🚨 CVE-2026-58144
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.
🎖@cveNotify
Cotonti Siena 0.9.26 and earlier contains a stored cross-site scripting vulnerability that allows authenticated users with PFS access to inject arbitrary script payloads by supplying malicious HTML in the ntitle parameter processed through the TXT filter in pfs.main.php. Attackers can create a folder with a crafted title containing script tags that are stored unescaped in the database and execute in the browser of any user who views the folder listing, including administrators.
🎖@cveNotify
Gist
CVE-2026-58143 & CVE-2026-58144 — Cotonti CMS CSRF to RCE and Stored XSS PoC
CVE-2026-58143 & CVE-2026-58144 — Cotonti CMS CSRF to RCE and Stored XSS PoC - CVE-2026-58143_README.md
🚨 CVE-2026-21039
Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.
🎖@cveNotify
Improper access control in Settings prior to SMR Jul-2026 Release 1 allows local attackers to configure Theft protection settings.
🎖@cveNotify
🚨 CVE-2026-21040
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs.
🎖@cveNotify
Improper access control in IAFDService prior to SMR Jul-2026 Release 1 allows local privileged attackers to use the privileged APIs.
🎖@cveNotify
🚨 CVE-2026-21041
Improper access control in SamsungSEAgentService prior to SMR Jul-2026 Release 1 allows local attackers to access sensitive information.
🎖@cveNotify
Improper access control in SamsungSEAgentService prior to SMR Jul-2026 Release 1 allows local attackers to access sensitive information.
🎖@cveNotify
🚨 CVE-2026-21042
Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.
🎖@cveNotify
Out-of-bounds write in libsavsac.so prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.
🎖@cveNotify
🚨 CVE-2026-21043
Path traversal in Wallpaper service prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system server privilege.
🎖@cveNotify
Path traversal in Wallpaper service prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system server privilege.
🎖@cveNotify
🚨 CVE-2026-21044
Improper authorization in KnoxGuardManager prior to SMR Jul-2026 Release 1 allows local attackers to bypass the persistence configuration of the application.
🎖@cveNotify
Improper authorization in KnoxGuardManager prior to SMR Jul-2026 Release 1 allows local attackers to bypass the persistence configuration of the application.
🎖@cveNotify
🚨 CVE-2026-21045
Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allows remote attackers to write out-of-bounds memory.
🎖@cveNotify
Out-of-bounds write in parsing TIFF format in libimagecodec.media.quram.so prior to SMR Jul-2026 Release 1 allows remote attackers to write out-of-bounds memory.
🎖@cveNotify
🚨 CVE-2026-21046
Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows local privileged attackers to execute arbitrary code.
🎖@cveNotify
Time-of-check time-of-use race condition in fabricKeymaster trustlet prior to SMR Jul-2026 Release 1 allows local privileged attackers to execute arbitrary code.
🎖@cveNotify
🚨 CVE-2026-21049
Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.
🎖@cveNotify
Out-of-bounds write in libpadm.so library prior to SMR Jul-2026 Release 1 allows local attackers to execute arbitrary code.
🎖@cveNotify
🚨 CVE-2026-21050
Improper access control in SmartThingsKit prior to SMR Jul-2026 Release 1 allows local attackers to access sensitive information.
🎖@cveNotify
Improper access control in SmartThingsKit prior to SMR Jul-2026 Release 1 allows local attackers to access sensitive information.
🎖@cveNotify
🚨 CVE-2026-21051
Incorrect default permissions in WLAN security prior to SMR Jul-2026 Release 1 allows local attackers to configure TencentWifiSecurity settings.
🎖@cveNotify
Incorrect default permissions in WLAN security prior to SMR Jul-2026 Release 1 allows local attackers to configure TencentWifiSecurity settings.
🎖@cveNotify
🚨 CVE-2026-21052
Path traversal in SemClipboardService prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system privilege.
🎖@cveNotify
Path traversal in SemClipboardService prior to SMR Jul-2026 Release 1 allows local privileged attackers to access files with system privilege.
🎖@cveNotify
🚨 CVE-2026-21053
Improper input validation in Samsung Email prior to version 6.2.13.1 allows local attackers to create arbitrary files within the application sandbox.
🎖@cveNotify
Improper input validation in Samsung Email prior to version 6.2.13.1 allows local attackers to create arbitrary files within the application sandbox.
🎖@cveNotify
🚨 CVE-2026-21054
Improper export of android application components in InputSharing prior to version 2.7.01.4 allows local attackers to access sharing data.
🎖@cveNotify
Improper export of android application components in InputSharing prior to version 2.7.01.4 allows local attackers to access sharing data.
🎖@cveNotify
🚨 CVE-2026-21055
Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.
🎖@cveNotify
Improper export of android application components in Bixby prior to version 4.0.70.8 allows local attackers to execute arbitrary commands with Bixby privilege.
🎖@cveNotify
🚨 CVE-2026-21056
Improper authorization in Samsung Health prior to version 7.00.0.107 allows local attackers to access connected device information.
🎖@cveNotify
Improper authorization in Samsung Health prior to version 7.00.0.107 allows local attackers to access connected device information.
🎖@cveNotify
🚨 CVE-2026-21057
Improper input validation in Samsung Pass prior to version 5.2.10.3 allows local privileged attackers to write out-of-bounds memory.
🎖@cveNotify
Improper input validation in Samsung Pass prior to version 5.2.10.3 allows local privileged attackers to write out-of-bounds memory.
🎖@cveNotify
🚨 CVE-2026-12276
The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.
🎖@cveNotify
The LA-Studio Element Kit for Elementor WordPress plugin before 1.6.1 does not check whether user registration is enabled on the site before creating an account through one of its unauthenticated AJAX actions, allowing unauthenticated attackers to register new accounts even when registration has been disabled site-wide.
🎖@cveNotify
WPScan
LA-Studio Element Kit for Elementor < 1.6.1 - Unauthenticated Open Registration
See details on LA-Studio Element Kit for Elementor < 1.6.1 - Unauthenticated Open Registration CVE 2026-12276. View the latest Plugin Vulnerabilities on WPScan.
🚨 CVE-2026-12685
The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.
🎖@cveNotify
The EscortWP escortwp WordPress theme through 3.6.2 was distributed with a vendor-authored, obfuscated backdoor that lets an unauthenticated attacker who supplies a hard-coded, per-build key permanently delete all of the site's content, and that covertly transmits the site URL, administrator email address, and license key to a third-party server.
🎖@cveNotify
WPScan
EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor
See details on EscortWP <= 3.6.2 - Content Deletion via Vendor-Authored Backdoor CVE 2026-12685. View the latest Theme Vulnerabilities on WPScan.
🚨 CVE-2026-58225
SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.
This issue affects postgrex: from 0.16.0 before 0.22.3.
🎖@cveNotify
SQL Injection vulnerability in elixir-ecto postgrex allows an attacker who can influence a LISTEN channel name to inject SQL into the reconnect replay query, causing a denial of service of the notification connection.
Postgrex.Notifications sanitizes channel names with quote_channel/1, which doubles double quotes so the name is safe inside a double-quoted identifier. This protects the single-statement LISTEN and UNLISTEN paths. On every (re)connect, however, handle_connect/1 replays all registered channels at once by concatenating their LISTEN statements and wrapping them in a dollar-quoted anonymous code block (DO $$BEGIN ... END$$). quote_channel/1 does not escape the $$ dollar-quote delimiter that opens and closes this block.
The listen/3 guards only reject null bytes and names longer than 63 bytes, so a channel name containing $$ passes validation unchanged. Once such a name is embedded, its $$ prematurely terminates the outer dollar-quoted string and PostgreSQL parses the remainder as additional top-level statements. Because handle_connect/1 runs on every (re)connect, the malformed replay query is rejected each time and the notification connection never re-establishes its subscriptions, silently dropping notifications for every channel sharing that connection.
An application is affected when it passes untrusted input (for example a tenant or user identifier) as a channel name to Postgrex.Notifications.listen/3. The double-quote doubling prevents forming a fully valid injected statement, so arbitrary SQL execution is not possible, but the corrupted query reliably breaks the shared notification connection for all tenants, resulting in denial of service.
This issue affects postgrex: from 0.16.0 before 0.22.3.
🎖@cveNotify
Erlang Ecosystem Foundation CNA
SQL injection via unescaped dollar-quote in Postgrex.Notifications reconnect replay causes notification denial of service
This project handles the CVE Numbering Authority (CNA) for the Erlang Ecosystem Foundation (EEF).