🚨 CVE-2026-20182
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
🎖@cveNotify
May 2026: This security advisory provides the details and fix information for a vulnerability that was discovered and fixed after the was disclosed in February 2026. This new advisory is for a new vulnerability in the control connection handshaking. The section of this advisory includes Show Control Connections guidance to help with system checks.
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated, remote attacker to bypass authentication and obtain administrative privileges on an affected system.
This vulnerability exists because the peering authentication mechanism in an affected system is not working properly. An attacker could exploit this vulnerability by sending crafted requests to the affected system. A successful exploit could allow the attacker to log in to an affected Cisco Catalyst SD-WAN Controller as an internal, high-privileged, non-root user account. Using this account, the attacker could access NETCONF, which would then allow the attacker to manipulate network configuration for the SD-WAN fabric.
🎖@cveNotify
Cisco
Cisco Security Advisory: Cisco Catalyst SD-WAN Controller Authentication Bypass Vulnerability
A vulnerability in the peering authentication in Cisco Catalyst SD-WAN Controller, formerly SD-WAN vSmart, Cisco Catalyst SD-WAN Manager, formerly SD-WAN vManage, and Cisco Catalyst SD-WAN Validator, formerly SD-WAN vBond, could allow an unauthenticated,…
🚨 CVE-2026-45602
No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.
🎖@cveNotify
No cwe for this issue in Windows DHCP Server allows an unauthorized attacker to perform tampering over a network.
🎖@cveNotify
🚨 CVE-2026-6893
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
🎖@cveNotify
A flaw was found in dracut. A remote attacker on the adjacent network can exploit this vulnerability by providing specially crafted DHCP (Dynamic Host Configuration Protocol) options, such as a malicious hostname, to a system using dracut's legacy DHCP path. These options are improperly handled and written into temporary shell scripts without proper escaping, leading to command injection. This allows the attacker to achieve root code execution within the initramfs, potentially compromising the system's boot and network behavior.
🎖@cveNotify
🚨 CVE-2026-44173
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
🎖@cveNotify
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.26, 10.11.1 to before 10.11.17, 11.4.1 to before 11.4.11, 11.8.1 to before 11.8.7, and 12.3.1, MariaDB allowed SELECT ... INTO OUTFILE and SELECT ... INTO DUMPFILE without verifying the FILE privilege if the FROM clause contained only subqueries. This issue has been patched in versions 10.6.26, 10.11.17, 11.4.11, 11.8.7, and 12.3.2.
🎖@cveNotify
GitHub
FILE privilege was not checked for subqueries in the FROM clause
### Impact
MariaDB allowed `SELECT ... INTO OUTFILE` and `SELECT ... INTO DUMPFILE` without verifying the `FILE` privilege if the `FROM` clause contained only subqueries.
### Patches
Fixed in ...
MariaDB allowed `SELECT ... INTO OUTFILE` and `SELECT ... INTO DUMPFILE` without verifying the `FILE` privilege if the `FROM` clause contained only subqueries.
### Patches
Fixed in ...
🚨 CVE-2026-48163
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
🎖@cveNotify
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, during the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to execute arbitrary shell commands on the donor side via the rsync SST method. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
🎖@cveNotify
GitHub
wsrep SST unsafe parameter handling on the donor side (rsync)
### Impact
During the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to ...
During the SST the donor node is interpolating parameters that the joiner sent into the command line. Not all parameters were properly validated which could allow a malicious joiner to ...
🚨 CVE-2026-48165
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
🎖@cveNotify
MariaDB server is a community developed fork of MySQL server. From versions 10.6.1 to before 10.6.27, 10.11.1 to before 10.11.18, 11.4.1 to before 11.4.12, 11.8.1 to before 11.8.8, and 12.3.1, a high-privileged MariaDB user could've used wsrep_sst_receive_address or wsrep_sst_donor global system variables to execute shell commands as the uid of the mariadbd process on the galera joiner node. This issue has been patched in versions 10.6.27, 10.11.18, 11.4.12, 11.8.8, and 12.3.2.
🎖@cveNotify
GitHub
unsafe usage of `wsrep_sst_receive_address` values on the joiner side
### Impact
A high-privileged MariaDB user could've used `wsrep_sst_receive_address` or `wsrep_sst_donor` global system variables to execute shell commands as the uid of the mariadbd process on...
A high-privileged MariaDB user could've used `wsrep_sst_receive_address` or `wsrep_sst_donor` global system variables to execute shell commands as the uid of the mariadbd process on...
🚨 CVE-2026-53408
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
🎖@cveNotify
Improper Authorization in Handler for Custom URL Scheme in Zoom Workplace before version 7.0.4 for Android and before 7.0.3 for iOS may allow an unauthenticated user to conduct an escalation of privilege via network access.
🎖@cveNotify
Zoom
ZSB-26010
🚨 CVE-2026-36521
PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.
🎖@cveNotify
PublicCMS V5.202506.d has a Cross Site Scripting (XSS) vulnerability in the site configuration management module.
🎖@cveNotify
Gist
Reference for CVE-2026-36521
Reference for CVE-2026-36521. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2026-37216
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
🎖@cveNotify
Ruoyi 4.8.2 is vulnerable to Cross Site Scripting (XSS) at the interface /system/notice/add.
🎖@cveNotify
GitHub
通知公告模块存储型XSS漏洞 · Issue #320 · yangzongzhuan/RuoYi
漏洞背景 通知公告模块(/system/notice/*)在 application.yml 中被排除在XSS过滤器之外(第144行): xss: enabled: true excludes: /system/notice/* 排除XSS过滤是为了支持Summernote富文本编辑器提交HTML内容。但服务端未对提交的HTML进行安全消毒处理(如JSoup Cleaner),且前端使用th...
🚨 CVE-2026-38060
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_unlock_sim via the pin parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_unlock_sim at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-38061
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_volume via the volume parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_set_volume at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-38062
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_set_rat_mode via the ratMode parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_set_rat_mode at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-38063
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_radio_on_with_ia_apn via the ia parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_radio_on_with_ia_apn at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-38064
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_dial_call via the dialNumber parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_dial_call at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-38065
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.
🎖@cveNotify
Tenda 5G03 V05.03.02.04 (Version 1.0) is vulnerable to Command injection in the function action_ims_on_with_apn via the ims_apn parameter.
🎖@cveNotify
GitHub
IOT-vul/Tenda/5G03/action_ims_on_with_apn at main · sezangel/IOT-vul
Contribute to sezangel/IOT-vul development by creating an account on GitHub.
🚨 CVE-2026-39118
An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality.
🎖@cveNotify
An issue in Iru, Inc Kandji Agent before v.4.7.5(5374) allows a local attacker to escalate privileges via a client validation gap to invoke restricted agent functionality.
🎖@cveNotify
Iru
Kandji Agent Release 4.7.5 (5374)
This release includes miscellaneous bug fixes and performance improvements.
🚨 CVE-2026-39197
An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.
🎖@cveNotify
An issue in the /util/http/prelude.rs endpoint of Datadog, Inc Vector v0.54.0 allows attackers to cause a Denial of Service (DoS) via a crafted request or payload.
🎖@cveNotify
Gist
Reference for CVE-2026-39197
Reference for CVE-2026-39197. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2026-50874
An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.
🎖@cveNotify
An OS command injection vulnerability in the /manage/features/media component of kanishka-linux Reminiscence v0.3.0 allows attackers to execute arbitrary commands via supplying a crafted input.
🎖@cveNotify
Gist
Reference for CVE-2026-50874
Reference for CVE-2026-50874. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2026-50875
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.
🎖@cveNotify
Incorrect access control in the /{form}/webhooks/{webhook} endpoint of Deck9 Input v2.0.1 allows authenticated attackers to arbitrarily modify or delete another tenant's webhook via a crafted request.
🎖@cveNotify
Gist
Reference for CVE-2026-50875
Reference for CVE-2026-50875. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2026-50881
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.
🎖@cveNotify
Incorrect access control in the impworks Bonsai v6.0 allows authenticated attackers with Editor privileges to escalate privileges to Administrator and execute unauthorized account, password, and configuration changes.
🎖@cveNotify
Gist
Reference for CVE-2026-50881
Reference for CVE-2026-50881. GitHub Gist: instantly share code, notes, and snippets.
🚨 CVE-2026-50891
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
🎖@cveNotify
Incorrect access control in the /admin/api/config component of Filestash v0.4.0 allows attackers to escalate privileges via sending a crafted request.
🎖@cveNotify
Gist
Reference for CVE-2026-50891
Reference for CVE-2026-50891. GitHub Gist: instantly share code, notes, and snippets.