CVE Notify
19.1K subscribers
4 photos
181K links
Alert on the latest CVEs

Partner channel: @malwr
Download Telegram
๐Ÿšจ CVE-2026-54281
Nest is a framework for building scalable Node.js server-side applications. Prior to 11.1.24, an authentication bypass vulnerability exists in @nestjs/platform-fastify. When middleware is registered through NestJS's MiddlewareConsumer.forRoutes() API on the Fastify adapter, an unauthenticated client can bypass the Nest middleware registered for that route by simply appending a trailing slash (/) to the request URL. This bypass works on the default Fastify adapter configuration. This vulnerability is fixed in 11.1.24.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-11374
In ManageEngine ADSelfService Plus, RecoveryManager Plus, M365 Manager Plus, and ADAudit Plus, the SSO tickets generated to authenticate that session could be predicted
by an unauthenticated user, leading to account takeover.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-33760
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.0, Langflow's /api/v1/monitor router exposes 7 endpoints that perform read, write, and delete operations on user-owned resources โ€” messages, sessions, build artifacts, and LLM transaction logs โ€” without verifying that the authenticated requester owns the targeted resource. Any authenticated user can read, modify, rename, or permanently delete another user's data by supplying the target's resource ID or flow_id. This is a classic IDOR/BOLA vulnerability. Notably, the same source file (monitor.py) contains one correctly-implemented endpoint that uses an ownership check, demonstrating the correct pattern was known but inconsistently applied. This vulnerability is fixed in 1.9.0.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-48519
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, the "Shareable Playground" (or "Public Flows" in code) contains a critical RCE vulnerability. Shareable Playground feature works by enabling the execution of workflows by unauthenticated users, by accessing a link. Specifically, it enables the route /api/v1/build_public_tmp to execute any public flow, given a public flow ID. When the route executes the flow, it allows for providing arbitrary custom Python code as the nodes code, inside the JSON payload. The vulnerable field is data.nodes[X].data.node.template.code.value. This vulnerability is fixed in 1.9.2.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-55255
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, an Insecure Direct Object Reference (IDOR) vulnerability in /api/v1/responses endpoint allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request. This vulnerability is fixed in 1.9.2.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-55447
Langflow is a tool for building and deploying AI-powered agents and workflows. Prior to 1.9.2, by controlling a files that are digested into the RAG, an attacker can direct the node to read any file on the file-system by absolute path. All components based on BaseFileComponent are vulnerable to the vulnerability. This includes Docling (DoclingInlineComponent), Docling Serve, DoclingRemoteComponent), Read File (FileComponent), NVIDIA Retriever Extraction (NvidiaIngestComponent), Video File (VideoFileComponent), and Unstructured API (UnstructuredComponent). This vulnerability is fixed in 1.9.2.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2020-9695
Acrobat Reader versions 2020.009.20074, 2020.001.30002, 2017.011.30171, 2015.006.30523 and earlier are affected by an out-of-bounds write vulnerability that could result in arbitrary code execution in the context of the current user. Exploitation of this issue requires user interaction in that a victim must open a malicious file.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-54010
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets an authenticated user attach arbitrary file_id values to their own chat message without checking whether they own or can read those files. If the attacker then shares that chat and grants themselves read access, has_access_to_file() treats the victim file as accessible through the shared chat, and the file endpoints read or delete the victim file. This vulnerability is fixed in 0.9.6.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-54012
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file. This vulnerability is fixed in 0.9.6.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12485
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### IP field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



v3 = strlen(g_network_config->ip_addr);

memcpy(&reply_buf[36], g_network_config->ip_addr, v3);

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12486
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an ip address, performs no sanitization and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF



v2 = *this == 0;

if ( *this )

v2 = ip_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address

system(v4);

return 1;

}

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12488
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. 


A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12846
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### Net Mask field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



v6 = strlen(g_network_config->net_mask);

memcpy(&reply_buf[184], g_network_config->net_mask, v6);

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12847
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### Gateway field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



v7 = strlen(g_network_config->gateway);

memcpy(&reply_buf[216], g_network_config->gateway, v7);

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12848
GV-I/O Box 4E is a smart embedded device with 4 input and 4 relays output that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:



#### DNS field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



v8 = strlen(g_network_config->dns_addr);

memcpy(&reply_buf[248], g_network_config->dns_addr, v8);

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12849
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)



#### CNetSetObj::m_F_n_Set_Net_Mask command injection

The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)

{

bool v2; // zf

char v4[72]; // [sp+0h] [bp-48h] BYREF



v2 = *this == 0;

if ( *this )

v2 = netmask_addr == 0;

if ( v2 )

return 0;

sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr

system(v4);

return 1;

}

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12850
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_Gate_way command injection

The following function takes a string as a gatewy address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.





int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)

{

char s[324]; // [sp+4h] [bp-144h] BYREF



if ( !dev && !*this || !gw )

return 0;

system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");

system("/sbin/route del default ");

if ( dev )

sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); //attacker controlled gw string

else

sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); //attacker controlled gw string

system(s);

return 1;

}

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12851
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, Netmask, gateway, dns, etc.)


#### CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)

{

int result; // r0

char v5[80]; // [sp+0h] [bp-50h] BYREF



if ( !dns1 )

result = 0;

if ( dns1 )

{

sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field

system(v5);

if ( dns2 )

{

sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);

system(v5);

}

return 1;

}

return result;

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-9539
An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2025-10911
A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

๐ŸŽ–@cveNotify
๐Ÿšจ CVE-2026-12488
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. 


A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.

๐ŸŽ–@cveNotify