VulDB Recent Entries

A vulnerability identified as critical has been detected in OpenCATS up to 0.9.7.4. This affects the function define of the file config.php of the component AJAX Endpoint. This manipulation of the argument action causes code injection. This vulnerability is tracked as CVE-2026-27760. The attack is possible to be carried out remotely. No exploit exists. It is suggested to install a patch to address this issue.

A vulnerability categorized as problematic has been discovered in Devolutions Server up to 2026.1.14.0. Affected by this issue is some unknown functionality of the component API Handler. The manipulation results in missing authorization. This vulnerability is identified as CVE-2026-6706. The attack can be executed remotely. There is not any exploit available.

A vulnerability was found in BinSoft mpGabinet up to 23.12.19. It has been rated as problematic. Affected by this vulnerability is an unknown functionality. The manipulation leads to use of client-side authentication. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is referenced as CVE-2026-40551. The attack can only be performed from a local environment. No exploit is available.

A vulnerability was found in BinSoft mpGabinet up to 23.12.19. It has been declared as problematic. Affected is an unknown function of the component Application Interface. Executing a manipulation can lead to execution with unnecessary privileges. This vulnerability only affects products that are no longer supported by the maintainer. The identification of this vulnerability is CVE-2026-40550. The attack can only be executed locally. There is no exploit available.

A vulnerability was found in BinSoft mpGabinet up to 23.12.19. It has been classified as critical. This impacts an unknown function. Performing a manipulation results in incorrect resource transfer. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability was named CVE-2026-40552. The attack may be initiated remotely. There is no available exploit.

A vulnerability was found in Nutanix Cisco Intersight Device Connector for Prism Central up to 7.5.0 and classified as critical. This affects an unknown function of the component API Passthrough Endpoint. Such manipulation leads to missing authentication. This vulnerability is uniquely identified as CVE-2026-5944. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability has been found in elinsky execution-system-mcp 0.1.0 and classified as critical. The impacted element is the function _get_context_file_path of the file src/execution_system_mcp/server.py of the component add_action Tool. This manipulation of the argument context causes path traversal. This vulnerability is handled as CVE-2026-7319. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability, which was classified as critical, was found in elie mcp-project 0.1.0. The affected element is the function search_papers of the file research_server.py. The manipulation of the argument topic results in path traversal. This vulnerability is known as CVE-2026-7318. Attacking locally is a requirement. Furthermore, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability, which was classified as critical, has been found in MphRx Minerva 3.6.0. Impacted is an unknown function of the file /minerva/moUser/update of the component Graphical User Interface. The manipulation of the argument Identifier leads to improper authorization. This vulnerability is traded as CVE-2026-5781. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability classified as critical was found in MphRx Minerva 3.6.0. This issue affects some unknown processing of the file /minerva/user/updateUserProfile. Executing a manipulation can lead to improper access controls. This vulnerability appears as CVE-2026-5779. The attack may be performed from remote. There is no available exploit.

A vulnerability classified as problematic has been found in Red Hat OpenShift Container Platform 4. This vulnerability affects unknown code of the component Environment Variable Handler. Performing a manipulation of the argument LD_PRELOAD/http_proxy results in information disclosure. This vulnerability is reported as CVE-2026-7309. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability described as critical has been identified in MphRx Minerva 3.6.0. This affects an unknown part of the file /minerva/moUser/show/ of the component Endpoint. Such manipulation leads to improper access controls. This vulnerability is documented as CVE-2026-5780. The attack can be executed remotely. There is not any exploit available.

A vulnerability marked as critical has been reported in GNU C Library up to 2.2. Affected by this issue is the function ns_printrrf/ns_printrr/fp_nquery. This manipulation causes out-of-bounds write. This vulnerability is registered as CVE-2026-5435. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability labeled as critical has been found in Grav CMS up to 1.7.49.5/2.0.0-beta.1. Affected by this vulnerability is the function FileCache::doGet of the file system/src/Grav/Framework/Cache/Adapter/FileCache.php of the component Cache Value Handler. The manipulation results in deserialization. This vulnerability is cataloged as CVE-2026-7317. The attack may be launched remotely. Furthermore, there is an exploit available. The affected component should be upgraded.

A vulnerability identified as critical has been detected in eiliyaabedini aider-mcp up to 667b914301aada695aab0e46d1fb3a7d5e32c8af. Affected is an unknown function of the file aider_mcp.py of the component code_with_ai. The manipulation of the argument working_dir/editable_files leads to command injection. This vulnerability is listed as CVE-2026-7316. The attack may be initiated remotely. In addition, an exploit is available. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability categorized as critical has been discovered in eiceblue spire-pdf-mcp-server 0.1.1. This impacts the function get_pdf_path of the file src/spire_pdf_mcp/server.py of the component PDF File Handler. Executing a manipulation of the argument filepath can lead to path traversal. This vulnerability is tracked as CVE-2026-7315. The attack can be launched remotely. Moreover, an exploit is present. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in eiceblue spire-doc-mcp-server 1.0.0. It has been rated as critical. This affects the function get_doc_path of the file src/spire_doc_mcp/api/base.py. Performing a manipulation of the argument document_name results in path traversal. This vulnerability is identified as CVE-2026-7314. The attack can be initiated remotely. Additionally, an exploit exists. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in Xuxueli xxl-job up to 3.3.2. It has been declared as critical. The impacted element is an unknown function of the file xxl-job-admin/src/main/java/com/xxl/job/admin/scheduler/openapi/OpenApiController.java of the component OpenAPI Endpoint. Such manipulation of the argument default_token leads to use of hard-coded cryptographic key . This vulnerability is referenced as CVE-2026-7306. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in Xuxueli xxl-job up to 3.3.2. It has been classified as critical. The affected element is the function triggerJob of the file xxl-job-admin/src/main/java/com/xxl/job/admin/service/impl/XxlJobServiceImpl.java of the component trigger Endpoint. This manipulation of the argument addressList causes server-side request forgery. The identification of this vulnerability is CVE-2026-7305. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. There is ongoing doubt regarding the real existence of this vulnerability. The project maintainer explains (translated from Chinese): "Triggers are manually activated and involve login and access control, thus requiring management." The pull request by the researcher got rejected because of that.

A vulnerability was found in Xuxueli xxl-job up to 3.3.2 and classified as problematic. Impacted is the function logDetailCat of the file xxl-job-admin/src/main/java/com/xxl/job/admin/controller/biz/JobLogController.java of the component Execution Log Handler. The manipulation of the argument logId results in improper control of resource identifiers. This vulnerability was named CVE-2026-7303. The attack may be performed from remote. In addition, an exploit is available. It is suggested to upgrade the affected component.