🚨 CVE-2026-7073
A flaw has been found in itsourcecode Construction Management System 1.0. This affects an unknown part of the file /execute.php. This manipulation of the argument code causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
🎖@cveNotify
A flaw has been found in itsourcecode Construction Management System 1.0. This affects an unknown part of the file /execute.php. This manipulation of the argument code causes sql injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.
🎖@cveNotify
GitHub
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability · Issue #2 · Beatriz-ai-boop/cve
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Construction Management System Vendor Homepage https://itsourcecode.com/free-projects/php-pr...
🚨 CVE-2026-7074
A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of the argument code leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
A vulnerability has been found in itsourcecode Construction Management System 1.0. This vulnerability affects unknown code of the file /execute1.php. Such manipulation of the argument code leads to sql injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.
🎖@cveNotify
GitHub
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability · Issue #3 · Beatriz-ai-boop/cve
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Construction Management System Vendor Homepage https://itsourcecode.com/free-projects/php-pr...
🚨 CVE-2026-7075
A vulnerability was found in itsourcecode Construction Management System 1.0. This issue affects some unknown processing of the file /locations.php. Performing a manipulation of the argument address results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
🎖@cveNotify
A vulnerability was found in itsourcecode Construction Management System 1.0. This issue affects some unknown processing of the file /locations.php. Performing a manipulation of the argument address results in sql injection. It is possible to initiate the attack remotely. The exploit has been made public and could be used.
🎖@cveNotify
GitHub
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability · Issue #4 · Beatriz-ai-boop/cve
itsourcecode Construction Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Construction Management System Vendor Homepage https://itsourcecode.com/free-projects/php-pr...
🚨 CVE-2026-7076
A vulnerability was determined in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
🎖@cveNotify
A vulnerability was determined in itsourcecode Courier Management System 1.0. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of the argument ID can lead to sql injection. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized.
🎖@cveNotify
GitHub
itsourcecode Courier Management System V1.0 SQL Injection Vulnerability · Issue #5 · Beatriz-ai-boop/cve
itsourcecode Courier Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Courier Management System Vendor Homepage https://itsourcecode.com/free-projects/php-project/cour...
🚨 CVE-2026-5201
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
🎖@cveNotify
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user interaction, for example, via thumbnail generation. Successful exploitation leads to application crashes and denial of service (DoS) conditions.
🎖@cveNotify
🚨 CVE-2026-3006
Successful exploitation of the race condition vulnerability could allow
an attacker to trigger a kernel heap overflow, potentially leading to local privilege
escalation and granting system-level access to the affected software.
🎖@cveNotify
Successful exploitation of the race condition vulnerability could allow
an attacker to trigger a kernel heap overflow, potentially leading to local privilege
escalation and granting system-level access to the affected software.
🎖@cveNotify
GitHub
Release WinFsp 2026 Beta1 · winfsp/winfsp
CHANGES SINCE WINFSP 2025
[FIX] Fixes vulnerability CVE-2026-3006 discovered by Tay Kiat Loong. PLEASE UPGRADE!
[FIX] The WinFsp Network Provider provides improved shell support for network fil...
[FIX] Fixes vulnerability CVE-2026-3006 discovered by Tay Kiat Loong. PLEASE UPGRADE!
[FIX] The WinFsp Network Provider provides improved shell support for network fil...
🚨 CVE-2026-7077
A vulnerability was identified in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
🎖@cveNotify
A vulnerability was identified in itsourcecode Courier Management System 1.0. The affected element is an unknown function of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.
🎖@cveNotify
GitHub
itsourcecode Courier Management System V1.0 SQL Injection Vulnerability · Issue #6 · Beatriz-ai-boop/cve
itsourcecode Courier Management System V1.0 SQL Injection Vulnerability NAME OF AFFECTED PRODUCT(S) Courier Management System Vendor Homepage https://itsourcecode.com/free-projects/php-project/cour...
🚨 CVE-2026-7078
A security flaw has been discovered in Tenda F456 1.0.0.5. The impacted element is the function fromSetIpBind of the file /goform/SetIpBind of the component httpd. The manipulation of the argument page results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
🎖@cveNotify
A security flaw has been discovered in Tenda F456 1.0.0.5. The impacted element is the function fromSetIpBind of the file /goform/SetIpBind of the component httpd. The manipulation of the argument page results in buffer overflow. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.
🎖@cveNotify
GitHub
vuldb_new/F456/vul_129/README.md at main · Litengzheng/vuldb_new
CVE. Contribute to Litengzheng/vuldb_new development by creating an account on GitHub.
🚨 CVE-2026-7079
A weakness has been identified in Tenda F456 1.0.0.5. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component httpd. This manipulation of the argument wanmode causes buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
🎖@cveNotify
A weakness has been identified in Tenda F456 1.0.0.5. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component httpd. This manipulation of the argument wanmode causes buffer overflow. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks.
🎖@cveNotify
GitHub
vuldb_new/F456/vul_130/README.md at main · Litengzheng/vuldb_new
CVE. Contribute to Litengzheng/vuldb_new development by creating an account on GitHub.
🚨 CVE-2026-7080
A security vulnerability has been detected in Tenda F456 1.0.0.5. This impacts the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. Such manipulation of the argument delno leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in Tenda F456 1.0.0.5. This impacts the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. Such manipulation of the argument delno leads to buffer overflow. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
GitHub
vuldb_new/F456/vul_132/README.md at main · Litengzheng/vuldb_new
CVE. Contribute to Litengzheng/vuldb_new development by creating an account on GitHub.
🚨 CVE-2026-3867
An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.
🎖@cveNotify
An improper ownership management vulnerability has been identified in Moxa’s Secure Router. Because of improper ownership management, a low-privileged authenticated user may access a configuration file containing the hashed password of the administrative account. Successful exploitation of this vulnerability could allow an attacker to obtain sensitive information. Exploitation is only possible under a specific condition — when the configuration file has been exported. This vulnerability does not impact the integrity or availability of the affected product, and no confidentiality, integrity, or availability impact to the subsequent system has been identified.
🎖@cveNotify
Moxa
CVE-2026-3867, CVE-2026-3868: Improper Ownership Management and Improper Handling of Length Parameter Inconsistency Vulnerabilities…
🚨 CVE-2026-3868
An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa’s Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified.
🎖@cveNotify
An improper handling of the length parameter inconsistency vulnerability has been identified in Moxa’s Secure Router. Because of improper validation of length parameters in the HTTPS management interface, an unauthenticated remote attacker could send specially crafted requests that trigger a buffer overflow condition, causing the web service to become unresponsive. Successful exploitation may result in a denial-of-service condition requiring a device reboot to restore normal operation. While successful exploitation can severely impact the availability of the affected device, no impact to the confidentiality or integrity of the affected product has been identified. Additionally, no confidentiality, integrity, or availability impact to the subsequent system has been identified.
🎖@cveNotify
Moxa
CVE-2026-3867, CVE-2026-3868: Improper Ownership Management and Improper Handling of Length Parameter Inconsistency Vulnerabilities…
🚨 CVE-2026-7081
A vulnerability was detected in Tenda F456 1.0.0.5. Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used.
🎖@cveNotify
A vulnerability was detected in Tenda F456 1.0.0.5. Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. Remote exploitation of the attack is possible. The exploit is now public and may be used.
🎖@cveNotify
GitHub
vuldb_new/F456/vul_133/README.md at main · Litengzheng/vuldb_new
CVE. Contribute to Litengzheng/vuldb_new development by creating an account on GitHub.
🚨 CVE-2026-7082
A flaw has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
🎖@cveNotify
A flaw has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
🎖@cveNotify
GitHub
vuldb_new/F456/vul_134/README.md at main · Litengzheng/vuldb_new
CVE. Contribute to Litengzheng/vuldb_new development by creating an account on GitHub.
🚨 CVE-2026-7083
A vulnerability has been found in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php of the component dataTable Admin API. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
A vulnerability has been found in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php of the component dataTable Admin API. The manipulation leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.
🎖@cveNotify
GitHub
GitHub - likeadmin-likeshop/likeadmin_php: 🌟🌟🌟likeadmin通用管理后台是快速开发前后端的解决方案,使用目前最流行的技术PHP8、TypeScript、ThinkPHP6、Vue3、vite2、Element…
🌟🌟🌟likeadmin通用管理后台是快速开发前后端的解决方案,使用目前最流行的技术PHP8、TypeScript、ThinkPHP6、Vue3、vite2、Element Plus1.2(ElementUI)。 PHP管理后台、ThtinkPHP管理后台、前后端分离管理后台、Vue3管理后台、Vue.js管理后台、Element Plus管理后台、Element UI管理后台、简单管理后台...
🚨 CVE-2026-7084
A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."
🎖@cveNotify
A vulnerability was found in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."
🎖@cveNotify
GitHub
GitHub - HBAI-Ltd/Toonflow-app: Toonflow 是一款 AI 短剧漫剧工具,能够利用 AI 技术将小说自动转化为剧本,并结合 AI 生成的图片和视频,实现高效的短剧创作。借助 Toonflow,可以轻松完成从文字到影像…
Toonflow 是一款 AI 短剧漫剧工具,能够利用 AI 技术将小说自动转化为剧本,并结合 AI 生成的图片和视频,实现高效的短剧创作。借助 Toonflow,可以轻松完成从文字到影像的全流程,让短剧制作变得更加智能与便捷。 - HBAI-Ltd/Toonflow-app
👍1
🚨 CVE-2026-7086
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
🎖@cveNotify
A vulnerability was identified in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. It is possible to launch the attack remotely. The exploit is publicly available and might be used. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."
🎖@cveNotify
GitHub
GitHub - HBAI-Ltd/Toonflow-app: Toonflow 是一款 AI 短剧漫剧工具,能够利用 AI 技术将小说自动转化为剧本,并结合 AI 生成的图片和视频,实现高效的短剧创作。借助 Toonflow,可以轻松完成从文字到影像…
Toonflow 是一款 AI 短剧漫剧工具,能够利用 AI 技术将小说自动转化为剧本,并结合 AI 生成的图片和视频,实现高效的短剧创作。借助 Toonflow,可以轻松完成从文字到影像的全流程,让短剧制作变得更加智能与便捷。 - HBAI-Ltd/Toonflow-app
🚨 CVE-2026-7087
A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_sales. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
🎖@cveNotify
A security flaw has been discovered in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_sales. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
🎖@cveNotify
GitHub
sourcecodester Pharmacy Sales and Inventory System Project V1.0 /ajax.php?action=save_sales SQL injection · Issue #2 · nidieaaa/test
sourcecodester Pharmacy Sales and Inventory System Project V1.0 /ajax.php?action=save_sales SQL injection NAME OF AFFECTED PRODUCT(S) Pharmacy Sales and Inventory System Vendor Homepage https://www...
🚨 CVE-2026-7088
A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=save_receiving. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
🎖@cveNotify
A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=save_receiving. Executing a manipulation of the argument ID can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.
🎖@cveNotify
GitHub
sourcecodester Pharmacy Sales and Inventory System Project V1.0 /ajax.php?action=save_receiving SQL injection · Issue #3 · nidieaaa/test
sourcecodester Pharmacy Sales and Inventory System Project V1.0 /ajax.php?action=save_receiving SQL injection NAME OF AFFECTED PRODUCT(S) Pharmacy Sales and Inventory System Vendor Homepage https:/...
🚨 CVE-2026-7089
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
A security vulnerability has been detected in code-projects Home Service System 1.0. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.
🎖@cveNotify
🚨 CVE-2026-7090
A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
🎖@cveNotify
A vulnerability was detected in code-projects Chat System 1.0. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
🎖@cveNotify