CVE Brief Security Intelligence

The WowStore – Store Builder & Product Blocks for WooCommerce plugin for WordPress is vulnerable to SQL Injection via the ‘search’ parameter in all versions up to, and including, 4

Unraid Update Request Path Traversal Remote Code Execution Vulnerability

xmlseclibs is a library written in PHP for working with XML Encryption and Signatures

All versions of the sjcl library are vulnerable to improper cryptographic signature verification due to missing point-on-curve validation.

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers

Open Neural Network Exchange (ONNX) is an open standard for machine learning interoperability

jsPDF contains a high-severity vulnerability within its JavaScript-based PDF generation logic that could allow for malicious exploitation during document creation.

SQL Injection vulnerability in Chyrp v

This issue affects Apache Spark: before 3

Chamilo LMS is a learning management system

The `flow/admin/moniteur

LDAP Account Manager (LAM) is a webfrontend for managing entries (e

The NEX-Forms – Ultimate Forms Plugin for WordPress plugin for WordPress is vulnerable to Insecure Direct Object Reference in all versions up to, and including, 9

The Bedrock AgentCore Starter Toolkit is vulnerable to an S3 ownership verification flaw, potentially allowing unauthorized access to cloud storage resources.

Next Click Ventures RealtyScript 4

Apache Airflow versions 3

Dell ThinOS 10 versions prior to ThinOS 2602_10

Apache Airflow versions 3

Philips Hue Bridge HomeKit Pair-Setup Heap-based Buffer Overflow Remote Code Execution Vulnerability

Philips Hue Bridge HomeKit hk_hap_pair_storage_put Heap-based Buffer Overflow Remote Code Execution Vulnerability

A weakness has been identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205

A security vulnerability has been detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205

A vulnerability was detected in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205

A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205

Philips Hue Bridge Zigbee Stack Custom Command Handler Heap-based Buffer Overflow Remote Code Execution Vulnerability

Philips Hue Bridge hap_pair_verify_handler Sub-TLV Parsing Heap-based Buffer Overflow Remote Code Execution Vulnerability

Philips Hue Bridge hk_hap characteristics Heap-based Buffer Overflow Remote Code Execution Vulnerability

AnythingLLM contains a high-severity vulnerability related to how it processes content into context for Large Language Models, potentially leading to unauthorized access.

Authlib is a Python library which builds OAuth and OpenID Connect servers

Cockpit is a headless content management system

GStreamer's rtpqdm2depay component is vulnerable to an Out-Of-Bounds Write, which could allow an unauthenticated attacker to execute remote code.

GStreamer's rtpqdm2depay component contains a heap-based buffer overflow that could lead to unauthenticated remote code execution.

Philips Hue Bridge HomeKit Accessory Protocol Transient Pairing Mode Authentication Bypass Vulnerability

Philips Hue Bridge HomeKit Accessory Protocol Static Nonce Authentication Bypass Vulnerability

Local privilege escalation in snapd on Linux allows local attackers to get root privilege by re-creating snap's private /tmp directory when systemd-tmpfiles is configured to automatically clean up this directory

A security flaw has been discovered in D-Link DIR-619L 2

GStreamer ASF Demuxer Heap-based Buffer Overflow Remote Code Execution Vulnerability

GStreamer RIFF Palette Integer Overflow Remote Code Execution Vulnerability

GStreamer RealMedia Demuxer Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer DVB Subtitles Out-Of-Bounds Write Remote Code Execution Vulnerability

GStreamer JPEG Parser Heap-based Buffer Overflow Remote Code Execution Vulnerability

GROWI OpenAI thread/message API endpoints do not perform authorization

Serviio PRO 1

A critical SQL injection vulnerability in Spring AI's MariaDBFilterExpressionConverter allows attackers to bypass metadata-based access controls and execute arbitrary SQL commands

Telesquare SKT LTE Router SDT-CS3B1 software version 1

LibreChat RAG API, version 0

The Angeet ES3 KVM allows a remote, unauthenticated attacker to write arbitrary files, including configuration files or system binaries

ZKTeco ZKAccess Professional 3

Wowza Streaming Engine 4

"Functions" module in Raytha CMS allows privileged users to write custom code to add functionality to application

Raytha CMS allows an attacker to spoof `X-Forwarded-Host` or `Host` headers to attacker controlled domain

arduino-TuyaOpen before version 1

A vulnerability was determined in Belkin F9K1122 1

A weakness has been identified in LB-LINK BL-WR9000 2

A security vulnerability has been detected in LB-LINK BL-WR9000 2

A local, non-privileged attacker can abuse a vulnerable IOCTL interface exposed by the OpenEDR 2

Chamilo LMS is a learning management system

A vulnerability was determined in UTT HiPER 810G up to 1

A use-after-free vulnerability can be triggered in sharded clusters by an authenticated user with the read role who issues a specially crafted $lookup or $graphLookup aggregation pipeline

cpp-httplib is a C++11 single-file header-only cross platform HTTP/HTTPS library

A JSONPath injection vulnerability in Spring AI's AbstractFilterExpressionConverter allows authenticated users to bypass metadata-based access controls through crafted filter expressions

arduino-TuyaOpen before version 1

A flaw was found in libucl

Missing authorization checks on multiple gRPC service endpoints in PowerShell Universal before 2026

Next Click Ventures RealtyScript 4

xml-security is a library that implements XML signatures and encryption

Pigeon is a message board/notepad/social system/blog

Sipeed NanoKVM before 2

OpenClaw versions prior to 2026

Runtipi is a personal homeserver orchestrator

Outline is a service that allows for collaborative documentation

Edimax GS-5008PL firmware version 1

A flaw was found in Keycloak

Wowza Streaming Engine 4

PX4 autopilot is a flight control solution for drones

GStreamer H

GStreamer H

GStreamer H

A Code Injection vulnerability affecting SOLIDWORKS Desktop from Release 2025 through Release 2026 could allow an attacker to execute arbitrary code on the user's machine while opening a specially crafted file

A local attacker can bypass OpenEDR's 2

An out‑of‑bounds write vulnerability exists in the EMF functionality of Canva Affinity

A type confusion vulnerability exists in the EMF functionality of Canva Affinity

Improper trust boundary enforcement in Kiro IDE before version 0

arduino-TuyaOpen before version 1

A flaw was found in Keycloak

Mattermost Plugins versions <=2

IncusOS is an immutable OS image dedicated to running Incus

Qool CMS contains multiple persistent cross-site scripting vulnerabilities in several administrative scripts where POST parameters are not properly sanitized before being stored and returned to users

Serviio PRO 1

Serviio PRO 1

A command injection vulnerability exists in mlflow/mlflow versions before v3

Mattermost versions 11

IceWarp collaboration Directory Traversal Information Disclosure Vulnerability

Go ShangMi (Commercial Cryptography) Library (GMSM) is a cryptographic library that covers the Chinese commercial cryptographic public algorithms SM2/SM3/SM4/SM9/ZUC

An issue in GoBGP gobgpd v

Doom Launcher 3

The GL-iNet Comet (GL-RM1) KVM web interface does not limit login requests, enabling brute-force attempts to guess credentials

JetKVM before 0

A path traversal vulnerability was identified in Ray Dashboard (default port 8265) in Ray versions prior to 2

A high-severity vulnerability has been identified in IBM i version 7, requiring immediate vendor-supplied security updates to mitigate risk.