Aggregator

A vulnerability was found in Oracle Retail Price Management 14.1.3.2/15.0.3.1/16.0.3. It has been declared as critical. This impacts an unknown function of the component Security. Executing a manipulation can lead to improper input validation. This vulnerability appears as CVE-2021-44832. The attack may be performed from remote. There is no available exploit.

2026年5月11日，知名TanStack开源库遭供应链劫持，攻击者通过钓鱼获取维护者OIDC令牌，向62个官方包植入凭证窃取代码。该库周下载量逾1200万次，恶意版本在数小时内完成全球扩散。OpenAI两名员工终端恰在此窗口期中招，导致少量代码仓库凭证泄露。 此事虽未酿成灾难性后果，却暴露出软件供应链的深层脆弱性：一次精准钓鱼 → npm账户沦陷 → 全球依赖链污染 → 大型企业员工终端被突破。整个杀伤链中，企业自身几乎无防御抓手。 作为安全从业人员，我认为最值得警惕的不是"OpenAI也被黑了"，而是这次攻防的时间差：传统"定期扫描"模式对此类速闪投毒完全失效。真正有效的防御必须是实时、自动化的。给同行三点建议： 1、引入SBOM及实时SCA，将开源依赖可视化为资产； 2、开发终端零信任化，持续加强终端安全检测-异常行为； 3、与关键开源社区建立直连应急通道，争取在投毒窗口前的预警时间。 此次OpenAI的应急响应可圈可点——迅速轮换签名证书、强制macOS用户更新——体现了风险意识。但对更多企业而言真正的考题是：当你的核心业务依赖万千开源组件时你能在攻守时间差中守住几道防线？

A vulnerability was found in SourceCodester Hospitals Patient Records Management System 1.0. It has been declared as critical. This impacts an unknown function of the file /classes/Users.php?f=delete. The manipulation of the argument ID results in sql injection. This vulnerability is cataloged as CVE-2026-10184. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in SourceCodester Hospitals Patient Records Management System 1.0. It has been rated as critical. Affected is an unknown function of the file /classes/Users.php?f=save. This manipulation of the argument ID causes sql injection. This vulnerability is registered as CVE-2026-10185. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability categorized as critical has been discovered in code-projects Online Hospital Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /patient.php. Such manipulation of the argument editid leads to sql injection. This vulnerability is documented as CVE-2026-10186. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability identified as critical has been detected in Totolink N300RH 6.1c.1353_B20190305. Affected by this issue is the function setWiFiBasicConfig of the file wireless.so of the component Web Management Interface. Performing a manipulation of the argument KeyStr results in stack-based buffer overflow. This vulnerability is reported as CVE-2026-10187. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability labeled as critical has been found in Tenda W12 3.0.0.7(4763). This affects the function cgistaKickOff of the file /bin/httpd. Executing a manipulation of the argument staMac can lead to stack-based buffer overflow. This vulnerability appears as CVE-2026-10188. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability marked as critical has been reported in Tenda W12 3.0.0.7(4763). This vulnerability affects the function cgiSysTimeInfoSet of the file /bin/httpd. The manipulation of the argument sec leads to stack-based buffer overflow. This vulnerability is traded as CVE-2026-10189. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability described as problematic has been identified in Tenda W12 3.0.0.7(4763). This issue affects the function cgiSysWebTimeoutSet of the file /bin/httpd of the component Web Management Interface. The manipulation of the argument web_over_time results in denial of service. This vulnerability is known as CVE-2026-10190. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability classified as critical has been found in Tenda W12 3.0.0.7(4763). Impacted is the function cgiWifiMacFilterSet of the file /bin/httpd. This manipulation of the argument wifiMacFilterSet.macList.mac causes stack-based buffer overflow. This vulnerability is handled as CVE-2026-10191. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability classified as critical was found in Tenda W12 3.0.0.7(4763). The affected element is the function set_local_time_0 of the file /bin/httpd. Such manipulation of the argument Time leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2026-10192. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability, which was classified as critical, has been found in OFCMS up to 1.1.3. The impacted element is the function Query of the file ofcms-admin\src\main\java\com\ofsoft\cms\admin\controller\ComnController.java of the component ComnController. Performing a manipulation of the argument system.user.query results in sql injection. This vulnerability was named CVE-2026-10193. The attack may be initiated remotely. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability marked as critical has been reported in Microsoft Windows. This affects an unknown function of the component Search Service. The manipulation leads to use after free. This vulnerability is documented as CVE-2026-27909. The attack needs to be performed locally. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability described as critical has been identified in Microsoft Windows. This impacts an unknown function of the component Installer. The manipulation results in improper handling of insufficient permissions or privileges. This vulnerability is reported as CVE-2026-27910. The attack requires a local approach. No exploit exists. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in Microsoft Windows. Affected is an unknown function of the component User Interface Core. This manipulation causes race condition. This vulnerability appears as CVE-2026-27911. The attack requires local access. There is no available exploit. It is recommended to upgrade the affected component.

A vulnerability labeled as problematic has been found in py-pdf pypdf up to 6.7.2. Impacted is an unknown function. Such manipulation leads to resource consumption. This vulnerability is traded as CVE-2026-27888. The attack may be launched remotely. There is no exploit available. The affected component should be upgraded.

A vulnerability labeled as critical has been found in Microsoft Windows. The impacted element is an unknown function in the library tdx.sys of the component TDI Translation Driver. Executing a manipulation can lead to use after free. This vulnerability is registered as CVE-2026-27908. The attack needs to be launched locally. No exploit is available. The affected component should be upgraded.

A vulnerability described as problematic has been identified in py-pdf pypdf up to 6.7.0. Affected by this vulnerability is an unknown functionality of the component Font Handler. The manipulation of the argument /ToUnicode results in excessive iteration. This vulnerability is identified as CVE-2026-27025. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.

A vulnerability classified as problematic has been found in py-pdf pypdf up to 6.7.0. Affected by this issue is some unknown functionality of the component Decompression Handler. This manipulation of the argument /FlateDecode causes allocation of resources. This vulnerability is tracked as CVE-2026-27026. The attack is possible to be carried out remotely. No exploit exists. It is recommended to upgrade the affected component.

A vulnerability has been found in py-pdf pypdf up to 6.7.1 and classified as problematic. Impacted is an unknown function. The manipulation leads to infinite loop. This vulnerability is listed as CVE-2026-27628. The attack may be initiated remotely. There is no available exploit. The affected component should be upgraded.