๐จ CVE-2026-14846
In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the โAliasโ parameter in the โUpdate your addressโ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the โGet my data in CSVโ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victimโs personal data.
๐@cveNotify
In version 8.2.1 of PrestaShop, there is a vulnerability relating to the incorrect sanitisation of elements, caused by inadequate validation of the โAliasโ parameter in the โUpdate your addressโ function. This flaw allows an attacker to inject malicious expressions that are executed when the information is exported using the โGet my data in CSVโ tool. Successful exploitation of this vulnerability could facilitate unauthorised access to the victimโs personal data.
๐@cveNotify
www.incibe.es
Incorrect neutralisation in the PrestaShop firmware
INCIBE has coordinated the publication of a medium-severity vulnerability affecting the firmware of Pr
๐จ CVE-2026-15548
A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub_407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely. This project is superseded by FreshTomato.
๐@cveNotify
A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub_407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely. This project is superseded by FreshTomato.
๐@cveNotify
Gitee
็ไธฐๆฏ
/CVE: Backup repository for firmware CVE submission issues and package archives
๐จ CVE-2026-15557
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
๐@cveNotify
A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
๐@cveNotify
GitHub
GitHub - waooAI/waoowaoo: ้ฆๅฎถๅทฅไธ็บงๅ
จๆต็จ AI ๅฝฑ่ง็ไบงๅนณๅฐใIndustry-first professional AI Agent platform for controllable film & video production.โฆ
้ฆๅฎถๅทฅไธ็บงๅ
จๆต็จ AI ๅฝฑ่ง็ไบงๅนณๅฐใIndustry-first professional AI Agent platform for controllable film & video production. From shorts to live-action with Hollywood-standard workflows. - waooAI/waoowaoo
๐จ CVE-2026-22093
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.
This issue affects EVbee Service: v1.4.101.00.
๐@cveNotify
The EVbee Service Android app uses TLS encrypted communication (HTTPS), but does not validate the certificate provided by the server. This allows an attacker on the network path between the app and EVbee server to intercept and manipulate the communication between the app and server. The traffic is weakly encrypted using RC4 with a hardcoded key, which allows an attacker to gain access to the communication. Part of this communication involves access codes to charging stations.
This issue affects EVbee Service: v1.4.101.00.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22095
The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection.
๐@cveNotify
The network diagnosis endpoint on the web server at port 8090 is vulnerable to command injection.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22096
The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.
๐@cveNotify
The webserver running on port 8090 does not require authentication. This allows for sensitive information leakage such as configured passwords, or uploading files through different endpoints.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22097
The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.
๐@cveNotify
The firmware update mechanism does not include cryptographic signature validation. This allows anyone with access to the firmware update capability to upload arbitrary files which can then lead to arbitrary code execution.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22098
Various sensitive information such as passwords and charging card UIDs are written to log files.
๐@cveNotify
Various sensitive information such as passwords and charging card UIDs are written to log files.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22099
The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.
๐@cveNotify
The charging station does not require authentication for Bluetooth commands to perform actions. The functionality exposed includes sensitive information leakage, triggering reboots, or pushing a firmware update URL.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22100
The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.
๐@cveNotify
The OCPP DataTransfer message `ReserveLogin` is vulnerable to command injection. By manipulating the data value, arbitrary OS commands can be executed as root.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22102
A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification.
This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means.
๐@cveNotify
A POST request sent to a specific webserver endpoint can be used to write to arbitrary file locations. The endpoint accepts the filename parameter in the Content-Disposition header without verification.
This can be used to cause a denial of service by overwriting system files, or remote-code-execution by overwriting shell-scripts which execution can be triggered through other means.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-22103
The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.
๐@cveNotify
The NPC start endpoint on the web server at port 8090 is vulnerable to command injection.
๐@cveNotify
DIVD CSIRT
DIVD-2026-00001 - DIVD-2026-00001 โ EVbee Service App and DC Quick Charging Station
Multiple vulnerabilities in EVbee Service App and DC Quick Charging Stations.
๐จ CVE-2026-41041
URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino.
This issue affects Apache Gravitino: from 1.0.0 before 1.2.1.
Users are recommended to upgrade to version 1.2.1, which fixes the issue.
๐@cveNotify
URL path injection via unencoded user-supplied identifiers vulnerability in Apache Gravitino.
This issue affects Apache Gravitino: from 1.0.0 before 1.2.1.
Users are recommended to upgrade to version 1.2.1, which fixes the issue.
๐@cveNotify
๐จ CVE-2026-49876
Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.
This issue affects Apache Gravitino: from 1.0.0 through 1.2.1.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
๐@cveNotify
Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.
This issue affects Apache Gravitino: from 1.0.0 through 1.2.1.
Users are recommended to upgrade to version 1.3.0, which fixes the issue.
๐@cveNotify
๐จ CVE-2026-57363
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in QuantumCloud ChatBot chatbot allows Stored XSS.This issue affects ChatBot: from n/a through <= 8.3.7.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress ChatBot Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57364
Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment โ Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment โ Instant Payments, Donations, Fundraising with Subscriptions & More: from n/a through <= 2.2.0.
๐@cveNotify
Improper Validation of Specified Quantity in Input vulnerability in WPDeveloper Better Payment โ Instant Payments, Donations, Fundraising with Subscriptions & More better-payment allows Accessing Functionality Not Properly Constrained by ACLs.This issue affects Better Payment โ Instant Payments, Donations, Fundraising with Subscriptions & More: from n/a through <= 2.2.0.
๐@cveNotify
Patchstack
Other Vulnerability Type in WordPress Better Payment โ Instant Payments, Donations, Fundraising with Subscriptions & More Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57365
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 & v3) for Asgaros Forum: from n/a through <= 1.1.0.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Hitesh Chandwani reCAPTCHA (v2 & v3) for Asgaros Forum recaptcha-for-asgaros-forum allows DOM-Based XSS.This issue affects reCAPTCHA (v2 & v3) for Asgaros Forum: from n/a through <= 1.1.0.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress reCAPTCHA (v2 & v3) for Asgaros Forum Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57369
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4.
๐@cveNotify
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in themifyme Themify Builder themify-builder allows Reflected XSS.This issue affects Themify Builder: from n/a through <= 7.7.4.
๐@cveNotify
Patchstack
Cross Site Scripting (XSS) in WordPress Themify Builder Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57371
Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.
๐@cveNotify
Deserialization of Untrusted Data vulnerability in denishua WPJAM Basic wpjam-basic allows Object Injection.This issue affects WPJAM Basic: from n/a through <= 7.0.
๐@cveNotify
Patchstack
PHP Object Injection in WordPress WPJAM Basic Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57372
Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0.
๐@cveNotify
Server-Side Request Forgery (SSRF) vulnerability in denishua WPJAM Basic wpjam-basic allows Server Side Request Forgery.This issue affects WPJAM Basic: from n/a through <= 7.0.
๐@cveNotify
Patchstack
Server Side Request Forgery (SSRF) in WordPress WPJAM Basic Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.
๐จ CVE-2026-57375
Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4.
๐@cveNotify
Missing Authorization vulnerability in FluxBuilder MStore API mstore-api allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects MStore API: from n/a through <= 4.18.4.
๐@cveNotify
Patchstack
Broken Access Control in WordPress MStore API Plugin
Patchstack is the leading open source vulnerability research organization. Find information and protection for all WordPress, Drupal and Joomla security issues.