๐จ CVE-2026-0854
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
๐@cveNotify
Certain DVR/NVR models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
๐@cveNotify
๐จ CVE-2026-0855
Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
๐@cveNotify
Certain IP Camera models developed by Merit LILIN has a OS Command Injection vulnerability, allowing authenticated remote attackers to inject arbitrary OS commands and execute them on the device.
๐@cveNotify
๐จ CVE-2026-22184
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
๐@cveNotify
zlib versions up to and including 1.3.1.2 contain a global buffer overflow in the untgz utility. The TGZfname() function copies an attacker-supplied archive name from argv[] into a fixed-size 1024-byte static global buffer using an unbounded strcpy() call without length validation. Supplying an archive name longer than 1024 bytes results in an out-of-bounds write that can lead to memory corruption, denial of service, and potentially code execution depending on compiler, build flags, architecture, and memory layout. The overflow occurs prior to any archive parsing or validation.
๐@cveNotify
GitHub
GitHub - madler/zlib: A massively spiffy yet delicately unobtrusive compression library.
A massively spiffy yet delicately unobtrusive compression library. - madler/zlib
๐จ CVE-2025-50572
Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.
๐@cveNotify
Archer 6.11.00204.10014 allows attackers to execute arbitrary code via crafted system inputs that would be exported into the CSV and be executed after the user opened the file with compatible applications. NOTE: the Supplier does not accept this as a valid vulnerability report against their product.
๐@cveNotify
Archer
Archer | Electric Air Taxis
Archer is designing and developing electric vertical takeoff and landing (eVTOL) aircraft for use in urban air mobility networks. Archerโs mission is to unlock the skies, freeing everyone to reimagine how they move and spend time. Archer's team is based inโฆ
๐จ CVE-2025-20772
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.
๐@cveNotify
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.
๐@cveNotify
MediaTek
December 2025
๐จ CVE-2025-20773
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797.
๐@cveNotify
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10196993; Issue ID: MSV-4797.
๐@cveNotify
MediaTek
December 2025
๐จ CVE-2025-20775
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.
๐@cveNotify
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4795.
๐@cveNotify
MediaTek
December 2025
๐จ CVE-2025-20781
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699.
๐@cveNotify
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10182914; Issue ID: MSV-4699.
๐@cveNotify
MediaTek
January 2026
๐จ CVE-2025-20786
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673.
๐@cveNotify
In display, there is a possible memory corruption due to use after free. This could lead to local escalation of privilege if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10149882; Issue ID: MSV-4673.
๐@cveNotify
MediaTek
January 2026
๐จ CVE-2023-34975
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
QuTScloud is not affected.
We have already fixed the vulnerability in the following versions:
QuTS hero h4.5.4.2626 build 20231225 and later
QTS 4.5.4.2627 build 20231225 and later
๐@cveNotify
An OS command injection vulnerability has been reported to affect several QNAP operating system versions. If exploited, the vulnerability could allow authenticated administrators to execute commands via a network.
QuTScloud is not affected.
We have already fixed the vulnerability in the following versions:
QuTS hero h4.5.4.2626 build 20231225 and later
QTS 4.5.4.2627 build 20231225 and later
๐@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Multiple Vulnerabilities in QTS, QuTS hero, and QuTScloud - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
๐จ CVE-2023-34976
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Video Station 5.7.0 ( 2023/07/27 ) and later
๐@cveNotify
A SQL injection vulnerability has been reported to affect Video Station. If exploited, the vulnerability could allow authenticated users to inject malicious code via a network.
We have already fixed the vulnerability in the following version:
Video Station 5.7.0 ( 2023/07/27 ) and later
๐@cveNotify
QNAP Systems, Inc. - Network Attached Storage (NAS)
Vulnerabilities in Video Station - Security Advisory
QNAP designs and delivers high-quality network attached storage (NAS) and professional network video recorder (NVR) solutions to users from home, SOHO to small, medium businesses.
๐จ CVE-2025-20765
In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.
๐@cveNotify
In aee daemon, there is a possible system crash due to a race condition. This could lead to local denial of service if a malicious actor has already obtained the System privilege. User interaction is not needed for exploitation. Patch ID: ALPS10190802; Issue ID: MSV-4833.
๐@cveNotify
MediaTek
December 2025
๐จ CVE-2025-52694
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet.
๐@cveNotify
Successful exploitation of the SQL injection vulnerability could allow an unauthenticated remote attacker to execute arbitrary SQL commands on the vulnerable service when it is exposed to the Internet.
๐@cveNotify
Cyber Security Agency of Singapore
Critical Vulnerability in Advantech Products
CSA has issued 1 CVE ID to a vulnerability in Advantech Products. Users and administrators of the affected product versions are advised to update to the latest versions immediately.
๐จ CVE-2025-40975
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to โ/hrmgo/ticket/changereplyโ, using the โdescriptionโ parameter.
๐@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's HRMGo, consisting of a lack of proper validation of user input by sending a POST request to โ/hrmgo/ticket/changereplyโ, using the โdescriptionโ parameter.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in WorkDo products
INCIBE has coordinated the publication of four vulnerabilities, all of medium severity, affecting Tick
๐จ CVE-2025-40976
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to โ/ticketgo-saas/homeโ, using the โdescriptionโ parameter.
๐@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's TicketGo, consisting of a lack of proper validation of user input by sending a POST request to โ/ticketgo-saas/homeโ, using the โdescriptionโ parameter.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in WorkDo products
INCIBE has coordinated the publication of four vulnerabilities, all of medium severity, affecting Tick
๐จ CVE-2025-40977
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to โ/store-ticketโ, using the โsubjectโ and โdescriptionโ parameters.
๐@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a lack of proper validation of user input by sending a POST request to โ/store-ticketโ, using the โsubjectโ and โdescriptionโ parameters.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in WorkDo products
INCIBE has coordinated the publication of four vulnerabilities, all of medium severity, affecting Tick
๐จ CVE-2025-40978
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to โ/ticket/x/conversionโ, using the โreply_descriptionโ parameter.
๐@cveNotify
Stored Cross-Site Scripting (XSS) vulnerability in WorkDo's eCommerceGo SaaS, consisting of a stored XSS due to a lack of proper validation of user input by sending a POST request to โ/ticket/x/conversionโ, using the โreply_descriptionโ parameter.
๐@cveNotify
www.incibe.es
Multiple vulnerabilities in WorkDo products
INCIBE has coordinated the publication of four vulnerabilities, all of medium severity, affecting Tick
๐จ CVE-2024-56644
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: release expired exception dst cached in socket
Dst objects get leaked in ip6_negative_advice() when this function is
executed for an expired IPv6 route located in the exception table. There
are several conditions that must be fulfilled for the leak to occur:
* an ICMPv6 packet indicating a change of the MTU for the path is received,
resulting in an exception dst being created
* a TCP connection that uses the exception dst for routing packets must
start timing out so that TCP begins retransmissions
* after the exception dst expires, the FIB6 garbage collector must not run
before TCP executes ip6_negative_advice() for the expired exception dst
When TCP executes ip6_negative_advice() for an exception dst that has
expired and if no other socket holds a reference to the exception dst, the
refcount of the exception dst is 2, which corresponds to the increment
made by dst_init() and the increment made by the TCP socket for which the
connection is timing out. The refcount made by the socket is never
released. The refcount of the dst is decremented in sk_dst_reset() but
that decrement is counteracted by a dst_hold() intentionally placed just
before the sk_dst_reset() in ip6_negative_advice(). After
ip6_negative_advice() has finished, there is no other object tied to the
dst. The socket lost its reference stored in sk_dst_cache and the dst is
no longer in the exception table. The exception dst becomes a leaked
object.
As a result of this dst leak, an unbalanced refcount is reported for the
loopback device of a net namespace being destroyed under kernels that do
not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"):
unregister_netdevice: waiting for lo to become free. Usage count = 2
Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The
patch that introduced the dst_hold() in ip6_negative_advice() was
92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22
merely refactored the code with regards to the dst refcount so the issue
was present even before 92f1655aa2b22. The bug was introduced in
54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually
expired.") where the expired cached route is deleted and the sk_dst_cache
member of the socket is set to NULL by calling dst_negative_advice() but
the refcount belonging to the socket is left unbalanced.
The IPv4 version - ipv4_negative_advice() - is not affected by this bug.
When the TCP connection times out ipv4_negative_advice() merely resets the
sk_dst_cache of the socket while decrementing the refcount of the
exception dst.
๐@cveNotify
In the Linux kernel, the following vulnerability has been resolved:
net/ipv6: release expired exception dst cached in socket
Dst objects get leaked in ip6_negative_advice() when this function is
executed for an expired IPv6 route located in the exception table. There
are several conditions that must be fulfilled for the leak to occur:
* an ICMPv6 packet indicating a change of the MTU for the path is received,
resulting in an exception dst being created
* a TCP connection that uses the exception dst for routing packets must
start timing out so that TCP begins retransmissions
* after the exception dst expires, the FIB6 garbage collector must not run
before TCP executes ip6_negative_advice() for the expired exception dst
When TCP executes ip6_negative_advice() for an exception dst that has
expired and if no other socket holds a reference to the exception dst, the
refcount of the exception dst is 2, which corresponds to the increment
made by dst_init() and the increment made by the TCP socket for which the
connection is timing out. The refcount made by the socket is never
released. The refcount of the dst is decremented in sk_dst_reset() but
that decrement is counteracted by a dst_hold() intentionally placed just
before the sk_dst_reset() in ip6_negative_advice(). After
ip6_negative_advice() has finished, there is no other object tied to the
dst. The socket lost its reference stored in sk_dst_cache and the dst is
no longer in the exception table. The exception dst becomes a leaked
object.
As a result of this dst leak, an unbalanced refcount is reported for the
loopback device of a net namespace being destroyed under kernels that do
not contain e5f80fcf869a ("ipv6: give an IPv6 dev to blackhole_netdev"):
unregister_netdevice: waiting for lo to become free. Usage count = 2
Fix the dst leak by removing the dst_hold() in ip6_negative_advice(). The
patch that introduced the dst_hold() in ip6_negative_advice() was
92f1655aa2b22 ("net: fix __dst_negative_advice() race"). But 92f1655aa2b22
merely refactored the code with regards to the dst refcount so the issue
was present even before 92f1655aa2b22. The bug was introduced in
54c1a859efd9f ("ipv6: Don't drop cache route entry unless timer actually
expired.") where the expired cached route is deleted and the sk_dst_cache
member of the socket is set to NULL by calling dst_negative_advice() but
the refcount belonging to the socket is left unbalanced.
The IPv4 version - ipv4_negative_advice() - is not affected by this bug.
When the TCP connection times out ipv4_negative_advice() merely resets the
sk_dst_cache of the socket while decrementing the refcount of the
exception dst.
๐@cveNotify
๐จ CVE-2025-22921
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
๐@cveNotify
FFmpeg git-master,N-113007-g8d24a28d06 was discovered to contain a segmentation violation via the component /libavcodec/jpeg2000dec.c.
๐@cveNotify
๐จ CVE-2025-32154
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode allows PHP Local File Inclusion. This issue affects Catch Dark Mode: from n/a through 1.2.1.
๐@cveNotify
Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in Catch Themes Catch Dark Mode allows PHP Local File Inclusion. This issue affects Catch Dark Mode: from n/a through 1.2.1.
๐@cveNotify
Patchstack
Local File Inclusion in WordPress Catch Dark Mode Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2024-32531
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Everest themes GuCherry Blog allows Reflected XSS.This issue affects GuCherry Blog: from n/a through 1.1.8.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Everest themes GuCherry Blog allows Reflected XSS.This issue affects GuCherry Blog: from n/a through 1.1.8.
๐@cveNotify