Aggregator

Name: TaipanByte’s Chart CTF (an TaipanByte CTF event.)
Date: Feb. 14, 2026, 10 a.m. — 15 Feb. 2026, 10:00 UTC  [add to calendar]
Format: Jeopardy
On-line
Offical URL: https://chart.taipanbyte.ru/
Rating weight: 0
Event organizers: TaipanByte

A vulnerability has been found in Flos Freeware Notepad2 4.2.22/4.2.23/4.2.24/4.2.25 and classified as problematic. Affected is an unknown function in the library Msimg32.dll. Performing a manipulation results in uncontrolled search path. This vulnerability is known as CVE-2026-2538. Attacking locally is a requirement. No exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in Comfast CF-E4 2.6.0.1. This impacts an unknown function of the file /cgi-bin/mbox-config?method=SET&section=ntp_timezone of the component HTTP POST Request Handler. Such manipulation of the argument timestr leads to command injection. This vulnerability is traded as CVE-2026-2537. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #749345 / VDB-346126

A vulnerability, which was classified as problematic, has been found in opencc JFlow up to 20260129. This affects the function Imp_Done of the file src/main/java/bp/wf/httphandler/WF_Admin_AttrFlow.java of the component Workflow Engine. This manipulation of the argument File causes xml external entity reference. This vulnerability appears as CVE-2026-2536. The attack may be initiated remotely. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

Submit #749196 / VDB-346125

A vulnerability classified as critical was found in Comfast CF-N1 V2 2.6.0.2. The impacted element is the function sub_44AB9C of the file /cgi-bin/mbox-config?method=SET&section=ptest_channel. The manipulation of the argument channel results in command injection. This vulnerability is reported as CVE-2026-2535. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in Comfast CF-N1 V2 2.6.0.2. The affected element is the function sub_44AC4C of the file /cgi-bin/mbox-config?method=SET&section=ptest_bandwidth. The manipulation of the argument bandwidth leads to command injection. This vulnerability is documented as CVE-2026-2534. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #748808 / VDB-346124

Submit #748807 / VDB-346124

A vulnerability described as critical has been identified in Tosei Self-service Washing Machine 4.02. Impacted is an unknown function of the file /cgi-bin/tosei_datasend.php. Executing a manipulation of the argument adr_txt_1 can lead to command injection. This vulnerability is registered as CVE-2026-2533. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #748784 / VDB-346123

Submit #748783 / VDB-346122

Всего одна неосторожная переписка разрушила теневую IT-империю.

A vulnerability marked as critical has been reported in lintsinghua DeepAudit up to 3.0.3. This issue affects some unknown processing of the file backend/app/api/v1/endpoints/embedding_config.py of the component IP Address Handler. Performing a manipulation results in server-side request forgery. This vulnerability is cataloged as CVE-2026-2532. It is possible to initiate the attack remotely. There is no exploit available. It is suggested to upgrade the affected component.

Submit #748771 / VDB-346121

A vulnerability labeled as critical has been found in MindsDB up to 25.14.1. This vulnerability affects the function clear_filename of the file mindsdb/utilities/security.py of the component File Upload. Such manipulation leads to server-side request forgery. This vulnerability is listed as CVE-2026-2531. The attack may be performed from remote. In addition, an exploit is available. It is best practice to apply a patch to resolve this issue.

Submit #748220 / VDB-346120