π¨ CVE-2026-46735
Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
π@cveNotify
Dell Display and Peripheral Manager (DDPM Mac), versions prior to 2.3, contain an Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability. A low privileged attacker with local access could potentially exploit this vulnerability, leading to Command execution.
π@cveNotify
π¨ CVE-2026-57587
A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
A SQL injection vulnerability in Nessus allows a remote, unauthenticated attacker who controls reverse DNS records for a scanned host to inject malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
π¨ CVE-2026-57588
A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
A SQL injection vulnerability in Nessus allows an attacker to craft a malicious scan result file that, when imported by a privileged user, injects malicious SQL into the scan results database, potentially enabling exfiltration of scan-result data.
π@cveNotify
π¨ CVE-2026-48940
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
π@cveNotify
A Joomla user with K2 "create item" rights (Author tier by default) can submit an article whose `embedVideo` POST field contains a raw `<script>` tag; K2 stores it verbatim and renders it unescaped to any visitor of the article page.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48941
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
π@cveNotify
The K2 frontend `item.checkin` task accepts an unauthenticated `sigProFolder` query parameter and uses it directly to address a `JFolder::delete()` call under `/media/k2/galleries/`
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48942
K2 β€ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
π@cveNotify
K2 β€ 2.26 renders the `#__k2_users.image` column directly into HTML `src` attributes via two distinct templates, in both cases without HTML escaping.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48943
K2 β€ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table β none of which are exposed by the K2 frontend profile-edit form.
π@cveNotify
K2 β€ 2.24 contains a mass-assignment defect in the K2 system user plugin `plg_user_k2`. A Registered Joomla user, by including the field `K2UserForm=1` in a standard `com_users` `profile.save` POST, can write arbitrary values into the `notes`, `image`, and `plugins` columns of their own row in the `#__k2_users` table β none of which are exposed by the K2 frontend profile-edit form.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48944
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user β including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
π@cveNotify
The K2 frontend article-save handler accepts an `attachment[N][existing]` POST field that is concatenated with `JPATH_SITE/` and passed to `JFile::copy()`. `JPath::clean` does NOT strip `..`, and there is no allow-list of source paths. An Author can therefore copy `configuration.php` (or any other file readable by the web user β including `../../../etc/passwd`) into `/media/k2/attachments/`, then retrieve the contents via the K2 attachment-download endpoint.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48945
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names β non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
π@cveNotify
The K2 article gallery upload path accepts a zip/tar archive, extracts it under `/media/k2/galleries/<id>/`, and only renames image files (gif/jpg/jpeg/png/webp) to safe names β non-image files (including `.php`) are extracted as-is and remain executable via direct HTTP access.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-48946
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
π@cveNotify
The K2 frontend article-attachment upload path accepts files whose extension is `.php`, and Apache's standard mod_php matches `\.php$` and executes them under the K2 web user. A K2 Author can upload a `shell.php`, then fetch `/media/k2/attachments/shell.php` and execute arbitrary PHP code in the web server's context.
π@cveNotify
getk2.org
K2 | The powerful content extension for Joomla! developed by JoomlaWorks
K2 is the popular, powerful and awarded content extension for Joomla! with CCK-like features developed by JoomlaWorks, makers of fine Joomla! extensions since 2006. It provides an out-of-the box integrated solution featuring rich content forms for items (thinkβ¦
π¨ CVE-2026-54036
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false β all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the GET /api/auth/2fa/enable endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint overwrites the existing TOTP secret, generates new backup codes, and sets twoFactorEnabled to false β all without requiring any TOTP or backup code verification. An attacker with a valid session token can completely take over a victim's 2FA, locking the legitimate user out of their own two-factor authentication. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
GitHub
2FA Re-enrollment Allows Full Account 2FA Takeover Without OTP Verification
### Summary
The `GET /api/auth/2fa/enable` endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint ...
The `GET /api/auth/2fa/enable` endpoint can be called by an authenticated user (or attacker with a stolen session) even when 2FA is already fully enabled on the account. This endpoint ...
π¨ CVE-2026-57456
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
π@cveNotify
Vim is an open source, command line text editor. Prior to 9.2.0699, Vim's Python omni-completion (runtime/autoload/python3complete.vim and the legacy pythoncomplete.vim) executes reconstructed function and class definitions from the current buffer with exec() as part of populating the completion dictionary. When reconstructing that source, each scope's docstring is inserted verbatim between triple quotes with no escaping, so a hostile buffer can break out of the triple-quoted literal and execute attacker-controlled Python during omni-completion. This vulnerability is fixed in 9.2.0699.
π@cveNotify
GitHub
patch 9.2.0699: [security]: possible code execution with python complete Β· vim/vim@cce141c
Problem: [security]: possible code execution with python complete
(morningbread)
Solution: Use repr() to quote the doc strings correctly
Github Security Advisory:
https://github.com/vim...
(morningbread)
Solution: Use repr() to quote the doc strings correctly
Github Security Advisory:
https://github.com/vim...
π¨ CVE-2026-9650
CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system files. With this credential an attacker could subsequently compromise the device if they have physical access to the device.
π@cveNotify
CWE-522 Insufficiently Protected Credentials vulnerability that could cause unauthorized access and exposure of sensitive information when unauthenticated attacker accesses credentials stored within firmware or system files. With this credential an attacker could subsequently compromise the device if they have physical access to the device.
π@cveNotify
π¨ CVE-2026-9651
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
π@cveNotify
CWE-732 Incorrect Permission Assignment for Critical Resource vulnerability that could cause unauthorized disclosure of password hashes and potential account compromise when an attacker with privileged local access reads improperly protected system files.
π@cveNotify
π¨ CVE-2026-9716
CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the deviceβs HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.
π@cveNotify
CWE-476 NULL Pointer Dereference vulnerability exists that could cause a denial-of-service condition, rendering the deviceβs HMI and configuration functionality unavailable when malformed requests are received over exposed network interfaces.
π@cveNotify
π¨ CVE-2026-9717
CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.
π@cveNotify
CWE-78 Neutralization of Special Elements used in an OS Command ('OS Command Injection') vulnerability exists that could allow unauthorized execution of commands with elevated privileges, impacting system integrity, confidentiality, and availability when a privileged authenticated user interacts with a vulnerable network-exposed service.
π@cveNotify
π¨ CVE-2026-9718
CWE-617 Reachable Assertion vulnerability exists that could allow an authenticated attacker to trigger a denial-of-service condition, impacting system availability when a specially crafted request is sent to a vulnerable network-exposed service.
π@cveNotify
CWE-617 Reachable Assertion vulnerability exists that could allow an authenticated attacker to trigger a denial-of-service condition, impacting system availability when a specially crafted request is sent to a vulnerable network-exposed service.
π@cveNotify
π¨ CVE-2026-13350
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
π@cveNotify
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
π@cveNotify
GitHub
Incorrect permission check
Permissions where checked incorrectly during room creation, allowing attackers to create rooms of types they shouldn't be allowed to create.
π¨ CVE-2026-13351
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
π@cveNotify
Zephyr's IPv6 network stack can be prevented from receiving or processing future incoming packets by sending a small number of maliciously fragmented IPv6 packets. When such a packet is handled by the fragment-header processing path, the associated RX network packet buffer (allocated from a memory slab) is not released back to the pool. Repeating the malicious packet exhausts all RX buffer slots, after which the device can no longer obtain RX buffers and stops receiving traffic, resulting in a denial of service.
π@cveNotify
GitHub
net: Maliciously fragmented IPv6 packets can prevent receiving/processing future incoming packets
Network stack for Zephyr can be prevented from receiving/processing future incoming packets by sending a few maliciously fragmented IPv6 packets.
Zephyr version: `7823374e872 release: Zephyr 4.1...
Zephyr version: `7823374e872 release: Zephyr 4.1...
π¨ CVE-2026-54024
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 (commit bb58a2d0) added limits: { fileSize } to createMulterInstance() in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that was never updated with the same limits configuration. Combined with the application-level size check being disabled by default (the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES env var is commented out in .env.example), an authenticated user can upload arbitrarily large files to exhaust server disk space and memory. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, the fix for CVE-2024-11171 (commit bb58a2d0) added limits: { fileSize } to createMulterInstance() in the file upload routes. However, the POST /api/convos/import endpoint uses a separate multer instance that was never updated with the same limits configuration. Combined with the application-level size check being disabled by default (the CONVERSATION_IMPORT_MAX_FILE_SIZE_BYTES env var is commented out in .env.example), an authenticated user can upload arbitrarily large files to exhaust server disk space and memory. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
GitHub
Incomplete Fix for CVE-2024-11171 β Conversation Import Multer Instance Missing File Size Limits
### Summary
The fix for [CVE-2024-11171](https://huntr.com/bounties/91717a5a-d653-4e35-b186-9e8d00aa4285) (commit `bb58a2d0`) added `limits: { fileSize }` to `createMulterInstance()` in the file u...
The fix for [CVE-2024-11171](https://huntr.com/bounties/91717a5a-d653-4e35-b186-9e8d00aa4285) (commit `bb58a2d0`) added `limits: { fileSize }` to `createMulterInstance()` in the file u...
π¨ CVE-2026-54025
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
LibreChat is an enhanced ChatGPT clone that supports multiple AI providers. Prior to 0.8.4-rc1, there is a vulnerability in LibreChat's markdown artifact preview pipeline. The marked library v15.0.12 does not HTML-escape double-quote characters in image alt text when a custom renderer falls through to the default renderer. LibreChat's generateMarkdownHtml function (in client/src/utils/markdown.ts) installs a custom image renderer that returns false for URLs passing the isSafeUrl allowlist check, which causes marked to fall back to its built-in renderer. That built-in renderer inserts the raw alt text into the alt="..." attribute without escaping double-quote characters. An attacker can craft an alt text such as " onload="payload to break out of the attribute and inject an arbitrary event handler. The resulting HTML is then assigned to document.getElementById('content').innerHTML inside the Sandpack preview iframe, causing the payload to execute in the victim's browser. This vulnerability is fixed in 0.8.4-rc1.
π@cveNotify
GitHub
Stored XSS via unescaped image alt text in markdown artifact preview
## Title
Stored XSS via unescaped image alt text in markdown artifact preview
## Description
I found a vulnerability in LibreChat's markdown artifact preview pipeline. The `marked` library v...
Stored XSS via unescaped image alt text in markdown artifact preview
## Description
I found a vulnerability in LibreChat's markdown artifact preview pipeline. The `marked` library v...