VulDB Recent Entries

A vulnerability was found in WeKan up to 8.18. It has been rated as critical. The affected element is an unknown function of the file server/routes/attachmentApi.js of the component Attachment Upload API. This manipulation causes incorrect authorization. This vulnerability is handled as CVE-2026-25561. The attack can be initiated remotely. There is not any exploit available. Upgrading the affected component is advised.

A vulnerability was found in WeKan up to 8.18. It has been declared as critical. Impacted is an unknown function of the file packages/wekan-ldap/server/ldap.js. The manipulation results in ldap injection. This vulnerability is known as CVE-2026-25560. It is possible to launch the attack remotely. No exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in WeKan up to 8.18. It has been classified as critical. This issue affects some unknown processing of the file models/boards.js. The manipulation leads to incorrect authorization. This vulnerability is traded as CVE-2026-25568. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is recommended.

A vulnerability was found in WeKan up to 8.19 and classified as problematic. This vulnerability affects unknown code of the component Migration Operation Handler. Executing a manipulation can lead to incorrect authorization. This vulnerability appears as CVE-2026-25859. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability has been found in macrozheng mall up to 1.0.3 and classified as critical. This affects an unknown part. Performing a manipulation results in weak password recovery. This vulnerability is reported as CVE-2026-25858. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability, which was classified as critical, was found in Tenda G300-F up to 16.01.14.2. Affected by this issue is the function formSetWanDiag of the component Management Interface. Such manipulation leads to os command injection. This vulnerability is documented as CVE-2026-25857. The attack can be executed remotely. There is not any exploit available.

A vulnerability, which was classified as critical, has been found in Tenda AC8 16.03.33.05. Affected by this vulnerability is an unknown functionality of the file /goform/fast_setting_wifi_set of the component Embedded Httpd Service. This manipulation of the argument timeZone causes buffer overflow. This vulnerability is registered as CVE-2026-2203. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability classified as critical was found in Tenda AC8 16.03.33.05. Affected is the function fromSetWifiGusetBasic of the file /goform/WifiGuestSet of the component httpd. The manipulation of the argument shareSpeed results in buffer overflow. This vulnerability is cataloged as CVE-2026-2202. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability classified as problematic has been found in ZeroWdd studentmanager up to 2151560fc0a50ec00426785ec1e01a3763b380d9. This impacts the function addLeave of the file src/main/java/com/wdd/studentmanager/controller/LeaveController.java. The manipulation of the argument Reason for Leave leads to cross site scripting. This vulnerability is listed as CVE-2026-2201. The attack may be initiated remotely. In addition, an exploit is available. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The code repository of the project has not been active for many years.

A vulnerability described as problematic has been identified in heyewei JFinalCMS 5.0.0. This affects an unknown function of the file /admin/admin/save of the component API Endpoint. Executing a manipulation can lead to cross site scripting. This vulnerability is tracked as CVE-2026-2200. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability marked as critical has been reported in code-projects Online Reviewer System 1.0. The impacted element is an unknown function of the file /reviewer/system/system/admins/manage/users/user-delete.php. Performing a manipulation of the argument ID results in sql injection. This vulnerability is identified as CVE-2026-2199. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability labeled as critical has been found in code-projects Online Reviewer System 1.0. The affected element is an unknown function of the file /system/system/admins/assessments/pretest/loaddata.php. Such manipulation of the argument difficulty_id leads to sql injection. This vulnerability is referenced as CVE-2026-2198. It is possible to launch the attack remotely. Furthermore, an exploit is available.

A vulnerability identified as critical has been detected in code-projects Online Reviewer System 1.0. Impacted is an unknown function of the file /system/system/admins/assessments/pretest/exam-delete.php. This manipulation of the argument test_id causes sql injection. The identification of this vulnerability is CVE-2026-2197. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability categorized as critical has been discovered in code-projects Online Reviewer System 1.0. This issue affects some unknown processing of the file /system/system/admins/assessments/pretest/exam-update.php. The manipulation of the argument test_id results in sql injection. This vulnerability was named CVE-2026-2196. The attack may be performed from remote. In addition, an exploit is available.

A vulnerability was found in code-projects Online Reviewer System 1.0. It has been rated as critical. This vulnerability affects unknown code of the file /system/system/admins/assessments/pretest/questions-view.php. The manipulation of the argument ID leads to sql injection. This vulnerability is uniquely identified as CVE-2026-2195. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability was found in D-Link DI-7100G C1 24.04.18D1. It has been declared as critical. This affects the function start_proxy_client_email. Executing a manipulation can lead to command injection. This vulnerability is handled as CVE-2026-2194. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in D-Link DI-7100G C1 24.04.18D1. It has been classified as critical. Affected by this issue is the function set_jhttpd_info. Performing a manipulation of the argument usb_username results in command injection. This vulnerability is known as CVE-2026-2193. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in Tenda AC9 15.03.06.42_multi and classified as critical. Affected by this vulnerability is the function formGetRebootTimer. Such manipulation of the argument sys.schedulereboot.start_time/sys.schedulereboot.end_time leads to stack-based buffer overflow. This vulnerability is traded as CVE-2026-2192. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in Tenda AC9 15.03.06.42_multi and classified as critical. Affected is the function formGetDdosDefenceList. This manipulation of the argument security.ddos.map causes stack-based buffer overflow. This vulnerability appears as CVE-2026-2191. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability, which was classified as critical, was found in itsourcecode School Management System 1.0. This impacts an unknown function of the file /ramonsys/user/controller.php. The manipulation of the argument ID results in sql injection. This vulnerability is reported as CVE-2026-2190. The attack can be launched remotely. Moreover, an exploit is present.