๐จ CVE-2025-30413
Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186.
๐@cveNotify
Credentials are not deleted from Acronis Agent after plan revocation. The following products are affected: Acronis Cyber Protect Cloud Agent (Linux, macOS, Windows) before build 40497, Acronis Cyber Protect 17 (Linux, macOS, Windows) before build 41186.
๐@cveNotify
Acronis
Acronis Advisory Database - Acronis
Acronis Advisory Database. Find information about the latest security advisories and updates for Acronis products.
๐จ CVE-2026-22552
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
๐@cveNotify
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
๐@cveNotify
ePower
Electric Car Charger Support - ePower
Where can I charge my car? What does it cost to charge my electric car? What are the main incentives to buying an electric car?
๐จ CVE-2026-24912
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable
a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
๐@cveNotify
The WebSocket backend uses charging station identifiers to uniquely associate sessions but allows multiple endpoints to connect using the same session identifier. This implementation results in predictable session identifiers and enables session hijacking or shadowing, where the most recent connection displaces the legitimate charging station and receives backend commands intended for that station. This vulnerability may allow unauthorized users to authenticate as other users or enable
a malicious actor to cause a denial-of-service condition by overwhelming the backend with valid session requests.
๐@cveNotify
ePower
Electric Car Charger Support - ePower
Where can I charge my car? What does it cost to charge my electric car? What are the main incentives to buying an electric car?
๐จ CVE-2026-27770
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
๐@cveNotify
Charging station authentication identifiers are publicly accessible via web-based mapping platforms.
๐@cveNotify
ePower
Electric Car Charger Support - ePower
Where can I charge my car? What does it cost to charge my electric car? What are the main incentives to buying an electric car?
๐จ CVE-2026-27778
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
๐@cveNotify
The WebSocket Application Programming Interface lacks restrictions on the number of authentication requests. This absence of rate limiting may allow an attacker to conduct denial-of-service attacks by suppressing or mis-routing legitimate charger telemetry, or conduct brute-force attacks to gain unauthorized access.
๐@cveNotify
ePower
Electric Car Charger Support - ePower
Where can I charge my car? What does it cost to charge my electric car? What are the main incentives to buying an electric car?
๐จ CVE-2026-28709
Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
๐@cveNotify
Unauthorized resource manipulation due to improper authorization checks. The following products are affected: Acronis Cyber Protect 17 (Linux, Windows) before build 41186.
๐@cveNotify
Acronis
Acronis Advisory Database - Acronis
Acronis Advisory Database. Find information about the latest security advisories and updates for Acronis products.
๐จ CVE-2026-3610
A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue is some unknown functionality of the file /mailinspector/mliUserValidation.php of the component URL Handler. The manipulation of the argument error_description results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. Upgrading to version 5.4.0 can resolve this issue. You should upgrade the affected component. The vendor was contacted early and responded very professional: "We have already implemented the fix and made a hotfix available to affected customers, ensuring mitigation while the official release 5.4.0 has not yet been published. This allows customers to address the issue immediately, outside the regular release cycle."
๐@cveNotify
A vulnerability was found in HSC Cybersecurity Mailinspector up to 5.3.2-3. Affected by this issue is some unknown functionality of the file /mailinspector/mliUserValidation.php of the component URL Handler. The manipulation of the argument error_description results in cross site scripting. The attack may be performed from remote. The exploit has been made public and could be used. Upgrading to version 5.4.0 can resolve this issue. You should upgrade the affected component. The vendor was contacted early and responded very professional: "We have already implemented the fix and made a hotfix available to affected customers, ensuring mitigation while the official release 5.4.0 has not yet been published. This allows customers to address the issue immediately, outside the regular release cycle."
๐@cveNotify
๐จ CVE-2026-3612
A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
๐@cveNotify
A vulnerability was determined in Wavlink WL-NU516U1 V240425. This affects the function sub_405AF4 of the file /cgi-bin/adm.cgi of the component OTA Online Upgrade. This manipulation of the argument firmware_url causes command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.
๐@cveNotify
GitHub
WAVLINK-NU516-V240425/firmware_url.md at main ยท Wlz1112/WAVLINK-NU516-V240425
Contribute to Wlz1112/WAVLINK-NU516-V240425 development by creating an account on GitHub.
๐จ CVE-2025-54236
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe Commerce versions 2.4.9-alpha2, 2.4.8-p2, 2.4.7-p7, 2.4.6-p12, 2.4.5-p14, 2.4.4-p15 and earlier are affected by an Improper Input Validation vulnerability. A successful attacker can abuse this to achieve session takeover, increasing the confidentiality, and integrity impact to high. Exploitation of this issue does not require user interaction.
๐@cveNotify
Adobe
Adobe Security Bulletin
Security Updates Available for Adobe Commerce | APSB25-88
๐จ CVE-2026-3613
A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the function sub_401A0C of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
๐@cveNotify
A vulnerability was identified in Wavlink WL-NU516U1 V240425. This vulnerability affects the function sub_401A0C of the file /cgi-bin/login.cgi. Such manipulation of the argument ipaddr leads to stack-based buffer overflow. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure.
๐@cveNotify
GitHub
WAVLINK-NU516-V240425/ipaddr_Stack Buffer Overflow.md at main ยท Wlz1112/WAVLINK-NU516-V240425
Contribute to Wlz1112/WAVLINK-NU516-V240425 development by creating an account on GitHub.
๐จ CVE-2026-3616
A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The patch is named f0e991870e9d33701cca3a1d0fd4eec135af01a6. It is suggested to install a patch to address this issue.
๐@cveNotify
A vulnerability was detected in DefaultFuction Jeson Customer Relationship Management System 1.0.0. Impacted is an unknown function of the file /modules/customers/edit.php. Performing a manipulation of the argument ID results in sql injection. The attack may be initiated remotely. The exploit is now public and may be used. The patch is named f0e991870e9d33701cca3a1d0fd4eec135af01a6. It is suggested to install a patch to address this issue.
๐@cveNotify
GitHub
Add files via upload ยท DefaultFuction/Jeson-Customer-Relationship-Management-System@f0e9918
Contribute to DefaultFuction/Jeson-Customer-Relationship-Management-System development by creating an account on GitHub.
๐จ CVE-2025-48544
In multiple locations, there is a possible way to read files belonging to other apps due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
In multiple locations, there is a possible way to read files belonging to other apps due to SQL injection. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
๐จ CVE-2025-48631
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
In onHeaderDecoded of LocalImageResolver.java, there is a possible persistent denial of service due to resource exhaustion. This could lead to remote denial of service with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
๐จ CVE-2024-31328
In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
In broadcastIntentLockedTraced of BroadcastController.java, there is a possible way to launch arbitrary activities from the background on the paired companion phone due to a logic error in the code. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
๐จ CVE-2024-43766
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communication due to Invalid error handling. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
In multiple functions of btm_ble_sec.cc, there is a possible unencrypted communication due to Invalid error handling. This could lead to remote (proximal/adjacent) information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
๐จ CVE-2025-32313
In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
In UsageEvents of UsageEvents.java, there is a possible out of bounds write due to an incorrect bounds check. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is not needed for exploitation.
๐@cveNotify
๐จ CVE-2025-48567
In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
๐@cveNotify
In multiple locations, there is a possible bypass of a file path filter designed to prevent access to sensitive directories due to incorrect unicode normalization. This could lead to local escalation of privilege with no additional execution privileges needed. User interaction is needed for exploitation.
๐@cveNotify
๐จ CVE-2026-25877
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1.
๐@cveNotify
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, the application performs authorization checks based solely on the project_id parameter when handling chart-related operations (update, delete, etc.). No authorization check is performed against the chart_id itself. This allows an authenticated user who has access to any project to manipulate or access charts belonging to other users/ project. This issue has been patched in version 4.8.1.
๐@cveNotify
GitHub
Release v4.8.1 ยท chartbrew/chartbrew
WarningThis version fixes important security vulnerabilities! Please update to this version as soon as possible.
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
๐จ CVE-2026-25887
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
๐@cveNotify
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via the MongoDB dataset Query. This issue has been patched in version 4.8.1.
๐@cveNotify
GitHub
Release v4.8.1 ยท chartbrew/chartbrew
WarningThis version fixes important security vulnerabilities! Please update to this version as soon as possible.
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
๐จ CVE-2026-25888
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
๐@cveNotify
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.1, there is a remote code execution vulnerability via a vulnerable API. This issue has been patched in version 4.8.1.
๐@cveNotify
GitHub
Release v4.8.1 ยท chartbrew/chartbrew
WarningThis version fixes important security vulnerabilities! Please update to this version as soon as possible.
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
@ytlamal helped to identify and privately disclose security vulnerabilities in Chart...
๐จ CVE-2026-27005
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.
๐@cveNotify
Chartbrew is an open-source web application that can connect directly to databases and APIs and use the data to create charts. Prior to version 4.8.3, an unauthenticated attacker can inject arbitrary SQL into queries executed against databases connected to Chartbrew (MySQL, PostgreSQL). This allows reading, modifying, or deleting data in those databases depending on the database user's privileges. This issue has been patched in version 4.8.3.
๐@cveNotify
GitHub
Release v4.8.3 ยท chartbrew/chartbrew
Changelog
๐ Added extra sanitation for variables values (thanks @q1uf3ng for reporting!)
๐ Fixed issue with the Chart dataset configs failing to update because of permissions
๐ Added extra sanitation for variables values (thanks @q1uf3ng for reporting!)
๐ Fixed issue with the Chart dataset configs failing to update because of permissions