π¨ CVE-2026-37271
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.
π@cveNotify
Fire-Boltt Smartwatch FB BGS001 Firmware: MOY-JS14-2.0.4 is vulnerable to Improper Authentication, The device accepts GATT Write Request commands without sufficient authentication or strong session validation. Under specific conditions, previously captured BLE packets can be replayed from a nearby device to trigger functionality on the smartwatch.
π@cveNotify
GitHub
CVE/CVE-2026-37271/CVE-2026-37271.pdf at main Β· EmbdCDACHyd/CVE
Research repository focused on security vulnerabilities (CVEs) in IoT devices, firmware, communication protocols, and embedded systems. - EmbdCDACHyd/CVE
π¨ CVE-2026-50810
A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
π@cveNotify
A NULL pointer dereference in smooth_parse_stream_index() in src/media_tools/mpd.c in GPAC master HEAD before commit b35c61f104b85fbb16520ac2838d5d2ef70845b5 allows attackers to cause a denial of service
π@cveNotify
Gist
gist:0c67bf67a268ff8861100bfc132e801c
GitHub Gist: instantly share code, notes, and snippets.
π¨ CVE-2026-56362
ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting any writer calling GetPixelIndex.
π@cveNotify
ImageMagick before 7.1.2-15 contains a heap-buffer-overflow read vulnerability in GetPixelIndex caused by OpenPixelCache updating image channel metadata before pixel cache memory allocation. Attackers can trigger memory and disk allocation failures to cause a heap-buffer-overflow read affecting any writer calling GetPixelIndex.
π@cveNotify
GitHub
Heap-buffer-overflow read in GetPixelIndex due to metadata-cache desynchronization in OpenPixelCache
`OpenPixelCache` updates image channel metadata **before** attempting pixel cache memory allocation. When both memory and disk allocation fail a heap-buffer-overflow read in occurs in any writer t...
π¨ CVE-2026-59262
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
π@cveNotify
AFFiNE's histories GraphQL field fails to validate Doc.Read permission before exposing document edit history, allowing authenticated workspace members to retrieve restricted content timelines. Attackers can supply arbitrary document GUIDs to access full edit histories including user names, emails, and timestamps of private pages they lack access to.
π@cveNotify
GitHub
GitHub - toeverything/AFFiNE: There can be more than Notion and Miro. AFFiNE(pronounced [Ιβfain]) is a next-gen knowledge baseβ¦
There can be more than Notion and Miro. AFFiNE(pronounced [Ιβfain]) is a next-gen knowledge base that brings planning, sorting and creating all together. Privacy first, open-source, customizable an...
π¨ CVE-2026-59880
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
π@cveNotify
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, Immutable.Map and Immutable.Set keep keys that share the same 32-bit hash in a HashCollisionNode collision bucket that is scanned linearly, allowing an attacker who controls keys inserted into a Map, such as through Immutable.Map(obj), Immutable.fromJS(obj), state.merge(userObject), or mergeDeep, to craft many colliding keys and degrade insertion and lookup to consume disproportionate CPU. This issue is fixed in versions 4.3.9 and 5.1.8.
π@cveNotify
GitHub
perf(Map): index large hash-collision buckets for faster lookups Β· immutable-js/immutable-js@3dd7e56
Backport of the hash-collision DoS fix to the 4.x line. Large
HashCollisionNode buckets now build a per-process seeded secondary index
(hashCollisionKey) instead of scanning linearly, restoring nea...
HashCollisionNode buckets now build a per-process seeded secondary index
(hashCollisionKey) instead of scanning linearly, restoring nea...
π¨ CVE-2026-59879
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
π@cveNotify
Immutable.js provides many Persistent Immutable data structures. Prior to 4.3.9 and 5.1.8, List#set, List#setSize, List#setIn, List#updateIn, and the functional set, setIn, and updateIn mishandle an index or size in the range 2 ** 30 to 2 ** 31 in setListBounds in src/List.js, causing an empty List to enter an uncatchable infinite loop, a populated List to allocate without bound until process abort, or setSize to silently wrap large values. This issue is fixed in versions 4.3.9 and 5.1.8.
π@cveNotify
GitHub
Merge commit from fork Β· immutable-js/immutable-js@a1a1ee4
fix(List): guard oversized bounds in setListBounds
π¨ CVE-2026-60102
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
π@cveNotify
Horde Virtual File System (VFS) API before 3.0.1 contains an OS command injection vulnerability in the Horde_Vfs_Smb driver where the _escapeShellCommand() method fails to sanitize command substitution sequences, allowing authenticated attackers to inject arbitrary shell commands through user-controlled filenames. Attackers can supply malicious filenames containing unescaped command substitution payloads through operations such as file upload, folder creation, rename, or deletion, which are interpolated into a double-quoted shell context and executed via proc_open() through /bin/sh -c before smbclient runs, resulting in arbitrary command execution on the underlying system.
π@cveNotify
GitHub
fix(vfs): quote smbclient arguments to prevent command injection (CVE⦠· horde/Vfs@41f74b4
β¦-2026-60102)
Harden Horde_Vfs_Smb against crafted resource names. It previously only neutralised
';' and '\' but not $(...), backticks, newlines as attack vectors....
Harden Horde_Vfs_Smb against crafted resource names. It previously only neutralised
';' and '\' but not $(...), backticks, newlines as attack vectors....
π¨ CVE-2026-36027
An issue in Code27 Companion Hub SQ3A.220705.003.A1 allows a physically proximate attacker to execute arbitrary code via the USB debugging (ADB) and Android Debug Bridge components
π@cveNotify
An issue in Code27 Companion Hub SQ3A.220705.003.A1 allows a physically proximate attacker to execute arbitrary code via the USB debugging (ADB) and Android Debug Bridge components
π@cveNotify
π¨ CVE-2026-59802
PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.
π@cveNotify
PasswordPusher before 2.8.1 accepts data URI schemes in URL push payloads due to insufficient validation in the valid_url function. Attackers can create malicious pushes containing data:text/html URIs that execute arbitrary JavaScript in victims' browsers when clicked, enabling phishing and credential theft under the trusted PasswordPusher domain.
π@cveNotify
GitHub
data: URI Scheme Accepted as URL Push Payload Enables Redirect-Based XSS via Trusted Domain
### Summary
I found that PasswordPusher's URL push feature accepts any URI scheme whose scheme component is non-nil, including `data:` URIs. Because the application performs a `redirect_to` ...
I found that PasswordPusher's URL push feature accepts any URI scheme whose scheme component is non-nil, including `data:` URIs. Because the application performs a `redirect_to` ...
π¨ CVE-2026-59803
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.
π@cveNotify
rpcx through 1.9.3, fixed in commit 047aec1, contains a denial-of-service vulnerability in protocol.Message.Decode (protocol/message.go). When a message has the compression flag set, the payload is gzip-decompressed via util.Unzip with no limit on the decompressed output size. The only built-in size guard, protocol.MaxMessageLength, is checked against the compressed on-the-wire frame length, not the decompressed size, so it provides no protection. Because decoding (and decompression) occurs in readRequest before authentication, a single unauthenticated connection can send a small (under 2 MB) gzip-compressed message that expands to gigabytes of heap allocation, leading to out-of-memory conditions and service unavailability.
π@cveNotify
GitHub
fix(protocol): cap decompressed payload size to prevent gzip bombs (#β¦ Β· smallnest/rpcx@047aec1
β¦943)
Message.Decode decompressed gzip/snappy payloads with io.ReadAll and no
output cap, before service lookup or auth. MaxMessageLength only bounds
the compressed wire length, so a small frame c...
Message.Decode decompressed gzip/snappy payloads with io.ReadAll and no
output cap, before service lookup or auth. MaxMessageLength only bounds
the compressed wire length, so a small frame c...
π¨ CVE-2026-59805
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership validation. Attackers can modify the is_access_revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
π@cveNotify
Gumroad before 2026.07.06.2 contains a broken access control vulnerability in the PurchasesController that allows authenticated sellers to manipulate purchase access for other sellers' products by sending PUT requests to the revoke_access and undo_revoke_access actions without seller ownership validation. Attackers can modify the is_access_revoked status on arbitrary purchases to unauthorized revoke or restore buyer access to products they do not own.
π@cveNotify
GitHub
Block cross-seller access revocation (#5731) Β· antiwork/gumroad@e7fd0e6
Fixes #5725
## Root cause
Confirmed. `PurchasesController#revoke_access` and `#undo_revoke_access`
loaded `@purchase` from the external id and authorized with
`Audience::PurchasePolicy`, but they...
## Root cause
Confirmed. `PurchasesController#revoke_access` and `#undo_revoke_access`
loaded `@purchase` from the external id and authorized with
`Audience::PurchasePolicy`, but they...
π¨ CVE-2026-59806
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Attackers can craft a malicious FileData response targeting internal endpoints such as cloud metadata services to retrieve sensitive credentials including EC2 IAM role credentials.
π@cveNotify
Gradio before 6.20.0 contains an open redirect and server-side request forgery vulnerability that allows attackers to redirect users to arbitrary URLs or perform client-side SSRF by supplying unvalidated HTTP/HTTPS URLs to the file_fetch() function in the /gradio_api/file= endpoint. Attackers can craft a malicious FileData response targeting internal endpoints such as cloud metadata services to retrieve sensitive credentials including EC2 IAM role credentials.
π@cveNotify
GitHub
fix: serve /gradio_api/file=<url> via an SSRF-safe proxy (#13596) Β· gradio-app/gradio@1c5c538
* fix: harden CORS Host-header trust (#13594) and file= open redirect/SSRF (#13593)
CORS (#13594): CustomCORSMiddleware decided whether to apply the localhost-only
CORS restriction from the client...
CORS (#13594): CustomCORSMiddleware decided whether to apply the localhost-only
CORS restriction from the client...
π¨ CVE-2026-60105
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
π@cveNotify
Monsta FTP before 2.14.5 contains a server-side request forgery vulnerability in the fetchRemoteFile action caused by an incomplete IP blocklist check in the isBlockedIP() function, which fails to detect embedded IPv4 addresses within IPv4-mapped IPv6 addresses. An unauthenticated attacker can obtain a CSRF token from the public getSystemVars endpoint and submit a fetchRemoteFile request with a source URL resolving to an IPv4-mapped address, causing the server to issue HTTP requests to internal services and write responses to an attacker-controlled FTP destination, enabling retrieval of cloud instance metadata credentials.
π@cveNotify
π¨ CVE-2026-11404
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.
π@cveNotify
Cesanta Mongoose before 7.22 contains an out-of-bounds read in the built-in TLS server function mg_tls_server_recv_hello(), which uses an attacker-controlled session_id_len byte from a TLS ClientHello as a buffer index without validating it against the length of received data. A remote, unauthenticated attacker can send a single crafted ClientHello with an oversized session id length to read past the receive buffer, crashing any HTTPS, MQTTS, or WSS service built on MG_TLS_BUILTIN.
π@cveNotify
GitHub
GitHub - cesanta/mongoose: Embedded web server, with TCP/IP network stack, MQTT and Websocket
Embedded web server, with TCP/IP network stack, MQTT and Websocket - cesanta/mongoose
π¨ CVE-2026-51597
MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.
π@cveNotify
MERCURY MIPC252W IP camera v1.0.5 Build 230306 Rel.79931n does not implement nonce expiration in RTSP Digest authentication. An adjacent network attacker can capture a legitimate authentication exchange and replay the nonce and response values in a new connection to bypass authentication without knowledge of the device credentials, gaining unauthorized access to the live video stream.
π@cveNotify
GitHub
cve_ID_report/MERCURY_MIPC252W/MERCURY_MIPC252W_5th/README.md at main Β· kkkk2222874/cve_ID_report
δΈζ₯cveζΌζ΄δ»εΊ. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
π¨ CVE-2026-51598
An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n) allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line.
π@cveNotify
An input validation vulnerability in the RTSP service of MERCURY MIPC252W IP Camera v1.0.5 Build 230306 Rel.79931n) allows an unauthenticated, network-adjacent attacker to cause a denial of service via a crafted DESCRIBE request with a malformed URL in the request line.
π@cveNotify
GitHub
cve_ID_report/MERCURY_MIPC252W/MERCURY_MIPC252W_6th/README.md at main Β· kkkk2222874/cve_ID_report
δΈζ₯cveζΌζ΄δ»εΊ. Contribute to kkkk2222874/cve_ID_report development by creating an account on GitHub.
π¨ CVE-2026-59217
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
π@cveNotify
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the file upload path accepted metadata.knowledge_id and auto-linked uploaded files to a target knowledge base without applying the write-access check used by /api/v1/knowledge//file/add, allowing read-only knowledge-base users to add arbitrary files. This issue is fixed in version 0.10.0.
π@cveNotify
GitHub
Authorize KB write access before auto-linking an uploaded file (CWE-8β¦ Β· open-webui/open-webui@b7626f0
β¦62/863) (#26001)
process_uploaded_file auto-links an uploaded file to the knowledge base named in
client-supplied metadata.knowledge_id, but it called Knowledges.add_file_to_knowledge_by_id
direc...
process_uploaded_file auto-links an uploaded file to the knowledge base named in
client-supplied metadata.knowledge_id, but it called Knowledges.add_file_to_knowledge_by_id
direc...
π¨ CVE-2026-59218
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
π@cveNotify
Open WebUI is an extensible, feature-rich, and user-friendly self-hosted AI platform. Prior to 0.10.0, the /api/v1/auths/signin endpoint looked users up by email and only ran bcrypt password verification when a credential existed, making registered-account attempts measurably slower than missing-email attempts and allowing unauthenticated account enumeration. This issue is fixed in version 0.10.0.
π@cveNotify
GitHub
refac Β· open-webui/open-webui@993e749
User-friendly AI Interface (Supports Ollama, OpenAI API, ...) - refac Β· open-webui/open-webui@993e749
π¨ CVE-2025-63579
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be obtained. This affects Kyocera Command Center RX TASKalfa 2552ci, TASKalfa 3252ci, TASKalfa 2553ci, TASKalfa 3253ci, TASKalfa 3554ci, TASKalfa 4052ci, TASKalfa 5052ci, TASKalfa 6052ci, TASKalfa 7052ci, TASKalfa 8052ci, TASKalfa 7353ci, TASKalfa 8353ci, TASKalfa 2554ci, TASKalfa 3254ci, TASKalfa 505.
π@cveNotify
Unauthorized use of Kyocera printers, allows all information stored in the Kyocera address book to be exported. The security measure that encrypts incoming data ian be bypassed with this vulnerability, allowing encrypted data to be decrypted. Passwords and other sensitive information can be obtained. This affects Kyocera Command Center RX TASKalfa 2552ci, TASKalfa 3252ci, TASKalfa 2553ci, TASKalfa 3253ci, TASKalfa 3554ci, TASKalfa 4052ci, TASKalfa 5052ci, TASKalfa 6052ci, TASKalfa 7052ci, TASKalfa 8052ci, TASKalfa 7353ci, TASKalfa 8353ci, TASKalfa 2554ci, TASKalfa 3254ci, TASKalfa 505.
π@cveNotify
GitHub
GitHub - barisbaydur/CVE-2025-63579: Unauthorized access to all user names and passwords entered in the Address Book feature foundβ¦
Unauthorized access to all user names and passwords entered in the Address Book feature found in Kyocera printers. - barisbaydur/CVE-2025-63579
π¨ CVE-2026-31267
Mercusys MW302R MW302R(EU)_V1_1.4.10 Build 231023 is vulnerable to Buffer Overflow in the administrative web interface. A stack buffer overflow vulnerability in the administrative web interface allows an authenticated attacker with administrative privileges to trigger a system crash by sending a specially crafted request. The vulnerability results in denial of service through control flow manipulation to an arbitrary instruction address.
π@cveNotify
Mercusys MW302R MW302R(EU)_V1_1.4.10 Build 231023 is vulnerable to Buffer Overflow in the administrative web interface. A stack buffer overflow vulnerability in the administrative web interface allows an authenticated attacker with administrative privileges to trigger a system crash by sending a specially crafted request. The vulnerability results in denial of service through control flow manipulation to an arbitrary instruction address.
π@cveNotify
π¨ CVE-2026-51923
An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with other usersβ accounts.
π@cveNotify
An Insecure Direct Object Reference (IDOR) vulnerability exists in docuForm GmbH Client v.11.11c allowing a remote attacker to execute arbitrary code via the user settings component, and modify or retrieve sensitive data associated with other usersβ accounts.
π@cveNotify
zerobreach.de
ZeroBreach - Penetrationstests, Security Beratung & Awareness Training
IT-Security Leistungen: Penetrationstests, Security Beratung und Awareness Trainings fΓΌr Unternehmen. Jetzt Sicherheitsniveau prΓΌfen und verbessern.