Aggregator

A vulnerability, which was classified as critical, has been found in GNU inetutils up to 2.7. The impacted element is an unknown function of the component telnetd. Performing a manipulation of the argument CREDENTIALS_DIRECTORY results in inclusion of functionality from untrusted control sphere. This vulnerability is cataloged as CVE-2026-28372. The attack must be initiated from a local position. There is no exploit available.

A vulnerability was found in Doditsolutions Homey BNB V4. It has been classified as critical. This affects an unknown part of the file admin/getrecord.php. The manipulation of the argument val leads to sql injection. This vulnerability is referenced as CVE-2019-25493. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability labeled as critical has been found in Doditsolutions Homey BNB V4. The impacted element is an unknown function of the file admin/edit.php. Executing a manipulation of the argument ID can lead to sql injection. This vulnerability is registered as CVE-2019-25490. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability classified as critical was found in Doditsolutions Homey BNB V4. Affected by this vulnerability is an unknown functionality of the file admin/cms_getpagetitle.php. Such manipulation of the argument catid leads to sql injection. This vulnerability is traded as CVE-2019-25491. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in Doditsolutions Homey BNB V4. Affected by this issue is some unknown functionality of the file admin/getcmsdata.php. Performing a manipulation of the argument pt results in sql injection. This vulnerability is known as CVE-2019-25492. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability, which was classified as critical, was found in Doditsolutions Homey BNB V4. Impacted is an unknown function of the file rooms/ajax_refresh_subtotal. The manipulation of the argument hosting_id results in sql injection. This vulnerability is known as CVE-2019-25489. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability was found in OCaml up to 4.14.2/5.4.0 and classified as problematic. Affected is the function readblock of the file runtime/intern.c of the component Marshal Handler. The manipulation results in buffer over-read. This vulnerability is reported as CVE-2026-28364. The attack requires a local approach. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in chainguard-forks kaniko up to 1.25.9. This affects an unknown function. The manipulation results in path traversal. This vulnerability is identified as CVE-2026-28406. The attack can be executed remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability, which was classified as critical, has been found in go-vikunja vikunja up to 2.0.x. This issue affects some unknown processing of the component Authentication Control Handler. The manipulation leads to incomplete cleanup. This vulnerability is traded as CVE-2026-28268. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability was found in bufanyun HotGo up to 2.0 and classified as critical. This issue affects the function ImageTransferStorage of the file /server/internal/logic/common/upload.go of the component Endpoint. The manipulation results in server-side request forgery. This vulnerability is cataloged as CVE-2026-3683. The attack may be launched remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in welovemedia FFmate up to 2.0.15 and classified as critical. This vulnerability affects the function Execute of the file /internal/service/ffmpeg/ffmpeg.go. The manipulation leads to argument injection. This vulnerability is listed as CVE-2026-3682. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in welovemedia FFmate up to 2.0.15. This affects the function fireWebhook of the file /internal/service/webhook/webhook.go. Executing a manipulation can lead to server-side request forgery. This vulnerability is tracked as CVE-2026-3681. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

Submit #765588 / VDB-349585

A vulnerability, which was classified as critical, has been found in RyuzakiShinji biome-mcp-server up to 1.0.0. Affected by this issue is some unknown functionality of the file biome-mcp-server.ts. Performing a manipulation results in command injection. This vulnerability is identified as CVE-2026-3680. The attack can be initiated remotely. Additionally, an exploit exists. Applying a patch is the recommended action to fix this issue.

Submit #765587 / VDB-349584

Submit #765558 / VDB-349583

A vulnerability classified as critical was found in Tenda FH451 1.0.0.9. Affected by this vulnerability is the function formQuickIndex of the file /goform/QuickIndex. Such manipulation of the argument mit_linktype/PPPOEPassword leads to stack-based buffer overflow. This vulnerability is referenced as CVE-2026-3679. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability classified as critical has been found in Tenda FH451 1.0.0.9. Affected is the function sub_3C434 of the file /goform/AdvSetWan. This manipulation of the argument wanmode/PPPOEPassword causes stack-based buffer overflow. The identification of this vulnerability is CVE-2026-3678. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability described as critical has been identified in Tenda FH451 1.0.0.9. This impacts the function fromSetCfm of the file /goform/setcfm. The manipulation of the argument funcname/funcpara1 results in stack-based buffer overflow. This vulnerability was named CVE-2026-3677. The attack may be performed from remote. In addition, an exploit is available.

Submit #765399 / VDB-349582