VulDB Recent Entries

A vulnerability was found in PrestaShop up to 8.2.3/9.0.2 and classified as problematic. This impacts an unknown function. Executing a manipulation can lead to observable timing discrepancy. This vulnerability is tracked as CVE-2026-25597. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability has been found in n8n-io n8n up to 1.120.x and classified as critical. This affects an unknown function of the component Credential Domain Validation. Performing a manipulation results in improper authentication. This vulnerability is identified as CVE-2026-25631. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability, which was classified as critical, was found in pydantic pydantic-ai up to 1.55.x. The impacted element is an unknown function. Such manipulation leads to server-side request forgery. This vulnerability is referenced as CVE-2026-25580. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

A vulnerability, which was classified as critical, has been found in WaterFutures EPyT-Flow up to 0.16.0. The affected element is an unknown function of the component REST API. This manipulation causes deserialization. The identification of this vulnerability is CVE-2026-25632. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability classified as critical was found in Microsoft semantic-kernel up to 1.69.x. Impacted is an unknown function of the component SessionsPythonPlugin. The manipulation results in path traversal. This vulnerability was named CVE-2026-25592. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.

A vulnerability classified as critical has been found in D-Link DIR-823X 250416. This issue affects some unknown processing of the file /goform/set_ddns of the component DDNS Service. The manipulation of the argument ddnsType/ddnsDomainName/ddnsUserName/ddnsPwd leads to os command injection. This vulnerability is uniquely identified as CVE-2026-2143. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability described as critical has been identified in D-Link DIR-823X 250416. This vulnerability affects the function sub_420688 of the file /goform/set_qos. Executing a manipulation can lead to os command injection. This vulnerability is handled as CVE-2026-2142. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability marked as critical has been reported in WuKongOpenSource WukongCRM up to 11.3.3. This affects an unknown part of the file gateway/src/main/java/com/kakarote/gateway/service/impl/PermissionServiceImpl.java of the component URL Handler. Performing a manipulation results in improper authorization. This vulnerability is known as CVE-2026-2141. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability labeled as critical has been found in Tenda TX9 up to 22.03.02.10_multi. Affected by this issue is the function sub_4223E0 of the file /goform/setMacFilterCfg. Such manipulation of the argument deviceList leads to buffer overflow. This vulnerability is traded as CVE-2026-2140. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability identified as critical has been detected in Tenda TX9 up to 22.03.02.10_multi. Affected by this vulnerability is the function sub_432580 of the file /goform/fast_setting_wifi_set. This manipulation of the argument ssid causes buffer overflow. This vulnerability appears as CVE-2026-2139. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability categorized as critical has been discovered in Tenda TX9 up to 22.03.02.10_multi. Affected is the function sub_42D03C of the file /goform/SetStaticRouteCfg. The manipulation of the argument list results in buffer overflow. This vulnerability is reported as CVE-2026-2138. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in Tenda TX3 up to 16.03.13.11_multi. It has been rated as critical. This impacts an unknown function of the file /goform/SetIpMacBind. The manipulation of the argument list leads to buffer overflow. This vulnerability is documented as CVE-2026-2137. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability was found in projectworlds Online Food Ordering System 1.0. It has been declared as critical. This affects an unknown function of the file /view-ticket.php. Executing a manipulation of the argument ID can lead to sql injection. This vulnerability is registered as CVE-2026-2136. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in UTT HiPER 810 1.7.4-141218. It has been classified as critical. The impacted element is the function sub_43F020 of the file /goform/formPdbUpConfig. Performing a manipulation of the argument policyNames results in command injection. This vulnerability is cataloged as CVE-2026-2135. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability was found in PHPGurukul Hospital Management System 4.0 and classified as critical. The affected element is an unknown function of the file /hms/admin/manage-doctors.php. Such manipulation of the argument ID leads to sql injection. This vulnerability is listed as CVE-2026-2134. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability has been found in code-projects Online Music Site 1.0 and classified as critical. Impacted is an unknown function of the file /Administrator/PHP/AdminUpdateCategory.php. This manipulation of the argument txtimage causes unrestricted upload. This vulnerability is tracked as CVE-2026-2133. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability, which was classified as critical, was found in code-projects Online Music Site 1.0. This issue affects some unknown processing of the file /Administrator/PHP/AdminUpdateCategory.php. The manipulation of the argument txtcat results in sql injection. This vulnerability is identified as CVE-2026-2132. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability, which was classified as critical, has been found in XixianLiang HarmonyOS-mcp-server 0.1.0. This vulnerability affects the function input_text. The manipulation of the argument text leads to os command injection. This vulnerability is referenced as CVE-2026-2131. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability classified as critical was found in BurtTheCoder mcp-maigret up to 1.0.12. This affects an unknown part of the file src/index.ts of the component search_username. Executing a manipulation of the argument Username can lead to command injection. The identification of this vulnerability is CVE-2026-2130. The attack may be launched remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability classified as critical has been found in D-Link DIR-823X 250416. Affected by this issue is some unknown functionality of the file /goform/set_ac_status. Performing a manipulation of the argument ac_ipaddr/ac_ipstatus/ap_randtime results in os command injection. This vulnerability was named CVE-2026-2129. The attack may be initiated remotely. In addition, an exploit is available.