Aggregator

A vulnerability was found in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. It has been declared as critical. This vulnerability affects the function Upload of the file business/business-system/src/main/java/com/glowxq/system/admin/controller/SysFileController.java. Executing a manipulation can lead to unrestricted upload. This vulnerability is tracked as CVE-2026-4201. The attack can be launched remotely. Moreover, an exploit is present. This product does not use versioning. This is why information about affected and unaffected releases are unavailable. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in glowxq glowxq-oj up to 6f7c723090472057252040fd2bbbdaa1b5ed2393. It has been classified as critical. This affects the function uploadTestcaseZipUrl of the file business/business-oj/src/main/java/com/glowxq/oj/problem/controller/ProblemCaseController.java. Performing a manipulation results in server-side request forgery. This vulnerability is identified as CVE-2026-4200. The attack can be initiated remotely. Additionally, an exploit exists. Continious delivery with rolling releases is used by this product. Therefore, no version details of affected nor updated releases are available. The vendor was contacted early about this disclosure but did not respond in any way.

包场 AWE 的追觅，用百万台销量建立洗地机市场的「高端局」。

A vulnerability was found in bazinga012 mcp_code_executor up to 0.3.0 and classified as critical. Affected by this issue is the function installDependencies of the file src/index.ts. Such manipulation leads to command injection. This vulnerability is referenced as CVE-2026-4199. The attack can only be performed from a local environment. Furthermore, an exploit is available. It is best practice to apply a patch to resolve this issue. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability has been found in hypermodel-labs mcp-server-auto-commit 1.0.0 and classified as critical. Affected by this vulnerability is the function getGitChanges of the file index.ts. This manipulation causes command injection. The identification of this vulnerability is CVE-2026-4198. The attack can only be executed locally. Furthermore, there is an exploit available. Applying a patch is the recommended action to fix this issue. The project was informed of the problem early through an issue report but has not responded yet.

Submit #770477 / VDB-351113

Submit #770476 / VDB-351112

A vulnerability has been found in hypermodel-labs mcp-server-auto-commit 1.0.0 and classified as critical. Affected by this vulnerability is the function getGitChanges of the file index.ts. This manipulation causes command injection. The identification of this vulnerability is CVE-2026-4198. The attack can only be executed locally. Furthermore, there is an exploit available. Applying a patch is the recommended action to fix this issue. The project was informed of the problem early through an issue report but has not responded yet.

Submit #770424 / VDB-351111

Submit #770421 / VDB-351110

A vulnerability, which was classified as critical, was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Affected is the function RSS_Get_Update_Status/RSS_Update/RSS_Channel_AutoDownlaod/RSS_Add/RSS_Channel_Item_Downlaod/RSS_History_Item_List/RSS_Item_List of the file /cgi-bin/download_mgr.cgi. The manipulation results in command injection. This vulnerability was named CVE-2026-4197. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability, which was classified as critical, has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This impacts the function cgi_recovery/cgi_backup_now/cgi_set_schedule/cgi_set_rsync_server of the file /cgi-bin/remote_backup.cgi. The manipulation leads to command injection. This vulnerability is uniquely identified as CVE-2026-4196. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability classified as critical was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This affects an unknown function of the file /cgi-bin/wizard_mgr.cgi. Executing a manipulation can lead to command injection. This vulnerability is handled as CVE-2026-4195. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability classified as critical has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_set_wto of the file /cgi-bin/system_mgr.cgi. Performing a manipulation results in improper access controls. This vulnerability is known as CVE-2026-4194. Remote exploitation of the attack is possible. Furthermore, an exploit is available. It is suggested to use restrictive firewalling.

Submit #769870 / VDB-351109

Submit #769869 / VDB-351109

Submit #769868 / VDB-351109

Submit #769867 / VDB-351109

Submit #769866 / VDB-351109

Submit #769865 / VDB-351109