π¨ CVE-2026-3479
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
π@cveNotify
DISPUTED: The project has clarified that the documentation was incorrect, and that pkgutil.get_data() has the same security model as open(). The documentation has been updated to clarify this point. There is no vulnerability in the function if following the intended security model.
pkgutil.get_data() did not validate the resource argument as documented, allowing path traversals.
π@cveNotify
GitHub
[3.13] gh-146121: Clarify security model of pkgutil.getdata; revert c⦠· python/cpython@5af6ce3
β¦hecks (GH-148197) (#148205)
gh-146121: Clarify security model of pkgutil.getdata; revert checks (GH-148197)
This reverts commit bcdf231946b1da8bdfbab4c05539bb0cc964a1c7,
and clarifies get_data&a...
gh-146121: Clarify security model of pkgutil.getdata; revert checks (GH-148197)
This reverts commit bcdf231946b1da8bdfbab4c05539bb0cc964a1c7,
and clarifies get_data&a...
π¨ CVE-2026-4519
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
π@cveNotify
The webbrowser.open() API would accept leading dashes in the URL which
could be handled as command line options for certain web browsers. New
behavior rejects leading dashes. Users are recommended to sanitize URLs
prior to passing to webbrowser.open().
π@cveNotify
GitHub
gh-143930: Tweak the exception message and increase test coverage (GH⦠· python/cpython@3681d47
β¦-146476)
π¨ CVE-2026-4779
A security vulnerability has been detected in SourceCodester Sales and Inventory System 1.0. This issue affects some unknown processing of the file update_customer_details.php of the component HTTP GET Parameter Handler. Such manipulation of the argument sid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
π@cveNotify
A security vulnerability has been detected in SourceCodester Sales and Inventory System 1.0. This issue affects some unknown processing of the file update_customer_details.php of the component HTTP GET Parameter Handler. Such manipulation of the argument sid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
π@cveNotify
GitHub
Web-Security-PoCs/Inventory-System/SQLi-UpdateCustomerDetails-sid.md at main Β· meifukun/Web-Security-PoCs
Contribute to meifukun/Web-Security-PoCs development by creating an account on GitHub.
π¨ CVE-2026-4780
A vulnerability was detected in SourceCodester Sales and Inventory System 1.0. Impacted is an unknown function of the file update_out_standing.php of the component HTTP GET Parameter Handler. Performing a manipulation of the argument sid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
π@cveNotify
A vulnerability was detected in SourceCodester Sales and Inventory System 1.0. Impacted is an unknown function of the file update_out_standing.php of the component HTTP GET Parameter Handler. Performing a manipulation of the argument sid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
π@cveNotify
GitHub
Web-Security-PoCs/Inventory-System/SQLi-UpdateOutStanding-sid.md at main Β· meifukun/Web-Security-PoCs
Contribute to meifukun/Web-Security-PoCs development by creating an account on GitHub.
π¨ CVE-2026-4781
A flaw has been found in SourceCodester Sales and Inventory System 1.0. The affected element is an unknown function of the file update_purchase.php of the component HTTP GET Parameter Handler. Executing a manipulation of the argument sid can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
π@cveNotify
A flaw has been found in SourceCodester Sales and Inventory System 1.0. The affected element is an unknown function of the file update_purchase.php of the component HTTP GET Parameter Handler. Executing a manipulation of the argument sid can lead to sql injection. The attack may be performed from remote. The exploit has been published and may be used.
π@cveNotify
GitHub
Web-Security-PoCs/Inventory-System/SQLi-UpdatePurchase-sid.md at main Β· meifukun/Web-Security-PoCs
Contribute to meifukun/Web-Security-PoCs development by creating an account on GitHub.
π¨ CVE-2026-4826
A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
A vulnerability was determined in SourceCodester Sales and Inventory System 1.0. This vulnerability affects unknown code of the file /update_stock.php of the component HTTP GET Parameter Handler. This manipulation of the argument sid causes sql injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized.
π@cveNotify
GitHub
Web-Security-PoCs/Inventory-System/SQLi-UpdateStock-sid.md at main Β· meifukun/Web-Security-PoCs
Contribute to meifukun/Web-Security-PoCs development by creating an account on GitHub.
π¨ CVE-2026-33765
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
π@cveNotify
Pi-hole Admin Interface is a web interface for managing Pi-hole, a network-level ad and internet tracker blocking application. Versions prior to 6.0 have a critical OS Command Injection vulnerability in the savesettings.php file. The application takes the user-controlled $_POST['webtheme'] parameter and concatenates it directly into a system command executed via PHP's exec() function. Since the input is neither sanitized nor validated before being passed to the shell, an attacker can append arbitrary system commands to the intended pihole command. Furthermore, because the command is executed with sudo privileges, the injected commands will run with elevated (likely root) privileges. Version 6.0 patches the issue.
π@cveNotify
GitHub
[V5] Command Injection Vulnerability in Pi-hole Web Interface
Recently, our team found a Command Injection vulnerability in Pi-hole Web Interface (up to v5.21). The vulnerability logic is present in the file:
https://github.com/pi-hole/web/blob/v5.21/scri...
https://github.com/pi-hole/web/blob/v5.21/scri...
π¨ CVE-2026-30867
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
π@cveNotify
CocoaMQTT is a MQTT 5.0 client library for iOS and macOS written in Swift. Prior to version 2.2.2, a vulnerability exists in the packet parsing logic of CocoaMQTT that allows an attacker (or a compromised/malicious MQTT broker) to remotely crash the host iOS/macOS/tvOS application. If an attacker publishes the 4-byte malformed payload to a shared topic with the RETAIN flag set to true, the MQTT broker will persist the payload. Any time a vulnerable client connects and subscribes to that topic, the broker will automatically push the malformed packet. The app will instantly crash in the background before the user can even interact with it. This effectively "bricks" the mobile application (a persistent DoS) until the retained message is manually wiped from the broker database. This issue has been patched in version 2.2.2.
π@cveNotify
GitHub
Merge pull request #659 from emqx/fix/publish-protocol-error-handling Β· emqx/CocoaMQTT@010bca6
Fix malformed PUBLISH parsing and handle protocol errors safely
π¨ CVE-2026-35200
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
π@cveNotify
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 8.6.73 and 9.7.1-alpha.4, a file can be uploaded with a filename extension that passes the file extension allowlist (e.g., .txt) but with a Content-Type header that differs from the extension (e.g., text/html). The Content-Type is passed to the storage adapter without consistency validation. Storage adapters that store and serve the provided Content-Type (such as S3 or GCS) serve the file with the mismatched Content-Type. The default GridFS adapter is not affected because it derives Content-Type from the filename at serving time. This vulnerability is fixed in 8.6.73 and 9.7.1-alpha.4.
π@cveNotify
GitHub
fix: File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc) by mtrezza Β· Pull Request #10383 Β· parse-community/parseβ¦
Issue
File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)
Tasks
Add tests
Add changes
File upload Content-Type override via extension mismatch (GHSA-vr5f-2r24-w5hc)
Tasks
Add tests
Add changes
π¨ CVE-2026-4437
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
π@cveNotify
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C Library version 2.34 to version 2.43 could, with a crafted response from the configured DNS server, result in a violation of the DNS specification that causes the application to treat a non-answer section of the DNS response as a valid answer.
π@cveNotify
π¨ CVE-2026-4438
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
π@cveNotify
Calling gethostbyaddr or gethostbyaddr_r with a configured nsswitch.conf that specifies the library's DNS backend in the GNU C library version 2.34 to version 2.43 could result in an invalid DNS hostname being returned to the caller in violation of the DNS specification.
π@cveNotify
π¨ CVE-2026-33373
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
π@cveNotify
An issue was discovered in Zimbra Collaboration (ZCS) 10.0 and 10.1. A Cross-Site Request Forgery (CSRF) vulnerability exists in Zimbra Web Client due to the issuance of authentication tokens without CSRF protection during certain account state transitions. Specifically, tokens generated after operations such as enabling two-factor authentication or changing a password may lack CSRF enforcement. While such a token is active, authenticated SOAP requests that trigger token generation or state changes can be performed without CSRF validation. An attacker could exploit this by inducing a victim to submit crafted requests, potentially allowing sensitive account actions such as disabling two-factor authentication. The issue is mitigated by ensuring CSRF protection is consistently enforced for all issued authentication tokens.
π@cveNotify
π¨ CVE-2026-4046
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
π@cveNotify
The iconv() function in the GNU C Library versions 2.43 and earlier may crash due to an assertion failure when converting inputs from the IBM1390 or IBM1399 character sets, which may be used to remotely crash an application.
This vulnerability can be trivially mitigated by removing the IBM1390 and IBM1399 character sets from systems that do not need them.
π@cveNotify
π¨ CVE-2026-32925
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
π@cveNotify
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CV7BaseMap::WriteV7DataToRom. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
π@cveNotify
π¨ CVE-2026-32926
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6ComFile!load_link_inf. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
π¨ CVE-2026-32927
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6MemInIF!set_temp_type_default. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read vulnerability in VS6MemInIF!set_temp_type_default. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
π¨ CVE-2026-32928
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
π@cveNotify
V-SFT versions 6.2.10.0 and prior contain a stack-based buffer overflow in VS6ComFile!CSaveData::_conv_AnimationItem. Opening a crafted V7 file may lead to arbitrary code execution on the affected product.
π@cveNotify
π¨ CVE-2026-32929
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!get_macro_mem_COM. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
V-SFT versions 6.2.10.0 and prior contain an out-of-bounds read in VS6ComFile!get_macro_mem_COM. Opening a crafted V7 file may lead to information disclosure from the affected product.
π@cveNotify
π¨ CVE-2026-31931
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
π@cveNotify
Suricata is a network IDS, IPS and NSM engine. From version 8.0.0 to before version 8.0.4, use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference. This issue has been patched in version 8.0.4.
π@cveNotify
GitHub
tls: null dereference in tls.alpn rule keyword
### Impact
Use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference.
### Patches
Upgrade to Suricata 8.0.4.
### Workarounds
Disable rules usin...
Use of the "tls.alpn" rule keyword can cause Suricata to crash with a NULL dereference.
### Patches
Upgrade to Suricata 8.0.4.
### Workarounds
Disable rules usin...
π¨ CVE-2026-31932
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
π@cveNotify
Suricata is a network IDS, IPS and NSM engine. Prior to versions 7.0.15 and 8.0.4, inefficiency in KRB5 buffering can lead to performance degradation. This issue has been patched in versions 7.0.15 and 8.0.4.
π@cveNotify
GitHub
krb5: quadratic complexity in krb5 buffering
### Impact
Inefficiency in KRB5 buffering can lead to performance degradation.
### Patches
Upgrade to 8.0.4 or 7.0.15.
### Workarounds
Disable the "krb5" parser.
### Ref...
Inefficiency in KRB5 buffering can lead to performance degradation.
### Patches
Upgrade to 8.0.4 or 7.0.15.
### Workarounds
Disable the "krb5" parser.
### Ref...
π¨ CVE-2026-5271
pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)
from an attacker-controlled directory, a malicious module in that
directory can be imported and executed instead of the intended package.
π@cveNotify
pymanager included the current working directory in sys.path meaning modules could be shadowed by modules in the current working directory. As a result, if a user executes a pymanager-generated command (e.g., pip, pytest)
from an attacker-controlled directory, a malicious module in that
directory can be imported and executed instead of the intended package.
π@cveNotify
GitHub
CWD-Based Module Hijacking via sys.path Manipulation in pymanager Alias Wrapper
## Summary
The alias wrapper generated by `pymanager` modifies `sys.path[0]` to an empty string (`""`).
In Python, this causes the interpreter to prioritize the current working dire...
The alias wrapper generated by `pymanager` modifies `sys.path[0]` to an empty string (`""`).
In Python, this causes the interpreter to prioritize the current working dire...