Critical · CVSS 9.1
Improper access control on nasSvr.php in actidata actiNAS SL 2U-8 RDX 3.2.03-SP1 allows remote attackers to read and modify different types of data without authentication.
Published Jan 19, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.1
Multiple reflected cross-site scripting (XSS) vulnerabilities in nasSvr.php in actidata actiNAS-SL-2U-8 3.2.03-SP1 allow remote attackers to inject arbitrary web script or HTML.
Published Jan 19, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
Published Jan 20, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
YonBIP v3_23.05 was discovered to contain a SQL injection vulnerability via the com.yonyou.hrcloud.attend.web.AttendScriptController.runScript() method.
Published Jan 20, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
YonBIP v3_23.05 was discovered to contain an arbitrary file read vulnerability via the nc.bs.framework.comn.serv.CommonServletDispatcher component.
Published Jan 20, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the nccloud.web.arcp.taskmonitor.action.ArcpUploadAction.doAction() method of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
Published Jan 20, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An arbitrary file upload vulnerability in the uap.framework.rc.itf.IResourceManager interface of YonBIP v3_23.05 allows attackers to execute arbitrary code via uploading a crafted file.
Published Jan 20, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in yonyou YonBIP v3_23.05 allows a remote attacker to execute arbitrary code via a crafted script to the ServiceDispatcherServlet uap.framework.rc.itf.IResourceManager component.
Published Jan 20, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in weaver e-cology v.10.0.2310.01 allows a remote attacker to execute arbitrary code via a crafted script to the FrameworkShellController component.
Published Jan 20, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
SQL injection vulnerability in StackIdeas EasyDiscuss v.5.0.5 and fixed in v.5.0.10 allows a remote attacker to obtain sensitive information via a crafted request to the search parameter in the Users module.
Published Jan 16, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in Evernote Evernote for MacOS v.10.68.2 allows a remote attacker to execute arbitrary code via the RunAsNode and enableNodeClilnspectArguments components.
Published Jan 9, 2024 · Updated Jul 9, 2026
Medium · CVSS 5.3
The remote keyless system of the Hozard alarm system (alarmsystemen) v1.0 sends an identical radio frequency signal for each request, which results in an attacker being able to conduct replay attacks to bring the alarm system to a disarmed state.
Published Jan 11, 2024 · Updated Jul 9, 2026
High · CVSS 8.8
pyLoad 0.5.0 is vulnerable to Unrestricted File Upload.
Published Jan 8, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue in SpringBlade v.3.7.0 and before allows a remote attacker to escalate privileges via the lack of permissions control framework.
Published Jan 2, 2024 · Updated Jul 9, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability in ABO.CMS v.5.9.3 allows an attacker to execute arbitrary code via a crafted payload to the Referer header.
Published Jan 17, 2024 · Updated Jul 9, 2026
High · CVSS 7.2
File Upload vulnerability PMB v.7.4.8 allows a remote attacker to execute arbitrary code and escalate privileges via a crafted PHP file uploaded to the start_import.php file.
Published Jan 11, 2024 · Updated Jul 9, 2026
High · CVSS 8.2
An issue in Tamaki_hamanoki Line v.13.6.1 allows attackers to send crafted notifications via leakage of the channel access token.
Published Jan 3, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
An issue in Automatic Systems SOC FL9600 FirstLane V06 lego_T04E00 allows a remote attacker to obtain sensitive information because there is an automaticsystems super admin account with astech as its hardcoded password.
Published Jan 3, 2024 · Updated Jul 9, 2026
High · CVSS 7.5
Directory Traversal in Automatic Systems SOC FL9600 FirstLane V06 lego_T04E00 allows a remote attacker to obtain sensitive information via csvServer.php?file= with a .. in the dir parameter.
Published Jan 3, 2024 · Updated Jul 9, 2026
Critical · CVSS 9.8
An issue was discovered in badaix Snapcast version 0.27.0, allows remote attackers to execute arbitrary code and gain sensitive information via crafted request in JSON-RPC-API.
Published Jan 23, 2024 · Updated Jul 9, 2026
High · CVSS 7.8
Jensen of Scandinavia Eagle 1200AC V15.03.06.33_en was discovered to contain a command injection vulnerability in the function formWriteFacMac. This vulnerability allows attackers to execute arbitrary commands via manipulation of the mac parameter.
Published Jan 22, 2024 · Updated Jul 9, 2026
High · CVSS 8.9
The NextEPC MME <= 1.0.1 (fixed in commit a8492c9c5bc0a66c6999cb5a263545b32a4109df) contains a stack-based buffer overflow vulnerability in the Emergency Number List decoding method. An attacker may send a NAS message containing an oversized Emergency Number List value to the MME to overwrite the stack with arbitrary bytes. An attacker with a cellphone connection to any base station managed by the MME may exploit this vulnerability without having to authenticate with the LTE core.
Published Jan 22, 2025 · Updated Jul 5, 2026
High · CVSS 7.5
TP-Link Tapo APK up to v2.12.703 uses hardcoded credentials for access to the login panel.
Published Jan 9, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.1
Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the name parameter of the Profile and Exclusion List page(s).
Published Jan 9, 2024 · Updated Jul 5, 2026
Critical · CVSS 9.8
An issue found in NetScout nGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code and cause a denial of service via a crafted file.
Published Jan 9, 2024 · Updated Jul 5, 2026
Medium · CVSS 5.4
Cross Site Scripting vulnerability found in NetScoutnGeniusOne v.6.3.4 allows a remote attacker to execute arbitrary code via the creator parameter of the Alert Configuration page.
Published Jan 9, 2024 · Updated Jul 5, 2026
Medium · CVSS 6.6
A missing authorization check vulnerability exists in GitLab Remote Development affecting all versions prior to 16.5.6, 16.6 prior to 16.6.4 and 16.7 prior to 16.7.2. This condition allows an attacker to create a workspace in one group that is associated with an agent from another group.
Published Jan 12, 2024 · Updated Jun 27, 2026
High · CVSS 7.4
A buffer overflow was found in Shim in the 32-bit system. The overflow happens due to an addition operation involving a user-controlled value parsed from the PE binary being used by Shim. This value is further used for memory allocation operations, leading to a heap-based buffer overflow. This flaw causes memory corruption and can lead to a crash or data integrity issues during the boot phase.
Published Jan 29, 2024 · Updated Jun 26, 2026
High · CVSS 8.3
A remote code execution vulnerability was found in Shim. The Shim boot support trusts attacker-controlled values when parsing an HTTP response. This flaw allows an attacker to craft a specific malicious HTTP request, leading to a completely controlled out-of-bounds write primitive and complete system compromise. This flaw is only exploitable during the early boot phase, an attacker needs to perform a Man-in-the-Middle or compromise the boot server to be able to exploit this vulnerability successfully.
Published Jan 25, 2024 · Updated Jun 26, 2026
High · CVSS 7.5
A segment fault (SEGV) flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFReadRGBATileExt() API. This flaw allows a remote attacker to cause a heap-buffer overflow, leading to a denial of service.
Published Jan 25, 2024 · Updated Jun 10, 2026
Critical · CVSS 10 · CISA KEV
An issue has been discovered in GitLab CE/EE affecting all versions from 16.1 prior to 16.1.6, 16.2 prior to 16.2.9, 16.3 prior to 16.3.7, 16.4 prior to 16.4.5, 16.5 prior to 16.5.6, 16.6 prior to 16.6.4, and 16.7 prior to 16.7.2 in which user account password reset emails could be delivered to an unverified email address.
Published Jan 12, 2024 · Updated May 26, 2026
Medium · CVSS 6.1
Jetpack 11.4 contains a cross-site scripting vulnerability in the contact form module that allows attackers to inject malicious scripts through the post_id parameter. Attackers can craft malicious URLs with script payloads to execute arbitrary JavaScript in victims' browsers when they interact with the contact form page.
Published Jan 13, 2026 · Updated May 24, 2026
Medium · CVSS 6.1
Zstore, now referred to as Zippy CRM, 6.5.4 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts through unvalidated input parameters. Attackers can submit crafted payloads in manual insertion points to execute arbitrary JavaScript code in victim's browser context.
Published Jan 13, 2026 · Updated May 24, 2026
High · CVSS 7.5
An out-of-memory flaw was found in libtiff that could be triggered by passing a crafted tiff file to the TIFFRasterScanlineSize64() API. This flaw allows a remote attacker to cause a denial of service via a crafted input with a size smaller than 379 KB.
Published Jan 25, 2024 · Updated May 21, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Mergen Software Quality Management System allows SQL Injection.
This issue affects Quality Management System: before v1.2.
Published Jan 18, 2024 · Updated May 20, 2026
Critical · CVSS 9.8
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Ekol Informatics Website Template allows SQL Injection.
This issue affects Website Template: through 20231215.
Published Jan 2, 2024 · Updated May 20, 2026
High · CVSS 7.5
Path Traversal: '/../filedir' vulnerability in Biges Safe Life Technologies Electronics Inc. VGuard allows Absolute Path Traversal.
This issue affects VGuard: before V500.0003.R008.4011.C0012.B351.C.
Published Jan 26, 2024 · Updated May 20, 2026
Medium · CVSS 6.1
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Macroturk Software and Internet Technologies Macro-Bel allows Reflected XSS.
This issue affects Macro-Bel: before V.1.0.1.
Published Jan 18, 2024 · Updated May 20, 2026
Critical · CVSS 9.3
Changjetong T+ versions up to and including 16.x contain a .NET deserialization vulnerability in an AjaxPro endpoint that can lead to remote code execution. A remote attacker can send a crafted request to /tplus/ajaxpro/Ufida.T.CodeBehind._PriorityLevel,App_Code.ashx?method=GetStoreWarehouseByStore with a malicious JSON body that leverages deserialization of attacker-controlled .NET types to invoke arbitrary methods such as System.Diagnostics.Process.Start. This can result in execution of arbitrary commands in the context of the T+ application service account. Exploitation evidence was observed by the Shadowserver Foundation as early as 2023-08-19 (UTC).
Published Jan 15, 2026 · Updated May 14, 2026
Medium · CVSS 5.3
An integer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a very long message, leading to an incorrect calculation of the buffer size to store the message, resulting in undefined behavior. This issue affects glibc 2.37 and newer.
Published Jan 31, 2024 · Updated May 12, 2026
High · CVSS 8.2
An off-by-one heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when these functions are called with a message bigger than INT_MAX bytes, leading to an incorrect calculation of the buffer size to store the message, resulting in an application crash. This issue affects glibc 2.37 and newer.
Published Jan 31, 2024 · Updated May 12, 2026
High · CVSS 8.4
A heap-based buffer overflow was found in the __vsyslog_internal function of the glibc library. This function is called by the syslog and vsyslog functions. This issue occurs when the openlog function was not called, or called with the ident argument set to NULL, and the program name (the basename of argv[0]) is bigger than 1024 bytes, resulting in an application crash or local privilege escalation. This issue affects glibc 2.36 and newer.
Published Jan 31, 2024 · Updated May 12, 2026
Medium · CVSS 6.5
Issue summary: The POLY1305 MAC (message authentication code) implementation
contains a bug that might corrupt the internal state of applications running
on PowerPC CPU based platforms if the CPU provides vector instructions.
Impact summary: If an attacker can influence whether the POLY1305 MAC
algorithm is used, the application state might be corrupted with various
application dependent consequences.
The POLY1305 MAC (message authentication code) implementation in OpenSSL for
PowerPC CPUs restores the contents of vector registers in a different order
than they are saved. Thus the contents of some of these vector registers
are corrupted when returning to the caller. The vulnerable code is used only
on newer PowerPC processors supporting the PowerISA 2.07 instructions.
The consequences of this kind of internal application state corruption can
be various - from no consequences, if the calling application does not
depend on the contents of non-volatile XMM registers at all, to the worst
consequences, where the attacker could get complete control of the application
process. However unless the compiler uses the vector registers for storing
pointers, the most likely consequence, if any, would be an incorrect result
of some application dependent calculations or a crash leading to a denial of
service.
The POLY1305 MAC algorithm is most frequently used as part of the
CHACHA20-POLY1305 AEAD (authenticated encryption with associated data)
algorithm. The most common usage of this AEAD cipher is with TLS protocol
versions 1.2 and 1.3. If this cipher is enabled on the server a malicious
client can influence whether this AEAD cipher is used. This implies that
TLS server applications using OpenSSL can be potentially impacted. However
we are currently not aware of any concrete application that would be affected
by this issue therefore we consider this a Low severity security issue.
Published Jan 9, 2024 · Updated May 12, 2026
Medium · CVSS 5.3
Missing Authorization vulnerability in vberkel Schema App Structured Data schema-app-structured-data-for-schemaorg allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Schema App Structured Data: from n/a through <= 1.23.1.
Published Jan 2, 2025 · Updated May 11, 2026
Medium · CVSS 5.3
Missing Authorization vulnerability in WPDO DoLogin Security dologin allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects DoLogin Security: from n/a through <= 3.7.1.
Published Jan 2, 2025 · Updated May 11, 2026
Medium · CVSS 6.5
An issue has been discovered in GitLab CE/EE affecting all versions from 12.7 prior to 16.6.6, 16.7 prior to 16.7.4, and 16.8 prior to 16.8.1 It was possible for an attacker to trigger a Regular Expression Denial of Service via a `Cargo.toml` containing maliciously crafted input.
Published Jan 26, 2024 · Updated May 6, 2026
High · CVSS 7.6
An issue has been discovered in GitLab EE affecting all versions starting from 15.3 before 16.5.6, all versions starting from 16.6 before 16.6.4, all versions starting from 16.7 before 16.7.2. The required CODEOWNERS approval could be bypassed by adding changes to a previously approved merge request.
Published Jan 12, 2024 · Updated May 1, 2026
Medium · CVSS 5.3
Missing Authorization vulnerability in Porto Theme Porto Theme - Functionality porto-functionality allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects Porto Theme - Functionality: from n/a through < 2.12.1.
Published Jan 2, 2025 · Updated Apr 29, 2026
High · CVSS 7.1
Missing Authorization vulnerability in Crocoblock JetEngine jet-engine allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects JetEngine: from n/a through <= 3.2.4.
Published Jan 2, 2025 · Updated Apr 29, 2026
Medium · CVSS 4.3
Missing Authorization vulnerability in 10Web 10WebAnalytics wd-google-analytics allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects 10WebAnalytics: from n/a through <= 1.2.12.
Published Jan 2, 2025 · Updated Apr 29, 2026