78
ثغرة
6
تهديد
0
خبر
2
حرجة
🛡 الثغرات الأمنية (CVE)
تؤثر هذه الثغرة على إطار عمل تطوير المواقع baserCMS وتسمح للمسؤولين المصرحين بتنفيذ أوامر نظام التشغيل العشوائية على الخادم. يحدث الضعف في وظيفة التحديث الأساسية حيث لا يتم التحقق من صحة مدخلات المستخدم قبل تمريرها إلى دوال exec().
ثغرة حقن أوامر نظام التشغيل في baserCMS تسمح للمسؤولين المصرحين بتنفيذ أوامر عشوائية على خادم الويب. تؤثر الثغرة على وظيفة التحديث وتم إصلاحها في الإصدار 5.2.3. يمكن للمهاجمين الذين لديهم امتيازات إدارية استخدام هذه الثغرة للسيطرة الكاملة على النظام.
CVE-2026-5214
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-32
17:48 KSA
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function …
CVE-2026-5213
A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, D
17:48 KSA
A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element…
CVE-2026-5212
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, D
17:48 KSA
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects t…
CVE-2026-5211
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, D
17:48 KSA
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects th…
CVE-2026-34373
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
03:28 KSA
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.66 and 9.7.0-alpha.10, the GraphQL API endpoint does not respect the allowOrigin server option and unconditionally allows cross-origin requests from any w…
CVE-2026-34227
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click
17:48 KSA
Sliver is a command and control framework that uses a custom Wireguard netstack. Prior to version 1.7.4, a single click on a malicious link gives an unauthenticated attacker immediate, silent control over every active C2 session or beacon, capable of exfiltrating all collected ta…
CVE-2026-34040
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that all
03:28 KSA
Moby is an open source container framework. Prior to version 29.3.1, a security vulnerability has been detected that allows attackers to bypass authorization plugins (AuthZ). This issue has been patched in version 29.3.1.
CVE-2026-5204
A vulnerability was determined in Tenda CH22 1.0.0.1. Affected is the function formWebTypeLibrary of the file /goform/we
17:48 KSA
A vulnerability was determined in Tenda CH22 1.0.0.1. Affected is the function formWebTypeLibrary of the file /goform/webtypelibrary of the component Parameter Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack can be initiated rem…
CVE-2026-5156
A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the function formQuickIndex of the file /goform/Quick
21:26 KSA
A vulnerability was determined in Tenda CH22 1.0.0.1. This impacts the function formQuickIndex of the file /goform/QuickIndex of the component Parameter Handler. This manipulation of the argument mit_linktype causes stack-based buffer overflow. The attack is possible to be carrie…
CVE-2025-32957
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to
21:26 KSA
baserCMS is a website development framework. Prior to version 5.2.3, the application's restore function allows users to upload a .zip file, which is then automatically extracted. A PHP file inside the archive is included using require_once without validating or restricting the fi…
CVE-2026-34585
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute
17:48 KSA
SiYuan is a personal knowledge management system. Prior to version 3.6.2, a vulnerability allows crafted block attribute values to bypass server-side attribute escaping when an HTML entity is mixed with raw special characters. An attacker can embed a malicious IAL value inside a …
CVE-2026-32920
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust ve
21:26 KSA
OpenClaw before 2026.3.12 automatically discovers and loads plugins from .OpenClaw/extensions/ without explicit trust verification, allowing arbitrary code execution. Attackers can execute malicious code by including crafted workspace plugins in cloned repositories that execute w…
CVE-2026-34504
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-prov
03:28 KSA
OpenClaw before 2026.3.28 contains a server-side request forgery vulnerability in the fal provider image-generation-provider.ts component that allows attackers to fetch internal URLs. A malicious or compromised fal relay can exploit unguarded image download fetches to expose inte…
CVE-2026-34503
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked.
03:28 KSA
OpenClaw before 2026.3.28 fails to disconnect active WebSocket sessions when devices are removed or tokens are revoked. Attackers with revoked credentials can maintain unauthorized access through existing live sessions until forced reconnection.
CVE-2026-34377
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic
03:23 KSA
ZEBRA is a Zcash node written entirely in Rust. Prior to zebrad version 4.3.0 and zebra-consensus version 5.0.1, a logic error in Zebra's transaction verification cache could allow a malicious miner to induce a consensus split. By matching a valid transaction's txid while providi…
CVE-2026-34210
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method
03:28 KSA
mppx is a TypeScript interface for machine payments protocol. Prior to version 0.4.11, the stripe/charge payment method did not check Stripe's Idempotent-Replayed response header when creating PaymentIntents. An attacker could replay a valid credential containing the same spt tok…
CVE-2026-33579
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to
03:28 KSA
OpenClaw before 2026.3.28 contains a privilege escalation vulnerability in the /pair approve command path that fails to forward caller scopes into the core approval check. A caller with pairing privileges but without admin privileges can approve pending device requests asking for…
CVE-2026-33577
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that
03:28 KSA
OpenClaw before 2026.3.28 contains an insufficient scope validation vulnerability in the node pairing approval path that allows low-privilege operators to approve nodes with broader scopes. Attackers can exploit missing callerScopes validation in node-pairing.ts to extend privile…
CVE-2026-24165
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful explo
17:48 KSA
NVIDIA BioNeMo contains a vulnerability where a user could cause a deserialization of untrusted data. A successful exploit of this vulnerability might lead to code execution, denial of service, information disclosure, and data tampering.
CVE-2026-2123
A security audit identified a privilege escalation
vulnerability in Operations Agent(<=OA 12.29) on Windows. Under speci
17:48 KSA
A security audit identified a privilege escalation
vulnerability in Operations Agent(<=OA 12.29) on Windows. Under specific conditions
Operations Agent may run executables from specific writeable locations.Thanks to Manuel Rickli & Philippe Leiser of
Oneconsult AG for reporting t…
CVE-2026-22561
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.336
03:23 KSA
Uncontrolled search path elements in Anthropic Claude for Windows installer (Claude Setup.exe) versions prior to 1.1.3363 allow local privilege escalation via DLL search-order hijacking. The installer loads DLLs (e.g., profapi.dll) from its own directory after UAC elevation, enab…
CVE-2026-34163
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoi
03:28 KSA
FastGPT is an AI Agent building platform. Prior to version 4.14.9.5, FastGPT's MCP (Model Context Protocol) tools endpoints (/api/core/app/mcpTools/getTools and /api/core/app/mcpTools/runTool) accept a user-supplied URL parameter and make server-side HTTP requests to it without v…
CVE-2026-34366
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and
21:54 KSA
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Payment receipt PDF generation module. User-supplied HTML i…
CVE-2026-34365
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and
21:54 KSA
InvoiceShelf is an open-source web & mobile app that helps track expenses, payments and create professional invoices and estimates. Prior to version 2.2.0, a Server-Side Request Forgery (SSRF) vulnerability exists in the Estimate PDF generation module. User-supplied HTML in the e…
CVE-2026-5115
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijackin
03:28 KSA
The PaperCut NG/MF (specifically, the embedded application for Konica Minolta devices) is vulnerable to session hijacking. The PaperCut NG/MF Embedded application is a software interface that runs directly on the touch screen of a multi-function device.
It was internally discove…
CVE-2026-4020
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and includi
21:26 KSA
The Gravity SMTP plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 2.1.4. This is due to a REST API endpoint registered at /wp-json/gravitysmtp/v1/tests/mock-data with a permission_callback that unconditionally returns true…
CVE-2026-5201
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loade
21:26 KSA
A flaw was found in the gdk-pixbuf library. This heap-based buffer overflow vulnerability occurs in the JPEG image loader due to improper validation of color component counts when processing a specially crafted JPEG image. A remote attacker can exploit this flaw without user inte…
CVE-2026-32988
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary fi
21:26 KSA
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in fs-bridge staged writes where temporary file creation and population are not pinned to a verified parent directory. Attackers can exploit a race condition in parent-path alias changes to write attacker-…
CVE-2026-32982
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes
21:26 KSA
OpenClaw before 2026.3.13 contains an information disclosure vulnerability in the fetchRemoteMedia function that exposes Telegram bot tokens in error messages. When media downloads fail, the original Telegram file URLs containing bot tokens are embedded in MediaFetchError strings…
CVE-2026-34784
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
17:48 KSA
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.71 and 9.7.1-alpha.1, file downloads via HTTP Range requests bypass the afterFind(Parse.File) trigger and its validators on storage adapters that support …
CVE-2026-34573
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
17:48 KSA
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.68 and 9.7.0-alpha.12, the GraphQL query complexity validator can be exploited to cause a denial-of-service by sending a crafted query with binary fan-out…
CVE-2026-5237
A security flaw has been discovered in itsourcecode Payroll Management System 1.0. Affected by this vulnerability is an
17:48 KSA
A security flaw has been discovered in itsourcecode Payroll Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /manage_user.php of the component Parameter Handler. Performing a manipulation of the argument ID results in sql injection. Th…
CVE-2026-5210
A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a
17:48 KSA
A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used.
CVE-2026-5195
A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the
21:26 KSA
A flaw has been found in code-projects Student Membership System 1.0. This issue affects some unknown processing of the component User Registration Handler. Executing a manipulation can lead to sql injection. The attack can be launched remotely.
CVE-2026-5176
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of
21:26 KSA
A security flaw has been discovered in Totolink A3300R 17.0.0cu.557_b20221024. Affected is the function setSyslogCfg of the file /cgi-bin/cstecgi.cgi. Performing a manipulation of the argument provided results in command injection. The attack may be initiated remotely. The exploi…
CVE-2026-5179
A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of th
21:26 KSA
A vulnerability was detected in SourceCodester Simple Doctors Appointment System 1.0. This affects an unknown part of the file /admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit is now public and …
CVE-2026-5180
A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code o
21:26 KSA
A flaw has been found in SourceCodester Simple Doctors Appointment System 1.0. This vulnerability affects unknown code of the file /admin/ajax.php?action=login2. This manipulation of the argument email causes sql injection. The attack is possible to be carried out remotely. The e…
CVE-2026-5182
A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teach
21:26 KSA
A vulnerability was found in SourceCodester Teacher Record System 1.0. Impacted is an unknown function of the file Teacher Record System of the component Parameter Handler. Performing a manipulation of the argument searchteacher results in sql injection. It is possible to initiat…
CVE-2026-5198
A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown functi
03:28 KSA
A vulnerability was determined in code-projects Student Membership System 1.0. The impacted element is an unknown function of the file /admin/index.php of the component Admin Login. This manipulation of the argument username/password causes sql injection. Remote exploitation of t…
CVE-2026-4267
The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site S
03:28 KSA
The Query Monitor – The developer tools panel for WordPress plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the ‘$_SERVER['REQUEST_URI']’ parameter in all versions up to, and including, 3.20.3 due to insufficient input sanitization and output escaping. Th…
CVE-2026-32734
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag
09:57 KSA
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has DOM-based cross-site scripting in tag creation. This issue has been patched in version 5.2.3.
CVE-2026-32971
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays e
21:26 KSA
OpenClaw before 2026.3.11 contains an approval-integrity vulnerability in node-host system.run approvals that displays extracted shell payloads instead of the executed argv. Attackers can place wrapper binaries and induce wrapper-shaped commands to execute local code after operat…
CVE-2026-1710
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data
09:57 KSA
The WooPayments: Integrated WooCommerce Payments plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the 'save_upe_appearance_ajax' function in all versions up to, and including, 10.5.1. This makes it possible for unauthent…
CVE-2026-34505
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypa
09:57 KSA
OpenClaw before 2026.3.12 applies rate limiting only after successful webhook authentication, allowing attackers to bypass rate limits and brute-force webhook secrets. Attackers can submit repeated authentication requests with invalid secrets without triggering rate limit respons…
CVE-2026-32976
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected s
09:57 KSA
OpenClaw before 2026.3.11 contains an authorization bypass vulnerability allowing channel commands to mutate protected sibling-account configuration despite configWrites restrictions. Attackers with authorized access on one account can execute channel commands like /config set ch…
CVE-2026-30521
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validati
09:57 KSA
A Business Logic vulnerability exists in SourceCodester Loan Management System v1.0 due to improper server-side validation. The application allows administrators to create "Loan Plans" with specific interest rates. While the frontend interface prevents users from entering negativ…
CVE-2026-33576
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization.
09:57 KSA
OpenClaw before 2026.3.28 downloads and stores inbound media from Zalo channels before validating sender authorization. Unauthorized senders can force network fetches and disk writes to the media store by sending messages that are subsequently rejected.
CVE-2026-33580
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication th
09:57 KSA
OpenClaw before 2026.3.28 contains a missing rate limiting vulnerability in the Nextcloud Talk webhook authentication that allows attackers to brute-force weak shared secrets. Attackers who can reach the webhook endpoint can exploit this to forge inbound webhook events by repeate…
CVE-2026-34215
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to version
09:57 KSA
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to versions 8.6.63 and 9.7.0-alpha.7, the verify password endpoint returns unsanitized authentication data, including MFA TOTP secrets, recovery codes, and OAuth access t…
CVE-2026-34716
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature r
09:57 KSA
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo YPTSocket plugin's caller feature renders incoming call notifications using the jQuery Toast Plugin, passing the caller's display name directly as the heading parameter. The toast plugin construc…
CVE-2026-2480
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the
09:57 KSA
The WP Shortcodes Plugin — Shortcodes Ultimate plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'max_width' attribute of the `su_box` shortcode in all versions up to, and including, 7.4.10 due to insufficient input sanitization and output escaping on user…
CVE-2026-1834
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin'
09:57 KSA
The Ibtana – WordPress Website Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's 'ive' shortcode in all versions up to, and including, 1.2.5.7 due to insufficient input sanitization and output escaping on user supplied attributes. This mak…
CVE-2026-5206
A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects
09:57 KSA
A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection…
CVE-2026-5205
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigge
09:57 KSA
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack ca…
CVE-2026-5197
A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of
09:57 KSA
A vulnerability was found in code-projects Student Membership System 1.0. The affected element is an unknown function of the file /delete_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public …
CVE-2026-5196
A vulnerability has been found in code-projects Student Membership System 1.0. Impacted is an unknown function of the fi
09:57 KSA
A vulnerability has been found in code-projects Student Membership System 1.0. Impacted is an unknown function of the file /delete_member.php. The manipulation of the argument ID leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the p…
CVE-2026-5184
A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The impacted element is an unknown function of the file
09:57 KSA
A vulnerability was identified in TRENDnet TEW-713RE up to 1.02. The impacted element is an unknown function of the file /goform/setSysAdm. The manipulation of the argument admuser leads to command injection. The attack can be initiated remotely. The exploit is publicly available…
CVE-2026-5183
A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the
09:57 KSA
A vulnerability was determined in TRENDnet TEW-713RE up to 1.02. The affected element is the function sub_421494 of the file /goform/addRouting. Executing a manipulation of the argument dest can lead to command injection. It is possible to launch the attack remotely. The exploit …
CVE-2026-32921
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not b
09:57 KSA
OpenClaw before 2026.3.8 contains an approval bypass vulnerability in system.run where mutable script operands are not bound across approval and execution phases. Attackers can obtain approval for script execution, modify the approved script file before execution, and execute dif…
CVE-2026-5181
A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some un
09:57 KSA
A vulnerability has been found in SourceCodester Simple Doctors Appointment System up to 1.0. This issue affects some unknown processing of the file /doctors_appointment/admin/ajax.php?action=save_category. Such manipulation of the argument img leads to unrestricted upload. The a…
CVE-2026-5178
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the func
09:57 KSA
A security vulnerability has been detected in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this issue is the function setIptvCfg of the file /cgi-bin/cstecgi.cgi. The manipulation of the argument vlanPriLan3 leads to command injection. Remote exploitation of the attack is …
CVE-2026-5177
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function
09:57 KSA
A weakness has been identified in Totolink A3300R 17.0.0cu.557_b20221024. Affected by this vulnerability is the function setWiFiBasicCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument rxRate can lead to command injection. The attack may be launched rem…
CVE-2026-32977
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that u
09:57 KSA
OpenClaw before 2026.3.11 contains a sandbox boundary bypass vulnerability in the fs-bridge writeFile commit step that uses an unanchored container path during the final move operation. An attacker can exploit a time-of-check-time-of-use race condition by modifying parent paths i…
CVE-2026-34396
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configur
09:57 KSA
WWBN AVideo is an open source video platform. In versions 26.0 and prior, the AVideo admin panel renders plugin configuration values in HTML forms without applying htmlspecialchars() or any other output encoding. The jsonToFormElements() function in admin/functions.php directly i…
CVE-2026-1877
The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and incl
09:57 KSA
The Auto Post Scheduler plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 1.84. This is due to missing nonce validation on the 'aps_options_page' function. This makes it possible for unauthenticated attackers to update settings…
CVE-2026-30879
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability i
09:57 KSA
baserCMS is a website development framework. Prior to version 5.2.3, baserCMS has a cross-site scripting vulnerability in blog posts. This issue has been patched in version 5.2.3.
CVE-2026-34605
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function i
23:32 KSA
SiYuan is a personal knowledge management system. From version 3.6.0 to before version 3.6.2, the SanitizeSVG function introduced in version 3.6.0 to fix XSS in the unauthenticated /api/icon/getDynamicIcon endpoint can be bypassed by using namespace-prefixed element names such as…
CVE-2026-34442
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header
09:57 KSA
FreeScout is a free help desk and shared inbox built with PHP's Laravel framework. Prior to version 1.8.211, host header manipulation in FreeScout version (http://localhost:8080/system/status) allows an attacker to inject an arbitrary domain into generated absolute URLs. This lea…
CVE-2026-20915
Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permiss
19:04 KSA
Stored cross-site scripting (XSS) in Checkmk version 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create pending changes to inject malicious JavaScript into the Pending Changes sidebar, which will execute in the browsers of other users viewing the sid…
CVE-2026-33276
Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to c
19:04 KSA
Stored cross-site scripting (XSS) in Checkmk 2.5.0 (beta) before 2.5.0b2 allows authenticated users with permission to create hosts or services to execute arbitrary JavaScript in the browsers of other users performing searches in the Unified Search feature.
CVE-2026-3191
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2
09:57 KSA
The Minify HTML plugin for WordPress is vulnerable to Cross-Site Request Forgery in all versions up to, and including, 2.1.12. This is due to missing or incorrect nonce validation on the 'minify_html_menu_options' function. This makes it possible for unauthenticated attackers to …
CVE-2026-5186
A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb
09:57 KSA
A weakness has been identified in Nothings stb up to 2.30. This impacts the function stbi__load_gif_main of the file stb_image.h of the component Multi-frame GIF File Handler. This manipulation causes double free. The attack requires local access. The exploit has been made availa…
CVE-2026-1797
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Ex
09:57 KSA
The Appointment Booking and Scheduler Plugin – Truebooker plugin for WordPress is vulnerable to Sensitive Information Exposure in all versions up to, and including, 1.1.4 through views php files. This makes it possible for unauthenticated attackers to view potentially sensitive i…
CVE-2026-5235
A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache o
09:57 KSA
A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The e…
CVE-2026-5236
A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of
09:57 KSA
A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of the file Ap4Dac4Atom.cpp of the component DSI v1 Parser. Such manipulation of the argument n_presentations leads to heap-based buffer overflow. The attack needs…
CVE-2026-5185
A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of t
09:57 KSA
A security flaw has been discovered in Nothings stb_image up to 2.30. This affects the function stbi__gif_load_next of the file stb_image.h of the component Multi-frame GIF File Handler. The manipulation results in heap-based buffer overflow. The attack requires a local approach.…
⚠️ استخبارات التهديدات
6 تهديد
rss:Dark Reading
—
14:48 KSA
<strong>منصة Vertex AI من جوجل تمتلك صلاحيات مفرطة. هذه مشكلة</strong>
اكتشف باحثون من Palo Alto Networks ثغرات خطيرة تتعلق بالصلاحيات المفرطة في منصة Vertex AI من جوجل، والتي قد تسمح للمهاجمين باستغلال وكلاء الذكاء الاصطناعي لسرقة البيانات والوصول غير المصرح به إلى البنية التحت…
rss:Dark Reading
—
14:48 KSA
<strong>مجموعة TeamPCP تخترق البيئات السحابية وخدمات SaaS باستخدام بيانات اعتماد مسروقة</strong>
غيرت مجموعة التهديد TeamPCP أساليبها لتنفيذ هجمات سريعة على منصات AWS وAzure وخدمات SaaS باستخدام بيانات اعتماد مسروقة. يؤكد الجدول الزمني المتسارع للهجمات على الحاجة الماسة للمؤسسات…
rss:Dark Reading
—
13:43 KSA
<strong>اختراق حزمة Axios على NPM في هجوم دقيق</strong>
تم اختراق حزمة Axios على NPM، وهي مكتبة عميل HTTP بلغة JavaScript واسعة الانتشار، بشكل مؤقت في هجوم مستهدف على سلسلة التوريد يُحتمل أن يكون من جهات فاعلة تهديد كورية شمالية. يسلط هذا الحادث الضوء على ضعف اعتماديات البرمجيات…
rss:CISA Advisories
—
02:26 KSA
<strong>نظام الطيار الآلي PX4</strong>
ثغرة أمنية حرجة في نظام الطيار الآلي PX4 الإصدار v1.16.0 تسمح للمهاجمين الذين لديهم وصول إلى واجهة MAVLink بتنفيذ أوامر نظام عشوائية دون مصادقة تشفيرية. يشكل هذا مخاطر كبيرة على أنظمة الطائرات بدون طيار والمركبات ذاتية القيادة المستخدمة في …
rss:CISA Advisories
—
01:16 KSA
<strong>جهاز مراقبة الطيف عن بعد من أنريتسو</strong>
ثغرة أمنية في جهاز مراقبة الطيف عن بعد أنريتسو MS27 تسمح للمهاجمين عبر الشبكة بتغيير الإعدادات التشغيلية والحصول على بيانات الإشارات الحساسة أو تعطيل توفر الجهاز. تشكل خطراً على البنية التحتية لمراقبة الطيف والاتصالات.
rss:Mandiant Blog
—
21:50 KSA
<strong>جهة تهديد مرتبطة بكوريا الشمالية تخترق حزمة Axios NPM واسعة الاستخدام في هجوم سلسلة التوريد</strong>
اخترقت جهة تهديد مرتبطة بكوريا الشمالية حزمة Axios NPM واسعة الاستخدام في هجوم نشط على سلسلة التوريد. تتعقب مجموعة استخبارات التهديدات من جوجل هذه الحملة التي تستهدف نظام…
📰 أخبار الأمن السيبراني
0 مقال
لا توجد أخبار مجمّعة اليوم حتى الآن
يتم تحديث هذه النشرة تلقائياً يومياً — آخر تحديث: 31 Mar 2026
أرشيف الثغرات ·
التهديدات ·
الأخبار