๐จ CVE-2026-10668
The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data IN already armed for a previous transfer, a USB host that cancels an in-flight control transfer (timeout) and then issues a new SETUP packet can drive the driver out of sync: stale data may be transmitted in the new transfer and the control endpoint can become permanently stuck NAK'ing every subsequent control transfer.
A malicious or buggy host (physical/adjacent attacker driving the bus) can repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint, denying service to the device's USB function (the device stops enumerating/responding on the control pipe) until a USB reset or re-plug. The flaw is an availability-only denial of service; the FIFO copy loops (bounded by net_buf length and the hardware BUFFULL flag) and the net_buf lifecycle are independent of the arming desync, so there is no out-of-bounds access, use-after-free, or information leak.
The fix monitors the IN-token and new-SETUP events (k_event) and only arms control Data IN when an IN token is present and no new SETUP has arrived, cancelling the current transfer on a new SETUP. Affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED); shipped in v4.4.0.
๐@cveNotify
The Nuvoton NuMaker HSUSBD USB device-controller driver (drivers/usb/udc/udc_numaker.c) armed the control Data IN stage unconditionally (base->CEPTXCNT = len in numaker_hsusbd_ep_trigger). Because the HSUSBD hardware cannot disarm a control Data IN already armed for a previous transfer, a USB host that cancels an in-flight control transfer (timeout) and then issues a new SETUP packet can drive the driver out of sync: stale data may be transmitted in the new transfer and the control endpoint can become permanently stuck NAK'ing every subsequent control transfer.
A malicious or buggy host (physical/adjacent attacker driving the bus) can repeatedly cancel-and-re-SETUP to wedge the device's USB control endpoint, denying service to the device's USB function (the device stops enumerating/responding on the control pipe) until a USB reset or re-plug. The flaw is an availability-only denial of service; the FIFO copy loops (bounded by net_buf length and the hardware BUFFULL flag) and the net_buf lifecycle are independent of the arming desync, so there is no out-of-bounds access, use-after-free, or information leak.
The fix monitors the IN-token and new-SETUP events (k_event) and only arms control Data IN when an IN token is present and no new SETUP has arrived, cancelling the current transfer on a new SETUP. Affects boards using the Nuvoton NuMaker HSUSBD controller (CONFIG_UDC_NUMAKER with DT_HAS_NUVOTON_NUMAKER_HSUSBD_ENABLED); shipped in v4.4.0.
๐@cveNotify
GitHub
drivers: usb: udc: numaker: hsusbd: fix stuck in control transfer ยท zephyrproject-rtos/zephyr@48e0033
Host can cancel current Control transfer for timeout and send new
Setup packet for new one. In this situation, driver can get out
of sync and even fail all the following Control transfers, probably...
Setup packet for new one. In this situation, driver can get out
of sync and even fail all the following Control transfers, probably...
๐จ CVE-2026-15505
A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument p_metaData causes cross site scripting. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in vnotex vnote up to 3.20.1. Impacted is an unknown function of the file /src/data/extra/web/js/markdownit.js of the component YAML Frontmatter. This manipulation of the argument p_metaData causes cross site scripting. The attack may be initiated remotely. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
๐จ CVE-2026-15506
A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. The affected element is an unknown function in the library saappctl.sys of the component Driver. Such manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
๐@cveNotify
A security vulnerability has been detected in SecureAge CatchPulse up to 10.9.3. The affected element is an unknown function in the library saappctl.sys of the component Driver. Such manipulation leads to heap-based buffer overflow. An attack has to be approached locally. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure.
๐@cveNotify
๐จ CVE-2026-15507
A vulnerability was detected in coollabsio Coolify up to 4.1.1. The impacted element is an unknown function of the file /app/Policies/ of the component Policy Handler. Performing a manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit is now public and may be used.
๐@cveNotify
A vulnerability was detected in coollabsio Coolify up to 4.1.1. The impacted element is an unknown function of the file /app/Policies/ of the component Policy Handler. Performing a manipulation results in missing authorization. Remote exploitation of the attack is possible. The exploit is now public and may be used.
๐@cveNotify
GitHub
CVE-Discovery/coolify-resource-policy-stubs.zip at main ยท lakshayyverma/CVE-Discovery
Contribute to lakshayyverma/CVE-Discovery development by creating an account on GitHub.
๐จ CVE-2026-15508
A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in Helicone ai-gateway up to 0.2.0-beta.30. This affects the function build_target_url of the file ai-gateway/src/dispatcher/service.rs of the component AWS Metadata Service. Executing a manipulation of the argument extracted_path_and_query can lead to server-side request forgery. The attack can be executed remotely. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
Helicone ai-gateway - SSRF via Provider Base URL Manipulation ยท Issue #1 ยท oscar2744/CVE-Submit
SSRF via Provider Base URL Manipulation Affected Project https://github.com/Helicone/ai-gateway Severity: HIGH (CVSS 8.6) CWE: CWE-918 (Server-Side Request Forgery) Affected Item: โ โ โ ai-gateway/s...
๐จ CVE-2026-15509
A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability has been found in Leantime up to 3.8.0. This impacts the function editUser/addUser of the component JSON-RPC Endpoint. The manipulation of the argument role leads to improper authorization. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Bytium
Bytium | Security-first growth
Security partners for cloud-native companies that need trust and speed.
๐จ CVE-2026-15510
A vulnerability was found in Leantime up to 3.8.0. Affected is the function Setting::saveSetting of the component API. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was found in Leantime up to 3.8.0. Affected is the function Setting::saveSetting of the component API. The manipulation results in improper authorization. The attack may be performed from remote. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Bytium
Bytium | Security-first growth
Security partners for cloud-native companies that need trust and speed.
๐จ CVE-2026-15511
A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was determined in Comfast CF-WR631AX V3 up to 2.7.0.8. Affected by this vulnerability is the function system_wl_upload_pic_file of the file /usr/bin/webmgnt of the component FastCGI Backend. This manipulation of the argument filename causes os command injection. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
cve/Command Injection in Comfast CF-WR631AX V3 โ WiFi Portal Image Upload (CWE-78) at main ยท luminarydawn/cve
Contribute to luminarydawn/cve development by creating an account on GitHub.
๐จ CVE-2026-15512
A vulnerability was identified in pig-mesh Pig up to 3.9.2. Affected by this issue is some unknown functionality of the file \pig-master\pig-visual\pig-codegen\src\main\java\com\pig4cloud\pig\codegen\service\impl\GeneratorServiceImpl.java of the component pig-codegen. Such manipulation leads to code injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was identified in pig-mesh Pig up to 3.9.2. Affected by this issue is some unknown functionality of the file \pig-master\pig-visual\pig-codegen\src\main\java\com\pig4cloud\pig\codegen\service\impl\GeneratorServiceImpl.java of the component pig-codegen. Such manipulation leads to code injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
CVE-2026/pig-mesh/SSIT.md at main ยท sombra0316/CVE-2026
ไธชไบบๆไบค. Contribute to sombra0316/CVE-2026 development by creating an account on GitHub.
๐จ CVE-2026-15513
A security flaw has been discovered in Wavlink WL-NU516U1 260515. This affects the function wlink_uci_set_value of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument lan_ip results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
๐@cveNotify
A security flaw has been discovered in Wavlink WL-NU516U1 260515. This affects the function wlink_uci_set_value of the file /cgi-bin/adm.cgi. Performing a manipulation of the argument lan_ip results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
๐@cveNotify
๐จ CVE-2026-15514
A weakness has been identified in Metasoft ็พ็น่ฝฏไปถ MetaCRM up to 6.4.0 Beta06. This vulnerability affects the function RPCService.query of the file /customizemt/xkq/rpc.jsp of the component PHPRPC Remote Call Interface. Executing a manipulation of the argument phprpc_args can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A weakness has been identified in Metasoft ็พ็น่ฝฏไปถ MetaCRM up to 6.4.0 Beta06. This vulnerability affects the function RPCService.query of the file /customizemt/xkq/rpc.jsp of the component PHPRPC Remote Call Interface. Executing a manipulation of the argument phprpc_args can lead to sql injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
ucn9h68n9289.feishu.cn
Docs
๐จ CVE-2026-15515
A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. This issue affects some unknown processing in the library qmudisk64.sys of the component QMUDisk Driver. The manipulation leads to uncontrolled search path. The attack must be carried out locally. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A security vulnerability has been detected in Tencent PC Manager 18.1.30242.301. This issue affects some unknown processing in the library qmudisk64.sys of the component QMUDisk Driver. The manipulation leads to uncontrolled search path. The attack must be carried out locally. The attack is considered to have high complexity. The exploitability is assessed as difficult. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
GitHub - subsubsub1231/qmukiller
Contribute to subsubsub1231/qmukiller development by creating an account on GitHub.
๐จ CVE-2026-15516
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. Upgrading to version 2022.1000.3025 is recommended to address this issue. Upgrading the affected component is recommended.
๐@cveNotify
A vulnerability was detected in MacCMS Pro up to 2022.1000.3005. Impacted is the function step5 of the file application/install/controller/Index.php of the component Installation Module. The manipulation results in authorization bypass. The attack may be launched remotely. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit is now public and may be used. Upgrading to version 2022.1000.3025 is recommended to address this issue. Upgrading the affected component is recommended.
๐@cveNotify
GitHub
Releases ยท magicblack/maccms10
่นๆCMS v10 ยท MacCMS v10 โ ๅผๆบๅ
ๅฎน็ฎก็็ณป็ป๏ผ่ง้ข / ๅ้ๅงๆ
/ ๆ็ซ / ๆผซ็ป / ๅพ็ / ็ฝๅๅฏผ่ช. Open-source PHP CMS for video, articles, manga, images & site navigation. - magicblack/maccms10
๐จ CVE-2026-15517
A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/PlanGiveOut.aspx. This manipulation of the argument httpOID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A flaw has been found in Jinher OA 1.0. The affected element is an unknown function of the file /C6/JHSoft.Web.PlanSummarize/PlanGiveOut.aspx. This manipulation of the argument httpOID causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
Jinher OA SQL Injection Vulnerability Report ยท Issue #1 ยท weini587/CVE
Jinher OA SQL Injection Vulnerability Report AFFECTED PRODUCT Product: Jinhe OA (Jhsoft OA) Affected Component: /C6/JHSoft.Web.PlanSummarize/PlanGiveOut.aspx VENDOR INFORMATION Vendor: Jinher Netwo...
๐จ CVE-2026-15518
A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0. The impacted element is the function FileLibraryController::storeFile of the file src/Http/Controllers/Admin/FileLibraryController.php of the component Media Library Insert Page. Such manipulation of the argument qqfilename leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability has been found in AREA 17 Twill CMS up to 3.6.0. The impacted element is the function FileLibraryController::storeFile of the file src/Http/Controllers/Admin/FileLibraryController.php of the component Media Library Insert Page. Such manipulation of the argument qqfilename leads to unrestricted upload. The attack can be executed remotely. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
Bytium
Bytium | Security-first growth
Security partners for cloud-native companies that need trust and speed.
๐จ CVE-2026-15551
Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Overflow Buffers.
This issue affects .
๐@cveNotify
Integer overflow or wraparound vulnerability in Samsung Open Source rlottie allows Overflow Buffers.
This issue affects .
๐@cveNotify
GitHub
Fix heap buffer overflow from short truncation of span Y coordinate by mmaciola ยท Pull Request #595 ยท Samsung/rlottie
SW_FT_Span.y is a 16-bit short, so limit our coordinates appropriately.
The clamp (and its "is an integer" comment) was inherited from upstream FreeType's ftgrays.c, where...
The clamp (and its "is an integer" comment) was inherited from upstream FreeType's ftgrays.c, where...
๐จ CVE-2026-15519
A vulnerability was found in usestrix strix up to 1.0.2. This affects an unknown function of the file system_prompt.jinja of the component PyPI Handler. Performing a manipulation results in inclusion of functionality from untrusted control sphere. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
A vulnerability was found in usestrix strix up to 1.0.2. This affects an unknown function of the file system_prompt.jinja of the component PyPI Handler. Performing a manipulation results in inclusion of functionality from untrusted control sphere. The attack is possible to be carried out remotely. The complexity of an attack is rather high. The exploitability is reported as difficult. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
๐@cveNotify
GitHub
GitHub - ez-lbz/strix-vul-report
Contribute to ez-lbz/strix-vul-report development by creating an account on GitHub.
๐จ CVE-2026-15520
A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035. This impacts the function decompress_R2004_section of the file src/decode.c of the component R2004 Section Decompression. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.14.8396 will fix this issue. This patch is called 3d0f9fc2eddbd6579c99af3111c37c98f03475d0. You should upgrade the affected component.
๐@cveNotify
A vulnerability was determined in GNU LibreDWG 0.13.4-154-g0b573035. This impacts the function decompress_R2004_section of the file src/decode.c of the component R2004 Section Decompression. Executing a manipulation can lead to heap-based buffer overflow. The attack requires local access. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.14.8396 will fix this issue. This patch is called 3d0f9fc2eddbd6579c99af3111c37c98f03475d0. You should upgrade the affected component.
๐@cveNotify
GitHub
CVE-Repos/libredwg/libredwg_0b57303_heap_overflow_decompress_R2004_section.dwg at main ยท HackC0der/CVE-Repos
Contribute to HackC0der/CVE-Repos development by creating an account on GitHub.
๐จ CVE-2026-15521
A vulnerability was identified in makafeli n8n-workflow-builder up to 0.11.0. Affected is an unknown function of the file build/server.cjs of the component update_node_from_file. The manipulation of the argument filePath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
๐@cveNotify
A vulnerability was identified in makafeli n8n-workflow-builder up to 0.11.0. Affected is an unknown function of the file build/server.cjs of the component update_node_from_file. The manipulation of the argument filePath leads to path traversal. An attack has to be approached locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
๐@cveNotify
GitHub
GitHub - makafeli/n8n-workflow-builder: AI assistant integration for n8n workflow automation through Model Context Protocol (MCP).โฆ
AI assistant integration for n8n workflow automation through Model Context Protocol (MCP). Connect Claude Desktop, ChatGPT, and other AI assistants to n8n for natural language workflow management. ...
๐จ CVE-2026-15522
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
๐@cveNotify
A security flaw has been discovered in tugcantopaloglu godot-mcp 2.0.0. Affected by this vulnerability is the function validatePath of the file build/index.js of the component run_project. The manipulation of the argument projectPath results in path traversal. Attacking locally is a requirement. The exploit has been released to the public and may be used for attacks. Upgrading to version 3.0.0 addresses this issue. The patch is identified as eb63add552aa4bd9205395cf91b40654654a3cf2. It is suggested to upgrade the affected component.
๐@cveNotify
GitHub
GitHub - tugcantopaloglu/godot-mcp: MCP server for full Godot 4.x engine control โ 149 tools for AI-driven game development
MCP server for full Godot 4.x engine control โ 149 tools for AI-driven game development - tugcantopaloglu/godot-mcp