🚨 CVE-2026-25609
Incorrect validation of the profile command may result in the determination that a request altering the 'filter' is read-only.
🎖@cveNotify
🚨 CVE-2026-25610
An authorized user may trigger a server crash by running a $geoNear pipeline with certain invalid index hints.
🎖@cveNotify
🚨 CVE-2026-25613
An authorized user may disable the MongoDB server by issuing a query against a collection that contains an invalid compound wildcard index.
🎖@cveNotify
🚨 CVE-2026-26218
newbee-mall includes pre-seeded administrator accounts in its database initialization script. These accounts are provisioned with a predictable default password. Deployments that initialize or reset the database using the provided schema and fail to change the default administrative credentials may allow unauthenticated attackers to log in as an administrator and gain full administrative control of the application.
🎖@cveNotify
GitHub
Default admin credentials + weak MD5 password hashing enable full admin compromise and credential cracking · Issue #119 · newbee…
Security Issue: Default admin credentials + weak MD5 password hashing enable full admin compromise and credential cracking Summary The project contains seeded admin accounts with a known default pa...
🚨 CVE-2026-26219
newbee-mall stores and verifies user passwords using an unsalted MD5 hashing algorithm. The implementation does not incorporate per-user salts or computational cost controls, enabling attackers who obtain password hashes through database exposure, backup leakage, or other compromise vectors to rapidly recover plaintext credentials via offline attacks.
🎖@cveNotify
GitHub
Default admin credentials + weak MD5 password hashing enable full admin compromise and credential cracking · Issue #119 · newbee…
Security Issue: Default admin credentials + weak MD5 password hashing enable full admin compromise and credential cracking Summary The project contains seeded admin accounts with a known default pa...
🚨 CVE-2025-69248
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of free5GC's AMF service have a Buffer Overflow vulnerability leading to Denial of Service. Remote unauthenticated attackers can crash the AMF service by sending a specially crafted NAS Registration Request with a malformed 5GS Mobile Identity, causing complete denial of service for the 5G core network. All deployments of free5GC using the AMF component may be affected. Pull request 43 of the free5gc/nas repo contains a fix. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] Array Index Out of Bounds Vulnerability in AMF MobileIdentity5GS Processing Causes AMF Crash · Issue #747 · free5gc/free5gc
Bug Description An array index out of bounds vulnerability exists in the Free5GC AMF component when processing malformed 5GS Mobile Identity in NAS Registration Request messages. The vulnerability a...
🚨 CVE-2025-69250
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, the service reliably leaks detailed internal error messages (e.g., strconv.ParseInt parsing errors) to remote clients when processing invalid pduSessionId inputs. This exposes implementation details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UECM DELETE service may be vulnerable. free5gc/udm pull request 76 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] UDM incorrectly returns 500 for invalid (non-numeric or out-of-range) pduSessionId in Nudm_UECM DELETE request · Issue #750…
Bug Description The UDM component lacks comprehensive input validation on the pduSessionId path parameter and query parameters in multiple Nudm_UECM DELETE endpoints. This allows invalid inputs to t...
🚨 CVE-2025-69251
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the ueId parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system implementation details and can aid in service fingerprinting. All deployments of free5GC using the UDM Nudm_UECM service may be affected. free5gc/udm pull request 76 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] UDM incorrectly returns 500 for invalid UE ID containing control characters (%00) in Nudm_UECM GET request (net/url invalid…
Bug Description The UDM component lacks comprehensive input validation/sanitization on the ueId path parameter in Nudm_UECM endpoints. When the ueId contains control characters (e.g., URL-encoded NU...
🚨 CVE-2025-69252
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 have a NULL Pointer Dereference vulnerability. Remote unauthenticated attackers can trigger a service panic (Denial of Service) by sending a crafted PUT request with an unexpected ueId, crashing the UDM service. All deployments of free5GC using the UDM component may be affected. free5gc/udm pull request 76 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] UDM panics (nil pointer dereference) and returns 500 when handling Nudm_UECM PUT RegistrationAmf3gppAccess with unmatched…
Bug Description The UDM UECM service crashes during RegistrationAmf3gppAccess processing when the ueId path parameter is an unexpected/unmatched value (e.g., ZZZ_NOT_MATCH). The request triggers a d...
🚨 CVE-2025-69253
free5GC is an open-source project for 5th generation (5G) mobile core networks. Versions up to and including 1.4.1 of the User Data Repository are affected by Improper Error Handling with Information Exposure. The NEF component reliably leaks internal parsing error details (e.g., invalid character 'n' after top-level value) to remote clients, which can aid attackers in service fingerprinting. All deployments of free5GC using the Nnef_PfdManagement service may be vulnerable. free5gc/udr pull request 56 contains a patch. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] NEF incorrectly returns 500 for missing PFD data (UDR 404) in Nnef_PfdManagement GET request (JSON parse error: invalid…
Bug Description A GET request to the Nnef_PfdManagement API for an individual application PFD returns 500 Internal Server Error when the requested appId does not exist in UDR (UDR returns 404). Inst...
🚨 CVE-2026-26024
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
🎖@cveNotify
GitHub
[Bugs]SMF crashes on PFCP SessionReportRequest with ReportType.USAR=1 and UsageReport missing URRID · Issue #807 · free5gc/free5gc
Bug Description The free5gc SMF PFCP report handling path can be crashed remotely by a malformed PFCP SessionReportRequest from a UPF (or attacker spoofing a UPF). When the report sets ReportType.US...
🚨 CVE-2026-26025
free5GC SMF provides Session Management Function for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, SMF panics and terminates when processing a malformed PFCP SessionReportRequest on the PFCP (UDP/8805) interface. No known upstream fix is available, but some workarounds are available. ACL/firewall the PFCP interface so only trusted UPF IPs can reach SMF (reduce spoofing/abuse surface); drop/inspect malformed PFCP SessionReportRequest messages at the network edge where feasible, and/or add recover() around PFCP handler dispatch to avoid whole-process termination (mitigation only).
🎖@cveNotify
GitHub
[Bugs]SMF crashes on PFCP SessionReportRequest with ReportType.USAR=1 and UsageReport missing URRID · Issue #807 · free5gc/free5gc
Bug Description The free5gc SMF PFCP report handling path can be crashed remotely by a malformed PFCP SessionReportRequest from a UPF (or attacker spoofing a UPF). When the report sets ReportType.US...
🚨 CVE-2026-27642
free5gc UDM provides Unified Data Management (UDM) for free5GC, an open-source project for 5th generation (5G) mobile core networks. In versions up to and including 1.4.1, remote attackers can inject control characters (e.g., %00) into the supi parameter, triggering internal URL parsing errors (net/url: invalid control character). This exposes system-level error details and can be used for service fingerprinting. All deployments of free5GC using the UDM Nudm_UEAU service may be affected. free5gc/udm pull request 75 contains a fix for the issue. No direct workaround is available at the application level. Applying the official patch is recommended.
🎖@cveNotify
GitHub
[Bugs] UDM incorrectly returns 500 for invalid parameters in Nudm_UEAU POST request · Issue #749 · free5gc/free5gc
Bug Description A POST request to the Nudm_UEAU API with an invalid control character in URL causes a 500 Internal Server Error. This occurs because some parameters’ values are invalid, but the impl...
🚨 CVE-2024-47183
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. If the Parse Server option allowCustomObjectId: true is set, an attacker that is allowed to create a new user can set a custom object ID for that new user that exploits the vulnerability and acquires privileges of a specific role. This vulnerability is fixed in 6.5.9 and 7.3.0.
🎖@cveNotify
GitHub
fix: Custom object ID allows to acquire role privileges ([GHSA-8xq9-g… · parse-community/parse-server@13ee52f
…7ch-35hg](https://github.com/parse-community/parse-server/security/advisories/GHSA-8xq9-g7ch-35hg)) (#9317)
🚨 CVE-2026-24688
pypdf is a free and open-source pure-python PDF library. An attacker who uses an infinite loop vulnerability that is present in versions prior to 6.6.2 can craft a PDF which leads to an infinite loop. This requires accessing the outlines/bookmarks. This has been fixed in pypdf 6.6.2. If projects cannot upgrade yet, consider applying the changes from PR #3610 manually.
🎖@cveNotify
GitHub
SEC: Detect cyclic references when retrieving outlines (#3610) · py-pdf/pypdf@b1282f8
A pure-python PDF library capable of splitting, merging, cropping, and transforming the pages of PDF files - SEC: Detect cyclic references when retrieving outlines (#3610) · py-pdf/pypdf@b1282f8
🚨 CVE-2026-25506
MUNGE is an authentication service for creating and validating user credentials. From 0.5 to 0.5.17, a local attacker can exploit a buffer overflow vulnerability in munged (the MUNGE authentication daemon) to leak cryptographic key material from process memory. With the leaked key material, the attacker could forge arbitrary MUNGE credentials to impersonate any user (including root) to services that rely on MUNGE for authentication. The vulnerability allows a buffer overflow by sending a crafted message with an oversized address length field, corrupting munged's internal state and enabling extraction of the MAC subkey used for credential verification. This vulnerability is fixed in 0.5.18.
🎖@cveNotify
GitHub
Fix buffer overflow when unpacking message address length · dun/munge@bf40cc2
Add validation that addr_len does not exceed the size of the addr
field before copying IP address data in _msg_unpack().
The m_msg structure contains a 4-byte struct in_addr for the IP
address. W...
🚨 CVE-2026-26014
Pion DTLS is a Go implementation of Datagram Transport Layer Security. Pion DTLS versions v1.0.0 through v3.0.10 and 3.1.0 use random nonce generation with AES GCM ciphers, which makes it easier for remote attackers to obtain the authentication key and spoof data by leveraging the reuse of a nonce in a session and a "forbidden attack". Upgrade to v3.0.11, v3.1.1, or later.
🎖@cveNotify
GitHub
Use sequence number for nonce in GCM ciphers (#796) · pion/dtls@61762de
DTLS 1.2 implementation for Go (DTLS 1.3 in progress) - Use sequence number for nonce in GCM ciphers (#796) · pion/dtls@61762de
🚨 CVE-2026-2954
A vulnerability was found in Dromara UJCMS 10.0.2. Impacted is the function importChanel of the file /api/backend/ext/import-data/import-channel of the component ImportDataController. Performing a manipulation of the argument driverClassName/url results in injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
🚨 CVE-2026-2956
A security flaw has been discovered in qinming99 dst-admin up to 1.5.0. This affects the function revertBackup of the file /home/restore. The manipulation of the argument Name results in command injection. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
fx4tqqfvdw4.feishu.cn
Docs
🚨 CVE-2026-2957
A weakness has been identified in qinming99 dst-admin up to 1.5.0. This impacts the function deleteBackup of the file src/main/java/com/tugos/dst/admin/controller/BackupController.java of the component File Handler. This manipulation causes denial of service. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
fx4tqqfvdw4.feishu.cn
Docs
🚨 CVE-2026-2970
A vulnerability has been found in datapizza-labs datapizza-ai 0.0.2. Affected by this vulnerability is the function RedisCache of the file datapizza-ai-cache/redis/datapizza/cache/redis/cache.py. Such manipulation leads to deserialization. The attack requires being on the local network. A high complexity level is associated with this attack. The exploitation appears to be difficult. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
🎖@cveNotify
GitHub
datapizza-ai-disclosure/unsafe-deserialization.md at main · hacktivesec/datapizza-ai-disclosure