Aggregator

Submit #771242 / VDB-351159

Submit #771241 / VDB-351159

Submit #771239 / VDB-351159

Submit #771240 / VDB-351158

A vulnerability was found in Tiandy Integrated Management Platform 7.17.0. It has been declared as critical. Affected by this issue is some unknown functionality of the file /rest/user/getAuthorityByUserId. Executing a manipulation of the argument userId can lead to sql injection. The identification of this vulnerability is CVE-2026-4232. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #771238 / VDB-351157

A vulnerability was found in vanna-ai vanna up to 2.0.2. It has been classified as critical. Affected by this vulnerability is the function update_sql/run_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Performing a manipulation results in server-side request forgery. This vulnerability was named CVE-2026-4231. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in vanna-ai vanna up to 2.0.2 and classified as critical. Affected is the function update_sql of the file src/vanna/legacy/flask/__init__.py of the component Endpoint. Such manipulation leads to sql injection. This vulnerability is uniquely identified as CVE-2026-4230. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in vanna-ai vanna up to 2.0.2 and classified as critical. This impacts the function remove_training_data of the file src/vanna/legacy/google/bigquery_vector.py. This manipulation of the argument ID causes sql injection. This vulnerability is handled as CVE-2026-4229. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #771234 / VDB-351156

Submit #771216 / VDB-351155

A vulnerability, which was classified as critical, was found in LB-LINK BL-WR9000 2.4.9. This affects the function sub_458754 of the file /goform/set_wifi. The manipulation results in command injection. This vulnerability is known as CVE-2026-4228. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in LB-LINK BL-WR9000 2.4.9. The impacted element is the function sub_44D844 of the file /goform/get_hidessid_cfg. The manipulation leads to buffer overflow. This vulnerability is traded as CVE-2026-4227. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in LB-LINK BL-WR9000 2.4.9. The affected element is the function sub_44E8D0 of the file /goform/get_virtual_cfg. Executing a manipulation can lead to stack-based buffer overflow. This vulnerability appears as CVE-2026-4226. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #771217 / VDB-351154

Submit #771215 / VDB-351153

Submit #771214 / VDB-351152

A vulnerability classified as problematic has been found in CMS Made Simple up to 2.2.21. Impacted is an unknown function of the file admin/listusers.php of the component User Management Module. Performing a manipulation of the argument Message results in cross site scripting. This vulnerability is reported as CVE-2026-4225. The attack is possible to be carried out remotely. Moreover, an exploit is present.

Submit #771210 / VDB-351151

Submit #771209 / VDB-351150