25
CVEs
1
Threats
0
News
🛡 Security Vulnerabilities (CVE)
CVE-2025-10465
Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd
04:01 KSA
Unrestricted Upload of File with Dangerous Type vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Sensaway allows Upload a Web Shell to a Web Server.This issue affects Sensaway: through 09022026.
NOTE: The vendor was contacted early about this disclos…
CVE-2026-25812
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enable
04:01 KSA
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, the application enables credentialed CORS requests but does not implement any CSRF protection mechanism.
CVE-2026-25497
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0
04:01 KSA
Craft is a platform for creating digital experiences. In Craft versions from 4.0.0-RC1 to before 4.17.0-beta.1 and 5.9.0-beta.1, there is a Privilege Escalation vulnerability in Craft CMS’s GraphQL API that allows an authenticated user with write access to one asset volume to esc…
CVE-2026-25495
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through
04:01 KSA
Craft is a platform for creating digital experiences. In Craft versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, the element-indexes/get-elements endpoint is vulnerable to SQL Injection via the criteria[orderBy] parameter (JSON body). The application fails to sanit…
CVE-2025-7799
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Infor
04:01 KSA
Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Zirve Information Technologies Inc. E-Taxpayer Accounting Website allows Reflected XSS.This issue affects e-Taxpayer Accounting Website: through 07082025.
CVE-2026-0870
MacroHub developed by GIGABYTE has a Local Privilege Escalation vulnerability. Due to the MacroHub application launching
04:01 KSA
MacroHub developed by GIGABYTE has a Local Privilege Escalation vulnerability. Due to the MacroHub application launching external applications with improper privileges, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges.
CVE-2026-25961
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS host
04:01 KSA
SumatraPDF is a multi-format reader for Windows. In 3.5.0 through 3.5.2, SumatraPDF's update mechanism disables TLS hostname verification (INTERNET_FLAG_IGNORE_CERT_CN_INVALID) and executes installers without signature checks. A network attacker with any valid TLS certificate (e.…
PolarLearn is a free and open-source learning program. In 0-PRERELEASE-16 and earlier, the group chat WebSocket at wss://polarlearn.nl/api/v1/ws can be used without logging in. An unauthenticated client can subscribe to any group chat by providing a group UUID, and can also send …
PlaciPy is a placement management system designed for educational institutions. In version 1.0.0, The application logs highly sensitive data directly to console output without masking or redaction.
CVE-2026-24684
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can p
04:01 KSA
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, the RDPSND async playback thread can process queued PDUs after the channel is closed and internal state is freed, leading to a use after free in rdpsnd_treat_wave. This vulnerability is fixed in 3.2…
FreeRDP is a free implementation of the Remote Desktop Protocol. ainput_send_input_event caches channel_callback in a local variable and later uses it without synchronization; a concurrent channel close can free or reinitialize the callback, leading to a use after free. Prior to …
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, audin_server_recv_formats frees an incorrect number of audio formats on parse failure (i + i), leading to out-of-bounds access in audio_formats_free. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, aAsynchronous bulk transfer completions can use a freed channel callback after URBDRC channel close, leading to a use after free in urb_write_completion. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, sdl_Pointer_New frees data on failure, then pointer_free calls sdl_Pointer_Free and frees it again, triggering ASan UAF. This vulnerability is fixed in 3.22.0.
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, A capture thread sends sample responses using a freed channel callback after a device channel close, leading to a use after free in ecam_channel_write. This vulnerability is fixed in 3.22.0.
CVE-2026-24676
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the a
04:01 KSA
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, AUDIN format renegotiation frees the active format list while the capture thread continues using audin->format, leading to a use after free in audio_format_compatible. This vulnerability is fixed in…
CVE-2026-24675
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the devi
04:01 KSA
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, urb_select_interface can free the device's MS config on error but later code still dereferences it, leading to a use after free in libusb_udev_select_interface. This vulnerability is fixed in 3.22.0…
CVE-2026-24491
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notificati
04:01 KSA
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, video_timer can send client notifications after the control channel is closed, dereferencing a freed callback and triggering a use after free. This vulnerability is fixed in 3.22.0.
CVE-2026-23948
FreeRDP NULL Pointer Dereference in LogonInfoV2 Processing (CVE-2026-23948)
04:01 KSA
FreeRDP is a free implementation of the Remote Desktop Protocol. Prior to 3.22.0, a NULL pointer dereference vulnerability in rdp_write_logon_info_v2() allows a malicious RDP server to crash FreeRDP proxy by sending a specially crafted LogonInfoV2 PDU with cbDomain=0 or cbUserNam…
CVE-2026-22905
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path tr
04:01 KSA
An unauthenticated remote attacker can bypass authentication by exploiting insufficient URI validation and using path traversal sequences (e.g., /js/../cgi-bin/post.cgi), gaining unauthorized access to protected CGI endpoints and configuration downloads.
CVE-2026-2236
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbit
04:01 KSA
C&Cm@il developed by HGiga has a SQL Injection vulnerability, allowing unauthenticated remote attackers to inject arbitrary SQL commands to read database contents.
CVE-2025-10463
Improper Authentication vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Au
04:01 KSA
Improper Authentication vulnerability in Birtech Information Technologies Industry and Trade Ltd. Co. Senseway allows Authentication Abuse.This issue affects Senseway: through 09022026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way.
Craft is a platform for creating digital experiences. In versions 4.0.0-RC1 through 4.16.17 and 5.0.0-RC1 through 5.8.21, a Remote Code Execution (RCE) vulnerability exists in Craft CMS where the assembleLayoutFromPost() function in src/services/Fields.php fails to sanitize user-…
A vulnerability has been found in D-Link DIR-823X 250416. This affects the function sub_4211C8 of the file /goform/set_filtering. Such manipulation leads to os command injection. The attack may be launched remotely. The exploit has been disclosed to the public and may be used.
FUXA is a web-based Process Visualization (SCADA/HMI/Dashboard) software. Prior to 1.2.11, there is a flaw in the path sanitization logic allows an authenticated attacker with administrative privileges to bypass directory traversal protections. By using nested traversal sequences…
⚠️ Threat Intelligence
1 threats
rss:Mandiant Blog
—
06:12 KSA
UNC1069 Targets Cryptocurrency Sector with New Tooling and AI-Enabled Social Engineering
North Korean threat group UNC1069 is using advanced tooling and AI-enabled social engineering to target cryptocurrency and decentralized finance (DeFi) organizations. Mandia…
📰 Cybersecurity News
0 articles
No news aggregated today yet
This digest is updated automatically every day — Last updated: Monday, February 9, 2026
CVE Archive ·
Threats ·
News