A vulnerability has been found in Chengdu Everbrite Network Technology BeikeShop up to 1.6.0.22 and classified as critical. Impacted is an unknown function of the file beike/Admin/Routes/admin.php of the component Admin Design Builder Endpoint. Performing a manipulation of the argument settings.value results in SQL injection.
This vulnerability is cataloged as CVE-2026-11480. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
To fix this issue, it is recommended to deploy a patch.
A vulnerability, which was classified as problematic, was found in yoanbernabeu grepai 0.35.0. This issue affects some unknown processing of the file indexer/chunker.go of the component Qdrant Backend. Such manipulation leads to the use of a weak hash.
This vulnerability is listed as CVE-2026-11479. The attack may be performed remotely. In addition, an exploit is available.
The pull request to fix this issue awaits acceptance.
A vulnerability, which was classified as problematic, has been found in kokke tiny-regex-c up to f2632c6d9ed25272987471cdb8b70395c2460bdb. This vulnerability affects the function matchstar of the file re.c of the component Pattern Handler. This manipulation causes inefficient regular expression complexity.
This vulnerability is tracked as CVE-2026-11478. The attack is restricted to local execution. Moreover, an exploit is present.
This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for affected or updated releases cannot be specified.
The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability classified as problematic was found in hs-web hsweb-framework up to 5.0.1. This affects the function OAuth2Client of the file hsweb-authorization/hsweb-authorization-oauth2/src/main/java/org/hswebframework/web/oauth2/server/OAuth2Client.java of the component OAuth2 Client. The manipulation results in an open redirect.
This vulnerability is identified as CVE-2026-11477. The attack can be executed remotely. Additionally, an exploit exists.
Applying a patch is advised to resolve this issue.
A vulnerability classified as critical has been found in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this issue is the function edit-admin of the file controllers/AdminController.php of the component Profile Update Endpoint. The manipulation of the argument isadmin leads to improper authorization.
This vulnerability is referenced as CVE-2026-11476. Remote exploitation of the attack is possible. Furthermore, an exploit is available.
This product follows a rolling release approach for continuous delivery, so version details for affected or updated releases are not provided.
The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability described as critical has been identified in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected by this vulnerability is the function getStatus of the file controllers/GradeController.php of the component Certificate Verification Endpoint. Executing a manipulation of the argument nic can lead to SQL injection.
The identification of this vulnerability is CVE-2026-11475. The attack may be launched remotely. Furthermore, there is an exploit available.
This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases.
The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability marked as critical has been reported in Kushan2k student-management-system up to f16a4ceaddd6729c4b306ed4641cda3176c1ef2a. Affected is an unknown function of the file service/RegisterService.php of the component Registration Endpoint. Performing a manipulation of the argument stimg results in unrestricted upload.
This vulnerability was named CVE-2026-11474. The attack may be initiated remotely. In addition, an exploit is available.
This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available.
The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability labeled as critical has been found in jflyfox jfinal_cms up to 5.1.0. This impacts the function list of the file AdvicefeedbackController.java. Such manipulation of the argument orderBy leads to SQL injection.
This vulnerability is uniquely identified as CVE-2026-11473. The attack can be launched remotely. No exploit exists.
The project was informed of the problem early through an issue report but has not responded yet.
A vulnerability identified as critical has been detected in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown function of the file /index1.php. This manipulation of the argument Password causes SQL injection.
This vulnerability is handled as CVE-2026-11472. The attack can be initiated remotely. Additionally, an exploit exists.