrated Management Platform 7.17.0. Affected by this vulnerability is an unknown functionality of the file /Easy7/rest/systemInfo/updateDbBackupInfo. Such manipulation of the argument week leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7699 - Dromara MaxKey StrUtils.java StrUtils.checkSqlInjection sql injection
CVE ID :CVE-2026-7699
Published : May 3, 2026, 3:15 p.m. | 2 hours, 34 minutes ago
Description :A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7699
Published : May 3, 2026, 3:15 p.m. | 2 hours, 34 minutes ago
Description :A security flaw has been discovered in Dromara MaxKey up to 3.5.13. Affected by this issue is the function StrUtils.checkSqlInjection of the file StrUtils.java. Performing a manipulation of the argument filtersfields results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7700 - langflow-ai langflow LambdaFilterComponent lambda_filter.p eval code injection
CVE ID :CVE-2026-7700
Published : May 3, 2026, 3:15 p.m. | 2 hours, 34 minutes ago
Description :A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7700
Published : May 3, 2026, 3:15 p.m. | 2 hours, 34 minutes ago
Description :A weakness has been identified in langflow-ai langflow up to 1.8.4. This affects the function eval of the file src/lfx/src/lfx/components/llm_operations/lambda_filter.p of the component LambdaFilterComponent. Executing a manipulation can lead to code injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7701 - Telegram Desktop Bot API url_auth_box.cpp RequestButton null pointer dereference
CVE ID :CVE-2026-7701
Published : May 3, 2026, 4:15 p.m. | 1 hour, 34 minutes ago
Description :A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7701
Published : May 3, 2026, 4:15 p.m. | 1 hour, 34 minutes ago
Description :A security vulnerability has been detected in Telegram Desktop up to 6.7.5. This vulnerability affects the function RequestButton of the file Telegram/SourceFiles/boxes/url_auth_box.cpp of the component Bot API. The manipulation of the argument login_url leads to null pointer dereference. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.0 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7702 - toeverything AFFiNE Public Markdown Preview Endpoint :docId allowDocPreview authorization
CVE ID :CVE-2026-7702
Published : May 3, 2026, 4:15 p.m. | 1 hour, 34 minutes ago
Description :A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7702
Published : May 3, 2026, 4:15 p.m. | 1 hour, 34 minutes ago
Description :A vulnerability was detected in toeverything AFFiNE up to 0.26.3. This issue affects the function allowDocPreview of the file /workspace/:workspaceId/:docId of the component Public Markdown Preview Endpoint. The manipulation results in authorization bypass. It is possible to launch the attack remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity: 5.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7703 - AV Stumpfl Pixera Two Media Server Websocket API code injection
CVE ID :CVE-2026-7703
Published : May 3, 2026, 5:16 p.m. | 33 minutes ago
Description :A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7703
Published : May 3, 2026, 5:16 p.m. | 33 minutes ago
Description :A flaw has been found in AV Stumpfl Pixera Two Media Server up to 25.2 R2. Impacted is an unknown function of the component Websocket API. This manipulation causes code injection. The attack can be initiated remotely. The exploit has been published and may be used. Upgrading to version 25.2 R3 is recommended to address this issue. Upgrading the affected component is advised.
Severity: 7.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE-2026-7704 - AV Stumpfl Pixera Two Media Server Service Port 1338 path traversal
CVE ID :CVE-2026-7704
Published : May 3, 2026, 5:16 p.m. | 33 minutes ago
Description :A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID :CVE-2026-7704
Published : May 3, 2026, 5:16 p.m. | 33 minutes ago
Description :A vulnerability has been found in AV Stumpfl Pixera Two Media Server up to 25.1 R2. The affected element is an unknown function of the component Service Port 1338. Such manipulation leads to path traversal. The exploit has been disclosed to the public and may be used. Upgrading to version 25.2 R3 is sufficient to fix this issue. It is advisable to upgrade the affected component.
Severity: 4.3 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...