CVE Notify
Alert on the latest CVEs

Partner channel: @malwr
🚨 CVE-2026-54012
Open WebUI is a self-hosted artificial intelligence platform designed to operate entirely offline. Prior to 0.9.6, Open WebUI lets a user who can create, update, or import workspace models store arbitrary meta.knowledge entries on their model without checking whether they own or can read the referenced files. Open WebUI then treats meta.knowledge entries of type file as an authorization source in two places: the built-in view_file tool reads the file's extracted text, and has_access_to_file()'s model branch authorizes the file content and file delete endpoints. A malicious model owner can therefore attach another user's file ID to their model metadata and read or delete that private file. This vulnerability is fixed in 0.9.6.

🎖@cveNotify
🚨 CVE-2026-12485
GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### IP field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



```c
v3 = strlen(g_network_config->ip_addr);
memcpy(&reply_buf[36], g_network_config->ip_addr, v3);
```

🎖@cveNotify
🚨 CVE-2026-12486
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).


#### CNetSetObj::m_F_n_Set_IP_Addr command injection

The following function takes a string as an IP address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



```c
int __fastcall CNetSetObj::m_F_n_Set_IP_Addr(const char **this, char *ip_addr)
{
  bool v2; // zf
  char v4[72]; // [sp+0h] [bp-48h] BYREF

  v2 = *this == 0;
  if ( *this )
    v2 = ip_addr == 0;
  if ( v2 )
    return 0;
  sprintf(v4, "/sbin/ifconfig %s %s", *this, ip_addr); // attacker controlled ip address
  system(v4);
  return 1;
}
```

🎖@cveNotify
🚨 CVE-2026-12488
A memory corruption vulnerability exists in the GV-Cloud functionality of GeoVision GV-VMS V20 20.0.2. 


A specially crafted network request can lead to a denial of service. An attacker can impersonate the legitimate server to trigger this vulnerability.

🎖@cveNotify
🚨 CVE-2026-12846
GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### Net Mask field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



```c
v6 = strlen(g_network_config->net_mask);
memcpy(&reply_buf[184], g_network_config->net_mask, v6);
```

🎖@cveNotify
🚨 CVE-2026-12847
GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:


#### Gateway field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



```c
v7 = strlen(g_network_config->gateway);
memcpy(&reply_buf[216], g_network_config->gateway, v7);
```

🎖@cveNotify
🚨 CVE-2026-12848
GV-I/O Box 4E is a smart embedded device with 4 inputs and 4 relay outputs that can be controlled over Ethernet and RS-485.

DVRSearch is a service running by default on the IOBox listening for UDP messages on port 10001. Any user on the network can send messages to this service and interact with it.



Upon receiving a UDP message, the server reads at most 1460 bytes into a local buffer and a pointer to the buffer is stored in a global variable:



#### DNS field stack overflow

The following code is vulnerable to a stack overflow that is attacker-controlled:



```c
v8 = strlen(g_network_config->dns_addr);
memcpy(&reply_buf[248], g_network_config->dns_addr, v8);
```

🎖@cveNotify
🚨 CVE-2026-12849
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).



#### CNetSetObj::m_F_n_Set_Net_Mask command injection

The following function takes a string as a net mask address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



```c
int __fastcall CNetSetObj::m_F_n_Set_Net_Mask(const char **this, char *netmask_addr)
{
  bool v2; // zf
  char v4[72]; // [sp+0h] [bp-48h] BYREF

  v2 = *this == 0;
  if ( *this )
    v2 = netmask_addr == 0;
  if ( v2 )
    return 0;
  sprintf(v4, "/sbin/ifconfig %s netmask %s", *this, netmask_addr); // attacker controlled netmask_addr
  system(v4);
  return 1;
}
```

🎖@cveNotify
🚨 CVE-2026-12850
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).


#### CNetSetObj::m_F_n_Set_Gate_way command injection

The following function takes a string as a gateway address, performs no sanitization on it and calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.





```c
int __fastcall CNetSetObj::m_F_n_Set_Gate_way(const char **this, char *gw, char *dev)
{
  char s[324]; // [sp+4h] [bp-144h] BYREF

  if ( !dev && !*this || !gw )
    return 0;
  system("/sbin/route del -net 224.0.0.0 netmask 224.0.0.0");
  system("/sbin/route del default ");
  if ( dev )
    sprintf(s, "/sbin/route add default gw %s dev %s", gw, dev); // attacker controlled gw string
  else
    sprintf(s, "/sbin/route add default gw %s dev %s", gw, *this); // attacker controlled gw string
  system(s);
  sprintf(s, "/sbin/route add -net 224.0.0.0 netmask 224.0.0.0 gw %s dev %s", gw, *this); // attacker controlled gw string
  system(s);
  return 1;
}
```

🎖@cveNotify
🚨 CVE-2026-12851
Multiple OS command injection vulnerabilities exist in the libNetSetObj.so functionality of GeoVision GV-I/O Box 4E 2.09. A specially crafted network packet can lead to command execution. An attacker can send a network request to trigger this vulnerability.


`libNetSetObj.so` is an internal library used by various binaries on the device to configure the network stack (start and stop various services, configure IP, netmask, gateway, DNS, etc.).


#### CNetSetObj::m_F_n_Set_DNS_Addr command injection

The following function can take up to two addresses, performs no sanitization and then calls `system`. This is a classic command injection vulnerability. The function is reachable from both the network-exposed `DVRSearch` service and the `Network.cgi` endpoint.



```c
int __fastcall CNetSetObj::m_F_n_Set_DNS_Addr(CNetSetObj *this, char *dns1, char *dns2)
{
  int result; // r0
  char v5[80]; // [sp+0h] [bp-50h] BYREF

  if ( !dns1 )
    result = 0;
  if ( dns1 )
  {
    sprintf(v5, "/bin/echo nameserver %s > /etc/resolv.conf", dns1); // attacker controlled dns1 field
    system(v5);
    if ( dns2 )
    {
      sprintf(v5, "/bin/echo nameserver %s >> /etc/resolv.conf", dns2);
      system(v5);
    }
    return 1;
  }
  return result;
}
```

🎖@cveNotify
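A hardened counterpart to the `CNetSetObj` setters quoted in the four command injection entries above, as an added example that is not GeoVision's code and not part of the advisories: the address is accepted only if it parses as a strict IPv4 literal, and the tool is run through `execv` with an argument vector instead of `sprintf` plus `system`. The names `is_ipv4_literal`, `build_set_ip_argv` and `run_argv` are hypothetical, `eth0` and the sample addresses are constructed, and the same check applies to the netmask, gateway and DNS strings.

```c
#include <arpa/inet.h>
#include <stddef.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 only for a strict dotted-quad IPv4 literal: metacharacters, spaces and
 * trailing bytes all make inet_pton() fail. */
int is_ipv4_literal(const char *s)
{
    struct in_addr a;
    return s != NULL && strlen(s) < INET_ADDRSTRLEN && inet_pton(AF_INET, s, &a) == 1;
}

/* Builds argv for "/sbin/ifconfig <ifname> <ip>"; returns 0, or -1 when the
 * address is rejected. ifname is assumed to come from trusted device config. */
int build_set_ip_argv(const char *ifname, const char *ip, const char *argv[4])
{
    if (ifname == NULL || ifname[0] == '\0' || ifname[0] == '-' || !is_ipv4_literal(ip))
        return -1;
    argv[0] = "/sbin/ifconfig";
    argv[1] = ifname;
    argv[2] = ip;
    argv[3] = NULL;
    return 0;
}

/* Executes argv[0] directly: no shell ever parses the arguments. */
int run_argv(const char *argv[])
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        execv(argv[0], (char *const *)argv);
        _exit(127);
    }
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *argv[4];
    /* Constructed hostile value: rejected before any process is spawned. */
    return build_set_ip_argv("eth0", "10.0.0.5;x", argv) == -1 ? 0 : 1;
}
```

Because a valid dotted quad is at most 15 characters, the same validation also bounds the length of the value before it is copied into any fixed-size buffer.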
🚨 CVE-2026-9539
An out-of-bounds heap read and integer underflow in the TCP urgent data handling (sosendoob) in freedesktop.org libslirp version before v4.9.2 on hypervisor host environments (e.g., QEMU) allows a privileged guest VM attacker (root or CAP_NET_RAW) to leak gigabytes of sensitive host-process heap memory via sending crafted TCP segments with manipulated URG flags and urgent pointers (ti_urp).

🎖@cveNotify
🚨 CVE-2025-10911
A use-after-free vulnerability was found in libxslt while parsing xsl nodes that may lead to the dereference of expired pointers and application crash.

🎖@cveNotify
🚨 CVE-2026-10091
The Email JavaScript Cloak plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'email' shortcode in all versions up to, and including, 1.03 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

🎖@cveNotify
🚨 CVE-2026-10092
The Cincopa video and media plug-in plugin for WordPress is vulnerable to Stored Cross-Site Scripting via cincopa Shortcode in Post Comments in all versions up to, and including, 1.163 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. Exploitation is possible because the plugin processes the [cincopa] shortcode via a comment_text filter hook, allowing unauthenticated visitors who can post comments to supply a malicious shortcode argument that persists in the database.

🎖@cveNotify
🚨 CVE-2026-10531
The AI Share & Summarize WordPress plugin before 2.0.4 does not sanitise and escape some of its shortcode attributes before outputting them in a page, allowing users with the Contributor role and above to perform Stored Cross-Site Scripting attacks.

🎖@cveNotify
🚨 CVE-2026-10552
The Blue Captcha plugin for WordPress is vulnerable to Cross-Site Request Forgery in versions up to and including 2.0.1. This is due to missing or incorrect nonce validation on the main admin panel (blcap_main_page) and on the Hall of Shame and Log subpages, which accept a 'blcap_action' / 'action' parameter from $_REQUEST and perform destructive operations (plugin uninstall via blcap_uninstall(), log deletion via blcap_delete_logs(), Hall of Shame deletion via blcap_delete_ip_db(), and adding IPs to the banned list via update_option('blcap_settings')) with no wp_verify_nonce(), check_admin_referer(), or check_ajax_referer() calls anywhere in the codebase. This makes it possible for unauthenticated attackers to uninstall the plugin, delete audit logs, remove Hall of Shame entries, and add arbitrary IP addresses to the block list via a forged request granted they can trick a site administrator into performing an action such as clicking on a link.

🎖@cveNotify
🚨 CVE-2026-10735
The smart-post-show-pro WordPress plugin before 4.0.2, the Real Testimonials Pro WordPress plugin before 3.2.5, and the Product Slider for WooCommerce Pro WordPress plugin before 3.5.3 were distributed with malicious code through the vendor's compromised update server, allowing unauthenticated attackers to deploy a second-stage payload that exfiltrates credentials and other sensitive data and grants full control of affected sites.

🎖@cveNotify
🚨 CVE-2026-10749
The Post Duplicator WordPress plugin before 3.0.15 does not safely handle custom meta-data during post duplication, storing attacker-supplied serialized values without the WordPress meta API's double-serialization protection, allowing users with Contributor-level access and above to inject a PHP Object.

🎖@cveNotify
🚨 CVE-2026-10753
The Site Kit by Google WordPress plugin before 1.176.0 does not properly restrict a REST API write endpoint to administrators, allowing lower-privileged users who have been granted dashboard sharing access (such as Editors) to modify a site-wide setting that should only be modifiable by administrators.

🎖@cveNotify
🚨 CVE-2026-11370
The WP Meta SEO plugin for WordPress is vulnerable to Server-Side Request Forgery in all versions up to, and including, 4.5.18 via the 'new_link' parameter. This makes it possible for authenticated attackers, with contributor-level access and above, to make web requests to arbitrary locations originating from the web application and can be used to query and modify information from internal services. The HTTP response status from outbound requests is reflected back in the AJAX JSON response as status_code, providing an enumeration oracle usable for probing internal hosts and cloud metadata services.

🎖@cveNotify