📅 Daily Security Digest — Friday, May 22, 2026

🇸🇦 Saudi Cyber Daily Digest

All security vulnerabilities, threats, and news aggregated today from trusted sources — continuously updated

Friday, May 22, 2026: 135 CVEs | 29 Threats | 0 News | 4 Critical | 3 CISA KEV
🛡 Security Vulnerabilities (CVE)
135 vulnerabilities
CVE-2026-40411
23:15 KSA
CRITICAL CVSS 9.9 CWE-20
Improper input validation in Azure Virtual Network Gateway allows an authorized attacker to execute code over a network.
CVE-2025-34291
05:32 KSA
CRITICAL CVSS 9.8 ⚠ CISA KEV
Langflow Langflow — CVE-2025-34291 Langflow contains an origin validation error vulnerability in which an overly permissive CORS configuration combined with a refresh token cookie configured as SameSite=None allows a malicious webpage to perform cross-origin requests that include…
CVE-2026-34926
05:32 KSA
CRITICAL CVSS 9.8 ⚠ CISA KEV
Trend Micro Apex One — CVE-2026-34926 Trend Micro Apex One (on-premise) contains a directory traversal vulnerability that could allow a pre-authenticated local attacker to modify a key table on the server to inject malicious code to deploy to agents on affected installations. Re…
CVE-2026-9082
05:16 KSA
CRITICAL CVSS 9.8 ⚠ CISA KEV
Drupal Core — CVE-2026-9082 Drupal Core contains a SQL injection vulnerability that could allow for privilege escalation and remote code execution via specially crafted requests sent with the database abstraction API. Required Action: Apply mitigations per vendor instructions, f…
CVE-2026-24425
Twig Sandbox Bypass via SourcePolicyInterface Template Filters
18:18 KSA
HIGH CVSS 8.8 CWE-693
Twig versions 2.16.x and 3.9.0 through 3.25.x contain a sandbox bypass vulnerability when using a SourcePolicyInterface that allows attackers with template rendering capabilities to pass arbitrary PHP callables to sort, filter, map, and reduce filters. Attackers can exploit the r…
CVE-2026-35430
Azure PIM Authorization Bypass via User-Controlled Key
20:52 KSA
HIGH CVSS 8.8 CWE-639
Authorization bypass through user-controlled key in Azure Privileged Identity Management (PIM) allows an authorized attacker to elevate privileges over a network.
CVE-2026-45659
Microsoft Office SharePoint Deserialization Code Execution Vulnerability
20:52 KSA
HIGH CVSS 8.8 CWE-502
Deserialization of untrusted data in Microsoft Office SharePoint allows an authorized attacker to execute code over a network.
CVE-2026-9018
22:00 KSA
HIGH CVSS 8.8 CWE-269
The Easy Elements for Elementor – Addons & Website Templates plugin for WordPress is vulnerable to Privilege Escalation in all versions up to, and including, 1.4.5 via the `easyel_handle_register()` function. This is due to the `wp_ajax_nopriv_eel_register` AJAX handler iterating…
CVE-2026-41071
23:15 KSA
HIGH CVSS 8.1 CWE-125
libheif is a HEIF and AVIF file format decoder and encoder. In versions 1.21.2 and prior, a crafted HEIF sequence file where the saiz box declares more samples than actually exist in the track's chunk table causes a heap-buffer-overflow (out-of-bounds read) in the SampleAuxInfoRe…
CVE-2026-45584
Microsoft Defender Heap Buffer Overflow Remote Code Execution
14:54 KSA
HIGH CVSS 8.1 CWE-122
Heap-based buffer overflow in Microsoft Defender allows an unauthorized attacker to execute code over a network.
CVE-2026-42834
12:00 KSA
HIGH CVSS 7.8 CWE-59
Improper link resolution before file access ('link following') in Azure Portal Windows Admin Center allows an authorized attacker to elevate privileges locally.
CVE-2026-8632
HP Linux Imaging and Printing Software Command Injection Vulnerability
00:22 KSA
HIGH CVSS 7.8 CWE-77
A potential security vulnerability has been identified in the HP Linux Imaging and Printing Software. This potential vulnerability may allow escalation of privileges and/or arbitrary code execution via operating system command injection.
CVE-2026-26147
20:52 KSA
HIGH CVSS 7.7 CWE-20
Improper input validation in Azure Compute Gallery allows an authorized attacker to disclose information over a network.
CVE-2026-5783
Reflected XSS in Beyaz CityPLus Web Application
18:18 KSA
HIGH CVSS 7.6 CWE-79
Improper neutralization of input during web page generation ('cross-site scripting') vulnerability in Beyaz Computer Software Design Industry and Trade Ltd. Co. CityPLus allows Reflected XSS. This issue affects CityPLus: before V24.29750.1.0.
CVE-2026-9144
20:55 KSA
HIGH CVSS 7.6 CWE-79
Taiko AG1000-01A SMS Alert Gateway Rev 7.3 and Rev 8 contains a stored cross-site scripting vulnerability in the embedded web configuration interface that allows authenticated attackers to execute persistent JavaScript by fragmenting malicious payloads across multiple administrat…
CVE-2025-13479
Authorization Bypass in PosCube QR Menu via User-Controlled Identifiers
00:22 KSA
HIGH CVSS 7.5 CWE-639
Authorization bypass through User-Controlled key vulnerability in PosCube Hardware Software and Consulting Ltd. QR Menu allows Exploitation of Trusted Identifiers. This issue affects QR Menu: through 21052026. NOTE: The vendor was contacted early about this disclosure but did no…
CVE-2026-20239
03:23 KSA
HIGH CVSS 7.5 CWE-532
In Splunk Enterprise versions below 10.2.2 and 10.0.5, and Splunk Cloud Platform versions below 10.3.2512.8, 10.2.2510.11, 10.1.2507.21, and 10.0.2503.13, a user with a role that has access to the `_internal` index could view session cookies and response bodies that contain sensi…
CVE-2026-23663
20:52 KSA
HIGH CVSS 7.5 CWE-269
Improper privilege management in Azure Entra ID allows an unauthorized attacker to elevate privileges over a network.
CVE-2026-4834
WP ERP Pro SQL Injection via search_key Parameter (CVE-2026-4834)
22:00 KSA
HIGH CVSS 7.5 CWE-89
The WP ERP Pro plugin for WordPress is vulnerable to SQL Injection via the 'search_key' parameter in all versions up to, and including, 1.5.1. This is due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This ma…
CVE-2026-5946
BIND DNS Named Assertion Failure in Non-Internet Class Message Handling
14:54 KSA
HIGH CVSS 7.5 CWE-20
Multiple flaws have been identified in `named` related to the handling of DNS messages whose CLASS is not Internet (`IN`) — for example, `CHAOS` or `HESIOD`, or DNS messages that specify meta-classes (`ANY` or `NONE`) in the question section. Specially crafted requests reaching t…
CVE-2026-8679
AudioIgniter WordPress Plugin IDOR Vulnerability - Unauthorized Playlist Access
22:00 KSA
HIGH CVSS 7.5 CWE-639
The AudioIgniter plugin for WordPress is vulnerable to Insecure Direct Object Reference in versions up to, and including, 2.0.2. This is due to the handle_playlist_endpoint() function (hooked to template_redirect) accepting a user-controlled playlist ID via the audioigniter_playl…
CVE-2026-9011
Ditty WordPress Plugin Authorization Bypass via AJAX Endpoint
22:00 KSA
HIGH CVSS 7.5 CWE-862
The Ditty – Responsive News Tickers, Sliders, and Lists plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 3.1.65. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible…
CVE-2026-32323
08:18 KSA
HIGH CVSS 7.3 CWE-269
Mullvad VPN is a VPN client app for desktop and mobile. When using macOS with versions 2026.1 and below, Mullvad VPN may allow local privilege escalation during installation or upgrade. The installer package executes binaries from /Applications/Mullvad VPN.app without verifying i…
CVE-2026-7613
20:55 KSA
HIGH CVSS 7.2 CWE-79
The Cost of Goods by PixelYourSite plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'csvdata[0][cost_of_goods_value]' parameter in versions up to, and including, 1.2.12 due to insufficient input sanitization and output escaping. This makes it possible for…
CVE-2025-13477
WifiBurada Authentication Bypass via Insufficiently Protected Credentials
00:22 KSA
HIGH CVSS 7.1 CWE-359
Exposure of private personal information to an unauthorized actor, Insufficiently Protected Credentials vulnerability in Digital Operations Services Inc. WifiBurada allows Authentication Bypass. This issue affects WifiBurada: through 21052026. NOTE: The vendor was contacted earl…
CVE-2026-7509
12:18 KSA
MEDIUM CVSS 6.4 CWE-79
The KIA Subtitle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin's `the-subtitle` shortcode `before` and `after` attributes in all versions up to, and including, 4.0.1. This is due to insufficient input sanitization and output escaping on user sup…
CVE-2026-9104
12:18 KSA
MEDIUM CVSS 6.4 CWE-79
The Draft List plugin for WordPress is vulnerable to Stored Cross-Site Scripting via Draft Post Title in all versions up to, and including, 2.6.3 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with author-level acce…
CVE-2018-25252
03:38 KSA
MEDIUM CVSS 6.2 CWE-787
FTP Voyager 16.2.0 contains a denial of service vulnerability that allows local attackers to crash the application by injecting oversized buffer data into the site profile IP field. Attackers can create a malicious site profile containing 500 bytes of repeated characters and past…
CVE-2018-25253
03:38 KSA
MEDIUM CVSS 6.2 CWE-787
Termite 3.4 contains a buffer overflow vulnerability in the User interface language settings field that allows local attackers to cause a denial of service by supplying an excessively long string. Attackers can paste a 2000-byte payload into the Settings User interface language f…
CVE-2018-25262
04:02 KSA
MEDIUM CVSS 6.2 CWE-787
Angry IP Scanner for Linux 3.5.3 contains a denial of service vulnerability that allows local attackers to crash the application by supplying malformed input to the port selection field. Attackers can craft a malicious string containing buffer overflow patterns and paste it into …
CVE-2018-25264
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
TransMac 12.2 contains a buffer overflow vulnerability in the license key input field that allows local attackers to crash the application by submitting an oversized string. Attackers can generate a payload file containing 4000 bytes of data, paste it into the License Key field, …
CVE-2018-25266
04:02 KSA
MEDIUM CVSS 6.2 CWE-787
Angry IP Scanner 3.5.3 contains a buffer overflow vulnerability in the preferences dialog that allows local attackers to crash the application by supplying an excessively large string. Attackers can generate a file containing a massive buffer of repeated characters and paste it i…
CVE-2018-25267
06:10 KSA
MEDIUM CVSS 6.2 CWE-787
UltraISO 9.7.1.3519 contains a local buffer overflow vulnerability in the Output FileName field of the Make CD/DVD Image dialog that allows attackers to overwrite SEH and SE handler records. Attackers can craft a malicious filename string with 304 bytes of data followed by SEH re…
CVE-2018-25271
06:10 KSA
MEDIUM CVSS 6.2 CWE-787
Textpad 8.1.2 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long buffer string through the Run command interface. Attackers can paste a 5000-byte payload into the Command field via Tools > Run to trigge…
CVE-2018-25273
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
CrossFont 7.5 contains a buffer overflow vulnerability that allows local attackers to crash the application by submitting an oversized payload in the License Key field. Attackers can generate a malicious file containing 4000 bytes of data, paste it into the License Key input fiel…
CVE-2018-25274
06:05 KSA
MEDIUM CVSS 6.2 CWE-789
InfraRecorder 0.53 contains a denial of service vulnerability that allows local attackers to crash the application by importing a maliciously crafted text file. Attackers can create a text file containing 6000 bytes of data and import it through the Edit menu's Import function to…
CVE-2018-25275
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Faleemi Plus 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can paste a 2000-byte payload into the Camera name and DID number fields during camera addition to trigger an applicati…
CVE-2018-25277
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
PixGPS 1.1.8 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string to the folder path input field. Attackers can craft a payload exceeding 6000 bytes and paste it into the 'Folder with picture files' field t…
CVE-2018-25278
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
PicaJet FX 2.6.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to registration fields. Attackers can paste a 6000-byte buffer into the Registration Name and Registration Key fields via the Help menu's…
CVE-2018-25279
06:05 KSA
MEDIUM CVSS 6.2 CWE-789
jiNa OCR Image to Text 1.0 contains a denial of service vulnerability that allows local attackers to crash the application by processing a malformed PNG file. Attackers can create a specially crafted PNG file with an oversized buffer and trigger the crash when the application att…
CVE-2018-25282
06:05 KSA
MEDIUM CVSS 6.2 CWE-674
Nmap 7.70 contains a denial of service vulnerability that allows local attackers to crash the application by processing malicious XML files with exponential entity expansion. Attackers can create a crafted XML file with nested entity definitions and open it through ZenMap's scan …
CVE-2018-25284
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
HD Tune Pro 5.70 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the folder/file name field. Attackers can trigger a denial of service by entering a 6000-byte payload through the File > Optio…
CVE-2018-25286
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Easy PhotoResQ 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Folder/filename field. Attackers can input a 6000-byte payload through the File Options dialog to trigger a denial of se…
CVE-2018-25288
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
StyleWriter 1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a 6000-byte payload into the Pattern to Find or Advice Message fields in the Add Pattern dialog to trigger a …
CVE-2018-25289
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Softdisk 3.0.3 contains a buffer overflow vulnerability in the registration code dialog that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by entering a 6000-byte payload in the Registration Name field th…
CVE-2018-25290
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Easyboot 6.6.0 contains a buffer overflow vulnerability in the Replace Text function that allows local attackers to crash the application by supplying an oversized string. Attackers can trigger the vulnerability by accessing File > Tools > Replace Text and pasting a 7000-byte pay…
CVE-2018-25291
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Project64 2.3.2 contains a buffer overflow vulnerability in the Plugin Directory settings field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 6000-byte payload into the Plugin Directory field through the Option…
CVE-2018-25292
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Bome Restorator 1793 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can create a malicious payload exceeding 4000 bytes and paste it into the Name input field to tr…
CVE-2018-25293
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Prime95 29.4b7 contains a buffer overflow vulnerability in the PrimeNet connection dialog that allows local attackers to crash the application by supplying an excessively long string in the optional proxy password field. Attackers can trigger a denial of service by entering a 600…
CVE-2018-25295
06:05 KSA
MEDIUM CVSS 6.2 CWE-789
ObserverIP Scan Tool 1.4.0.1 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the IP input field. Attackers can paste a 2000-byte buffer of repeated characters into the IP field and trigger…
CVE-2018-25297
06:05 KSA
MEDIUM CVSS 6.2 CWE-120
Wansview 1.0.2 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input strings. Attackers can inject 2000-byte payloads into the Camera name and DID number fields during camera addition to trigger application cras…
CVE-2018-25305
15:38 KSA
MEDIUM CVSS 6.2 CWE-120
librsvg2-bin 2.40.13 contains a buffer overflow vulnerability that allows local attackers to cause a denial of service by processing malformed SVG files. Attackers can supply crafted SVG input to the rsvg conversion tool to trigger a segmentation fault in the cairo image composit…
CVE-2018-25306
15:38 KSA
MEDIUM CVSS 6.2 CWE-120
PDFunite 0.41.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by processing malformed PDF files during merge operations. Attackers can trigger a segmentation fault in the XRef::getEntry function within libpoppler by providing a spec…
CVE-2018-25313
20:09 KSA
MEDIUM CVSS 6.2 CWE-120
SysGauge 4.5.18 contains a buffer overflow vulnerability in the proxy configuration handler that allows local attackers to cause a denial of service by supplying an oversized string. Attackers can inject a large payload through the Proxy Server Host Name field in the Options menu…
CVE-2018-25324
20:32 KSA
MEDIUM CVSS 6.2 CWE-98
Simple Fields 0.2 through 0.3.5 WordPress Plugin contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by injecting null bytes into the wp_abspath parameter on PHP versions before 5.3.4. Attackers can supply malicious wp_abspa…
CVE-2019-25544
09:54 KSA
MEDIUM CVSS 6.2 CWE-807
Pidgin 2.13.0 contains a denial of service vulnerability that allows local attackers to crash the application by providing an excessively long username string during account creation. Attackers can input a buffer of 1000 characters in the username field and trigger a crash when j…
CVE-2019-25545
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
Terminal Services Manager 3.2.1 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string in the computer name field. Attackers can input a 5000-byte buffer of data into the 'Computer name or IP address' …
CVE-2019-25546
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
NetAware 1.20 contains a buffer overflow vulnerability in the Share Name field that allows local attackers to crash the application by supplying an excessively long string. Attackers can trigger a denial of service by pasting a 1000-byte buffer into the Share Name parameter when …
CVE-2019-25547
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
NetAware 1.20 contains a buffer overflow vulnerability in the User Blocking feature that allows local attackers to crash the application by supplying oversized input. Attackers can paste a malicious buffer of 512 bytes into the 'Add a website or keyword to be filtered' field and …
CVE-2019-25548
09:54 KSA
MEDIUM CVSS 6.2 CWE-466
BlueStacks 4.80.0.1060 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input to the search field. Attackers can paste a buffer of 100,000 'A' characters into the search field and trigger a search operation to…
CVE-2019-25549
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
VeryPDF PCL Converter 2.7 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long password string. Attackers can trigger a buffer overflow by entering a 3000-byte password in the PDF Security encryption fiel…
CVE-2019-25550
Encrypt PDF 2.3 Buffer Overflow in Password Fields
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
Encrypt PDF 2.3 contains a buffer overflow vulnerability that allows local attackers to crash the application by inputting excessively long strings into password fields. Attackers can paste a 1000-byte buffer into the User Password or Master Password field in the Settings dialog …
CVE-2019-25551
Sandboxie 5.30 Denial of Service via Long String in Program Alerts
09:54 KSA
MEDIUM CVSS 6.2 CWE-1282
Sandboxie 5.30 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Program Alerts configuration field. Attackers can paste a buffer of 5000 characters into the 'Select or enter a program' f…
CVE-2019-25561
Lyric Maker 2.0.1.0 Buffer Overflow in Title Field DoS
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
Lyric Maker 2.0.1.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Title field. Attackers can paste a 5000-byte buffer into the Title input field and save the file to trigger a denial of…
CVE-2019-25572
09:54 KSA
MEDIUM CVSS 6.2 CWE-1260
NordVPN 6.19.6 contains a denial of service vulnerability that allows local attackers to crash the application by submitting an excessively long string in the email input field. Attackers can paste a buffer of 100,000 characters into the email field during login to trigger an app…
CVE-2019-25589
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
ZOC Terminal 7.23.4 contains a buffer overflow vulnerability in the Shell field of Program Settings that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a crafted payload into the Shell configuration field and trigger a…
CVE-2019-25591
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
DNSS Domain Name Search Software 2.1.8 contains a buffer overflow vulnerability in the registration code input field that allows local attackers to crash the application by submitting an excessively long string. Attackers can trigger a denial of service by pasting a malicious reg…
CVE-2019-25592
09:54 KSA
MEDIUM CVSS 6.2 CWE-1260
PHPRunner 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the dashboard name field. Attackers can paste a buffer of 10000 characters into the Name field during dashboard creation to tr…
CVE-2019-25594
ASPRunner.NET 10.1 Denial of Service via Long Table Name Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-807
ASPRunner.NET 10.1 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the table name field. Attackers can input a buffer of 10000 characters in the table name parameter during database table c…
CVE-2019-25595
09:54 KSA
MEDIUM CVSS 6.2 CWE-469
jetAudio 8.1.7.20702 Basic contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string through the URL input handler. Attackers can trigger the crash by pasting a buffer of 5000 characters into the Open U…
CVE-2019-25596
SpotAuditor 5.2.6 Registration Dialog Denial of Service Vulnerability
09:54 KSA
MEDIUM CVSS 6.2 CWE-1287
SpotAuditor 5.2.6 contains a denial of service vulnerability in the registration dialog that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 repeated characters into the Name input duri…
CVE-2019-25597
NSauditor 3.1.2.0 contains a buffer overflow vulnerability in the SNMP Auditor Community field that allows local attacke
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
NSauditor 3.1.2.0 contains a buffer overflow vulnerability in the SNMP Auditor Community field that allows local attackers to crash the application by supplying an excessively long string. Attackers can paste a large payload into the Community field and trigger the Walk function …
CVE-2019-25598
HeidiSQL Portable 10.1.0.5464 Denial of Service via Buffer Overflow in Password Field
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
HeidiSQL Portable 10.1.0.5464 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer overflow payload into the password input during Microsoft SQL …
CVE-2019-25599
Backup Key Recovery 2.2.4 Denial of Service via Long Name Field
09:54 KSA
MEDIUM CVSS 6.2 CWE-466
Backup Key Recovery 2.2.4 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the Name field. Attackers can paste a buffer of 300 or more characters into the Name field during registration to t…
CVE-2019-25601
UltraVNC Launcher 1.2.2.4 Buffer Overflow in vncviewer.exe Path Property
09:54 KSA
MEDIUM CVSS 6.2 CWE-787
UltraVNC Launcher 1.2.2.4 contains a buffer overflow vulnerability in the Path vncviewer.exe property field that allows local attackers to crash the application by supplying an excessively long string. Attackers can input a 300-byte payload of repeated characters through the Prop…
CVE-2019-25616
AnMing MP3 CD Burner 2.0 Buffer Overflow DoS Vulnerability
09:54 KSA
MEDIUM CVSS 6.2 CWE-434
AnMing MP3 CD Burner 2.0 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized string. Attackers can paste a 6000-byte payload into the registration name field to trigger a denial of service condition.
CVE-2019-25617
Ease Audio Converter 5.30 Denial of Service via Malformed MP4 Files
09:54 KSA
MEDIUM CVSS 6.2 CWE-226
Ease Audio Converter 5.30 contains a denial of service vulnerability in the Audio Cutter function that allows local attackers to crash the application by processing malformed MP4 files. Attackers can create a crafted MP4 file containing an oversized buffer and load it through the…
CVE-2019-25618
AdminExpress 1.2.5 Denial of Service via Oversized Input in System Compare
09:54 KSA
MEDIUM CVSS 6.2 CWE-73
AdminExpress 1.2.5 contains a denial of service vulnerability that allows local attackers to crash the application by submitting oversized input through the System Compare feature. Attackers can paste a large buffer of characters into the Folder Path field and trigger the compari…
CVE-2019-25620
Tree Studio 2.17 Denial of Service via Malformed Keyboard Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-168
Tree Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, causi…
CVE-2019-25621
Pixel Studio 2.17 Denial of Service via Malformed Keyboard Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-807
Pixel Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters, causing the application to beco…
CVE-2019-25622
Paint Studio 2.17 Denial of Service via Malformed Key Entry Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-1285
Paint Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of characters and trigger the application to read i…
CVE-2019-25623
Luminance Studio 2.17 Denial of Service via Malformed Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-641
Luminance Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can create a text file with arbitrary character sequences and trigger the application to pr…
CVE-2019-25624
Liquid Studio 2.17 Denial of Service via Malformed Keyboard Input
09:54 KSA
MEDIUM CVSS 6.2 CWE-606
Liquid Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the keyboard interface. Attackers can trigger the vulnerability by entering arbitrary characters during application runtime, cau…
CVE-2019-25625
Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by prov
09:54 KSA
MEDIUM CVSS 6.2 CWE-1285
Blob Studio 2.17 contains a denial of service vulnerability that allows local attackers to crash the application by providing malformed input through the key entry mechanism. Attackers can create a text file with a large buffer of repeated characters and trigger the application t…
CVE-2019-25648
MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application
11:08 KSA
MEDIUM CVSS 6.2 CWE-787
MyVideoConverter Pro 3.14 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying an excessively long string to the registration code input field. Attackers can paste a malicious payload containing 10000 bytes into the 'Copy and …
CVE-2019-25653
Navicat for Oracle 12.1.15 Denial of Service via Long Password String
23:27 KSA
MEDIUM CVSS 6.2 CWE-620
Navicat for Oracle 12.1.15 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string in the password field. Attackers can paste a buffer of 550 repeated characters into the password parameter during Ora…
CVE-2019-25655
Device Monitoring Studio DoS via Malformed Server Connection String
23:27 KSA
MEDIUM CVSS 6.2 CWE-1316
Device Monitoring Studio 8.10.00.8925 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the server connection dialog. Attackers can trigger the crash by entering a malformed server name or ad…
CVE-2019-25659
ASPRunner Professional 6.0.766 Local Buffer Overflow in Project Name Field
05:32 KSA
MEDIUM CVSS 6.2 CWE-787
ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Attackers can paste 180 or more characters into the Project name field during project creation to trigge…
CVE-2019-25660
LanHelper 1.74 Local Buffer Overflow in Message Form
05:32 KSA
MEDIUM CVSS 6.2 CWE-787
LanHelper 1.74 contains a local buffer overflow vulnerability that allows attackers to crash the application by sending excessively long input strings. Attackers can exploit the Form Send Message feature by pasting 6000 bytes of data into the Message text field to trigger a denia…
CVE-2019-25665
River Past Ringtone Converter Buffer Overflow in Activation Dialog
05:32 KSA
MEDIUM CVSS 6.2 CWE-787
River Past Ringtone Converter 2.7.6.1601 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to activation fields. Attackers can paste 300 bytes of data into the Email textbox and Activation code textarea via …
CVE-2019-25666
SpotAuditor 3.6.7 contains a local buffer overflow vulnerability in the Base64 Password Decoder component that allows at
05:32 KSA
MEDIUM CVSS 6.2 CWE-787
SpotAuditor 3.6.7 contains a local buffer overflow vulnerability in the Base64 Password Decoder component that allows attackers to crash the application. Attackers can supply an oversized Base64 string through the decoder interface to trigger a denial of service condition.
CVE-2019-25667
TaskInfo 8.2.0.280 Local Buffer Overflow in Registration Dialog
05:32 KSA
MEDIUM CVSS 6.2 CWE-787
TaskInfo 8.2.0.280 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to registration fields. Attackers can paste excessively long strings into the New User Name or New Serial Number textboxes in the Help men…
CVE-2019-25683
FileZilla 3.40.0 Local Search Denial of Service via Malformed Path
05:32 KSA
MEDIUM CVSS 6.2 CWE-532
FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Attackers can trigger the crash by entering a crafted path containing 384 'A' characters follow…
CVE-2019-25712
BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers t
01:25 KSA
MEDIUM CVSS 6.2 CWE-787
BlueAuditor 1.7.2.0 contains a buffer overflow vulnerability in the registration key field that allows local attackers to crash the application by submitting an oversized key value. Attackers can trigger a denial of service by entering a 256-byte buffer of repeated characters in …
CVE-2020-37234
Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local
01:16 KSA
MEDIUM CVSS 6.2 CWE-120
Internet Download Manager 6.38.12 contains a buffer overflow vulnerability in the Scheduler component that allows local attackers to crash the application by supplying oversized input. Attackers can paste malicious data exceeding 5000 bytes into the 'Open the following file when …
CVE-2020-37246
Supsystic Backup 2.3.9 Local File Inclusion and Arbitrary File Deletion
01:16 KSA
MEDIUM CVSS 6.2 CWE-98
Supsystic Backup 2.3.9 contains a local file inclusion vulnerability that allows unauthenticated attackers to read and delete arbitrary files by manipulating the download path parameter. Attackers can modify the download parameter in admin.php requests with directory traversal se…
CVE-2021-47978
ProcessMaker 3.5.4 Unauthenticated Local File Inclusion via Path Traversal
01:16 KSA
MEDIUM CVSS 6.2 CWE-98
ProcessMaker 3.5.4 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting improper path traversal validation. Attackers can send requests with directory traversal sequences to access sensitive system files like /e…
CVE-2022-50954
WordPress cab-fare-calculator Plugin LFI via Path Traversal in Controller Parameter
20:16 KSA
MEDIUM CVSS 6.2 CWE-98
WordPress Plugin cab-fare-calculator 1.0.3 contains a local file inclusion vulnerability that allows unauthenticated attackers to read arbitrary files by manipulating the controller parameter in tblight.php. Attackers can supply path traversal sequences through the controller GET…
CVE-2022-50956
WordPress amministrazione-aperta Plugin Arbitrary File Read Vulnerability
20:16 KSA
MEDIUM CVSS 6.2 CWE-22
WordPress Plugin amministrazione-aperta 3.7.3 contains a local file read vulnerability that allows unauthenticated attackers to read arbitrary files by exploiting insufficient input validation in the open parameter. Attackers can supply file paths through the open GET parameter i…
CVE-2025-12708
IBM Concert Hard-Coded Credentials Vulnerability (CVE-2025-12708)
11:08 KSA
MEDIUM CVSS 6.2 CWE-798
IBM Concert 1.0.0 through 2.2.0 contains hard-coded credentials that could be obtained by a local user.
CVE-2025-13044
IBM Concert Predictable Temporary File Names Symlink Attack
16:25 KSA
MEDIUM CVSS 6.2 CWE-340
IBM Concert 1.0.0 through 2.2.0 creates temporary files with predictable names, which allows local users to overwrite arbitrary files via a symlink attack.
CVE-2025-36335
IBM watsonx.data Plain Text Credential Storage Vulnerability
04:54 KSA
MEDIUM CVSS 6.2 CWE-256
IBM watsonx.data intelligence 5.2.0, 5.2.1, 5.3.0, 5.3.1 stores user credentials in plain text which can be read by a local user.
CVE-2025-64646
IBM Concert Memory Buffer Information Disclosure Vulnerability
11:08 KSA
MEDIUM CVSS 6.2 CWE-14
IBM Concert 1.0.0 through 2.2.0 could allow an attacker to access sensitive information in memory due to the buffer not properly clearing resources.
CVE-2026-0005
Android KeyguardServiceDelegate App Pinning Bypass via Missing Permission Check
02:48 KSA
MEDIUM CVSS 6.2 CWE-200
In onServiceDisconnected of KeyguardServiceDelegate.java, there is a possible partial bypass of app pinning allowing limited interaction with other apps without knowing the LSKF due to a missing permission check. This could lead to local information disclosure where the extent of…
CVE-2026-0012
Android ExpandableNotificationRow Contact Name Information Disclosure
02:48 KSA
MEDIUM CVSS 6.2 CWE-284
In setHideSensitive of ExpandableNotificationRow.java, there is a possible contact name leak due to a logic error in the code. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.
CVE-2026-32072
Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally.
00:48 KSA
MEDIUM CVSS 6.2 CWE-287
Improper authentication in Windows Active Directory allows an unauthorized attacker to perform spoofing locally.
CVE-2026-33574
OpenClaw Path Traversal in Skills Installer (TOCTOU Vulnerability)
22:54 KSA
MEDIUM CVSS 6.2 CWE-367
OpenClaw before 2026.3.8 contains a path traversal vulnerability in the skills download installer that validates the tools root lexically but reuses the mutable path during archive download and copy operations. A local attacker can rebind the tools-root path between validation an…
CVE-2026-34666
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34667
Integer Underflow in CAI Content Credentials Causes DoS
01:18 KSA
MEDIUM CVSS 6.2 CWE-191
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-…
CVE-2026-34668
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34669
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34670
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34671
CAI Content Credentials Integer Overflow DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-190
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service …
CVE-2026-34672
CAI Content Credentials Integer Underflow DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-191
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Underflow (Wrap or Wraparound) vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-…
CVE-2026-34673
CAI Content Credentials Uncontrolled Resource Consumption DoS
01:18 KSA
MEDIUM CVSS 6.2 CWE-400
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application de…
CVE-2026-34677
CAI Content Credentials Uncontrolled Resource Consumption DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-400
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application de…
CVE-2026-34678
CAI Content Credentials Uncontrolled Resource Consumption DoS
01:18 KSA
MEDIUM CVSS 6.2 CWE-400
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Uncontrolled Resource Consumption vulnerability that could lead to application denial-of-service. An attacker could exploit this vulnerability to exhaust system resources, resulting in an application de…
CVE-2026-34679
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34680
CAI Content Credentials Integer Overflow Denial-of-Service Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-190
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Integer Overflow or Wraparound vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service …
CVE-2026-34688
CAI Content Credentials Input Validation DoS Vulnerability
01:18 KSA
MEDIUM CVSS 6.2 CWE-20
CAI Content Credentials versions 0.78.2, 0.7.0 and earlier are affected by an Improper Input Validation vulnerability that could result in an application denial-of-service. An attacker could exploit this vulnerability to crash the application, leading to a denial-of-service condi…
CVE-2026-34961
Barebox ext4 Out-of-Bounds Read in Extent Parsing (CVE-2026-34961)
04:36 KSA
MEDIUM CVSS 6.2 CWE-125
barebox prior to version 2026.04.0 contains out-of-bounds read vulnerabilities in ext4 extent parsing due to missing validation of the eh_entries field against buffer capacity in fs/ext4/ext4_common.c. Attackers can supply a malicious ext4 filesystem image via USB, SD card, or ne…
CVE-2026-34962
barebox ext4 Directory Parser Infinite Loop DoS Vulnerability
07:18 KSA
MEDIUM CVSS 6.2 CWE-835
barebox versions prior to 2026.04.0 contain a denial-of-service vulnerability in ext4 directory parsing in fs/ext4/ext4_common.c where the ext4fs_iterate_dir() function fails to validate that directory entry length values are non-zero. Attackers can supply a malicious ext4 filesy…
CVE-2026-40380
Heap Buffer Overflow in Volume Manager Extension Driver
16:47 KSA
MEDIUM CVSS 6.2 CWE-122
Heap-based buffer overflow in Volume Manager Extension Driver allows an authorized attacker to execute code with a physical attack.
CVE-2026-41614
M365 Copilot Desktop Improper Access Control Spoofing Vulnerability
19:59 KSA
MEDIUM CVSS 6.2 CWE-284
Improper access control in M365 Copilot for Desktop allows an unauthorized attacker to perform spoofing locally.
CVE-2026-43894
jq Buffer Overflow via Integer Overflow in Number Parsing (CVE-2026-43894)
23:33 KSA
MEDIUM CVSS 6.2 CWE-190
jq is a command-line JSON processor. In 1.8.1 and earlier, when decNumberFromString is given a number literal of INT_MAX-1 (2147483646) digits, the D2U() macro overflows during signed-int arithmetic. The wrapped negative value bypasses the heap-allocation size check, causes the f…
CVE-2026-43896
jq Unbounded Recursion in Object Merge Causes Denial of Service
06:39 KSA
MEDIUM CVSS 6.2 CWE-674
jq is a command-line JSON processor. In 1.8.1 and earlier, unbounded recursion in jv_object_merge_recursive() allows a crafted jq program to crash the process with a segfault. The function is reachable through the * operator when both operands are objects.
CVE-2018-25247
MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts b
03:38 KSA
MEDIUM CVSS 6.1 CWE-79
MyBB Like Plugin 3.0.0 contains a cross-site scripting vulnerability that allows attackers to inject malicious scripts by creating posts or threads with unvalidated subject content. Attackers can craft post subjects containing script tags that execute when other users view the at…
CVE-2018-25331
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to i
20:32 KSA
MEDIUM CVSS 6.1 CWE-79
Zenar Content Management System contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating form parameters in POST requests. Attackers can inject script tags through the current_page parameter sent to the ajax.p…
CVE-2026-3481
WP Blockade Plugin Reflected XSS via Shortcode Parameter
12:18 KSA
MEDIUM CVSS 6.1 CWE-79
The WP Blockade plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'shortcode' parameter in all versions up to and including 0.9.14. This is due to insufficient input sanitization and output escaping in the render_shortcode_preview() function. The functi…
CVE-2026-6864
CBX 5 Star Rating & Review Plugin Reflected XSS Vulnerability
12:18 KSA
MEDIUM CVSS 6.1 CWE-79
The CBX 5 Star Rating & Review plugin for WordPress is vulnerable to Reflected Cross-Site Scripting via the 'page' parameter in all versions up to, and including, 1.0.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attacker…
CVE-2026-48248
Open ISES Tickets TLS Certificate Verification Bypass in Authentication
11:18 KSA
MEDIUM CVSS 5.9 CWE-295
Open ISES Tickets before 3.44.2 disables TLS certificate verification in incs/login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the login/authentication …
CVE-2026-48249
TLS Certificate Verification Disabled in Open ISES Mobile Login
19:18 KSA
MEDIUM CVSS 5.9 CWE-295
Open ISES Tickets before 3.44.2 disables TLS certificate verification in rm/incs/mobile_login.inc.php by setting CURLOPT_SSL_VERIFYPEER to false (and not setting CURLOPT_SSL_VERIFYHOST) when issuing outbound HTTPS requests during the mobile (Rou…
CVE-2026-22678
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the
19:18 KSA
MEDIUM CVSS 5.4 CWE-79
Webmin before 2.641 contains a stored cross-site scripting vulnerability in the email template description field of the System and Server Status module that allows low-privileged authenticated attackers to execute arbitrary commands by injecting unsanitized input stored in save_t…
CVE-2026-7798
FluentCRM WordPress Plugin SSRF Vulnerability via SubscribeURL Parameter
15:41 KSA
MEDIUM CVSS 5.4 CWE-918
The FluentCRM – Email Newsletter, Automation, Email Marketing, Email Campaigns, Optins, Leads, and CRM Solution plugin for WordPress is vulnerable to Blind Server-Side Request Forgery in all versions up to, and including, 2.9.87 via the 'SubscribeURL' parameter. This makes it pos…
CVE-2026-8684
MotoPress Hotel Booking Plugin Authorization Bypass - Booking Notes
15:41 KSA
MEDIUM CVSS 5.3 CWE-862
The MotoPress Hotel Booking plugin for WordPress is vulnerable to authorization bypass in all versions up to, and including, 6.0.1. This is due to the plugin not properly verifying that a user is authorized to perform an action. This makes it possible for unauthenticated attacker…
⚠️ Threat Intelligence
29 threats
rss:The Hacker News
01:32 KSA
HIGH ransomware
First VPN Dismantled in Global Takedown Over Use by 25 Ransomware Groups European and North American authorities have successfully dismantled First VPN, a criminal virtual private network service that was actively used by 25 ransomware groups to conceal attack o…
rss:SecurityWeek
00:07 KSA
HIGH vulnerability
Drupal Vulnerability in Hacker Crosshairs Shortly After Disclosure Drupal has disclosed CVE-2026-9082, a vulnerability that is already being actively exploited by attackers against thousands of websites. Security firms are reporting widespread attack attempts ta…
rss:The Hacker News
00:07 KSA
HIGH phishing
Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware The Belarus-aligned threat actor Ghostwriter (UAC-0057/UNC1151) is conducting phishing campaigns against Ukrainian government entities using lures impersonating Prometheus, a Ukrain…
rss:BleepingComputer
00:07 KSA
CRITICAL supply_chain
Netherlands seizes 800 servers of hosting firm enabling cyberattacks Dutch financial crime investigators arrested two individuals and seized 800 servers from a web hosting company that facilitated cyberattacks, interference operations, and disinformation campaig…
rss:Dark Reading
22:57 KSA
MEDIUM general
Akamai Joins Growing Chorus of Vendors Betting Big on Secure Enterprise Browsers Akamai has acquired LayerX to expand its cybersecurity offerings with secure enterprise browser technology. This move reflects industry-wide recognition that browser security is cri…
rss:Krebs on Securit
22:57 KSA
CRITICAL data_breach
Lawmakers Demand Answers as CISA Tries to Contain Data Leak A CISA contractor intentionally published AWS GovCloud keys and sensitive agency secrets on a public GitHub account, prompting Congressional lawmakers to demand answers from the U.S. Cybersecurity & Inf…
rss:Dark Reading
21:48 KSA
HIGH phishing
Verizon DBIR: Healthcare Fends Off Increased Social Engineering Attacks The healthcare sector faces escalating social engineering attacks alongside persistent ransomware and vendor breach threats, according to Verizon's 2026 Data Breach Investigations Report. Ev…
rss:BleepingComputer
21:48 KSA
HIGH phishing
Former US execs plead guilty to aiding tech support scammers Two former executives pleaded guilty to concealing a multi-year tech support fraud scheme that victimized individuals globally. The executives' company provided infrastructure that enabled scammers to …
rss:SecurityWeek
20:27 KSA
CRITICAL vulnerability
In Other News: Industrial Router Exploitation, CISA KEV Nomination Form, Gas Station Hacking Multiple critical security incidents reported including industrial router exploitation, CISA contractor credential exposure, and Huawei router vulnerability causing tele…
rss:BleepingComputer
20:27 KSA
CRITICAL vulnerability
Trend Micro warns of Apex One zero-day exploited in the wild Trend Micro has patched a zero-day vulnerability in Apex One that is actively being exploited in attacks against Windows systems. This vulnerability poses a significant risk to organizations using Tren…
rss:Malwarebytes Lab
19:21 KSA
CRITICAL vulnerability
Update Chrome now: Critical bugs could let attackers run code Google has released a critical Chrome update addressing multiple vulnerabilities that could allow attackers to execute arbitrary code through malicious websites. The update patches severe flaws but n…
rss:The Hacker News
19:21 KSA
CRITICAL vulnerability
Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective This technical analysis examines how Windows kernel mode drivers can be exploited from user mode without requiring the specific hardware they were designed for, introducing the BYOVD …
rss:The Hacker News
19:21 KSA
CRITICAL supply_chain
Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows A large-scale automated campaign called Megalodon has injected 5,718 malicious commits into 5,561 GitHub repositories using forged identities and throwaway accounts within a six-hour wind…
rss:BleepingComputer
19:21 KSA
CRITICAL vulnerability
Drupal: Critical SQL injection flaw now targeted in attacks Drupal has issued a critical warning regarding active exploitation of a highly critical SQL injection vulnerability. Attackers are actively attempting to exploit this flaw, posing significant risk to or…
rss:BleepingComputer
19:21 KSA
HIGH fraud
Why Chargebacks are Just One Piece of the Fraud Puzzle Organizations face broader fraud risks beyond chargebacks, including false declines, account takeovers, and abuse that impact revenue and customer trust. Comprehensive fraud detection requires visibility acr…
rss:SecurityWeek
18:16 KSA
HIGH malware
Canadian Man Arrested for Operating Kimwolf Botnet A 23-year-old Canadian man, Jacob Butler, has been arrested and faces extradition to the US on computer hacking charges related to operating the Kimwolf botnet. This case highlights law enforcement's continued e…
rss:BleepingComputer
18:16 KSA
CRITICAL vulnerability
Ubiquiti patches three max severity UniFi OS vulnerabilities Ubiquiti released security patches for three critical vulnerabilities in UniFi OS that allow remote attackers to exploit the system without requiring authentication or privileges. These maximum severit…
rss:SecurityWeek
16:48 KSA
CRITICAL ransomware
‘First VPN’ Cybercrime Service Disrupted, Administrator Arrested The FBI has disrupted the 'First VPN' cybercrime service and arrested its administrator. The VPN service was actively used by dozens of ransomware groups for network reconnaissance and conducting i…
rss:SecurityWeek
15:18 KSA
CRITICAL vulnerability
TrendAI Patches Apex One Zero-Day Exploited in the Wild TrendAI has patched CVE-2026-34926, a critical directory traversal vulnerability in the on-premise version of Apex One that is actively being exploited in the wild. This zero-day flaw poses significant risk…
rss:The Hacker News
15:18 KSA
HIGH ddos
Kimwolf DDoS Botnet Operator Arrested in Canada Over DDoS-for-Hire Attacks A 23-year-old Canadian man named Jacob Butler was arrested by U.S. authorities for operating the Kimwolf DDoS botnet used to conduct distributed denial-of-service attacks for hire. The ar…
rss:BleepingComputer
15:18 KSA
HIGH ddos
US and Canada arrest and charge suspected Kimwolf botnet admin U.S. and Canadian authorities arrested a Canadian individual suspected of operating the KimWolf DDoS botnet that compromised nearly two million devices globally. This takedown represents a significan…
rss:SecurityWeek
13:54 KSA
CRITICAL supply_chain
Grafana Says Codebase and Other Data Stolen via TanStack Supply Chain Attack Grafana's codebase and sensitive data were compromised after attackers exploited a compromised token from the TanStack supply chain attack. The security breach occurred because the orga…
rss:Dark Reading
13:54 KSA
CRITICAL apt
China's Webworm Uses Discord, Microsoft Graphs to Hack EU Govts. A Chinese advanced persistent threat group exploited Discord and Microsoft Graph APIs to compromise European government entities. The attackers utilized SOCKS proxies and tunneling tools like …
rss:The Hacker News
13:54 KSA
CRITICAL vulnerability
CISA Adds Exploited Langflow and Trend Micro Apex One Vulnerabilities to KEV CISA has added two actively exploited vulnerabilities affecting Langflow and Trend Micro Apex One to its Known Exploited Vulnerabilities catalog. These security flaws pose immediate thr…
rss:The Hacker News
12:32 KSA
CRITICAL vulnerability
Cisco Patches CVSS 10.0 Secure Workload REST API Flaw Enabling Data Access Cisco has released patches for a critical vulnerability (CVE-2026-20223) with a maximum CVSS score of 10.0 in its Secure Workload REST API that allows unauthenticated remote attackers to …
rss:Krebs on Securit
05:39 KSA
CRITICAL ddos
Alleged Kimwolf Botmaster ‘Dort’ Arrested, Charged in U.S. and Canada A 23-year-old from Ottawa was arrested for allegedly developing and operating Kimwolf, an IoT botnet that compromised millions of devices to conduct large-scale DDoS attacks over six months. T…
rss:Recorded Future
03:35 KSA
HIGH vulnerability
The Vulnerability Flood Is Now a Board Conversation. Here's How to Lead It. The article discusses how board members are increasingly questioning organizations about AI-driven vulnerability discovery and management. Leaders who effectively communicate their …
rss:Dark Reading
03:35 KSA
HIGH general
How CISOs Should Prep for Agentic-Ready AI BOMs CISOs need to develop comprehensive documentation strategies for AI Bills of Materials (BOMs) that capture both component and execution attributes. This preparation is critical for managing security risks in agenti…
rss:Dark Reading
03:35 KSA
CRITICAL vulnerability
Google API Keys Remain Active After Deletion A critical vulnerability was discovered where Google API keys remain functional for up to 23 minutes after deletion, contradicting Google's claims of immediate deletion. This delay creates a significant security windo…

This digest is updated automatically every day — Last updated: Friday, May 22, 2026