Aggregator

Submit #808421 / VDB-361907

Submit #808420 / VDB-361906

A vulnerability was found in SourceCodester Pizzafy Ecommerce System 1.0 and classified as problematic. This issue affects some unknown processing of the file /admin/index.php. Such manipulation of the argument page leads to cross site scripting. This vulnerability is traded as CVE-2026-8117. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in huangjunsen0406 xiaozhi-mcphub up to 1.0.3 and classified as critical. This vulnerability affects unknown code of the file src/controllers/dxtController.ts. This manipulation of the argument manifest.name causes path traversal. This vulnerability appears as CVE-2026-8116. The attack may be initiated remotely. In addition, an exploit is available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability, which was classified as problematic, was found in gyoridavid short-video-maker up to 1.3.4. This affects an unknown part of the file src/server/routers/rest.ts of the component REST API. The manipulation of the argument req.params.tmpFile results in path traversal. This vulnerability is reported as CVE-2026-8115. The attack can be launched remotely. Moreover, an exploit is present. The project was informed of the problem early through an issue report but has not responded yet.

根据 Counterpoint Research 的报告，虽然因内存和储存价格飙升而导致手机价格上涨销量下滑，但 2026年一季度全球智能手机市场营收同比增长 8% 达到 1170 亿美元，平均售价同比上涨 12% 达到 399 美元，创下第一季度历史新高。苹果在 2026 年第一季度营收同比增长 22%，在前五大智能手机品牌中增速最快，同时也创下第一季度营收的历史新高。苹果首次于第一季度在全球智能手机市场出货量位居第一，市占率达 21%。三星在 2026 年第一季度的营收和出货量均位居第二。小米一季度出货量同比下降 19%，营收同比下降 18%。OPPO 和 vivo 分别位列 2026 年第一季度营收排名的第四和第五。

A threat actor claims to be selling a 2.47GB CSV database from real estate platform homes.at.world, totaling 7,023,773 lines split between 4,883,773 agent records and 2,140,000 investor records.

Submit #808344 / VDB-360119

Submit #808327 / VDB-361905

A vulnerability, which was classified as critical, has been found in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. This vulnerability is documented as CVE-2026-8114. The attack can be initiated remotely. Additionally, an exploit exists. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved."

Submit #808297 / VDB-359827

Submit #808260 / VDB-361904

Submit #808258 / VDB-361903

A vulnerability classified as critical was found in 8421bit MiniClaw up to 43905b934cf76489ab28e4d17da28ee97970f91f. Affected by this vulnerability is the function isPathInside of the file src/kernel.ts of the component executeSkillScript. Executing a manipulation can lead to path traversal. This vulnerability is registered as CVE-2026-8113. It is possible to launch the attack remotely. Furthermore, an exploit is available. This product takes the approach of rolling releases to provide continious delivery. Therefore, version details for affected and updated releases are not available. It is advisable to implement a patch to correct this issue.

A vulnerability classified as critical has been found in 8421bit MiniClaw up to 223c16a1088e138838dcbd18cd65a37c35ac5a84. Affected is the function executeCognitivePulse of the file src/kernel.ts. Performing a manipulation results in os command injection. This vulnerability is cataloged as CVE-2026-8112. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. This product is using a rolling release to provide continious delivery. Therefore, no version details for affected nor updated releases are available. To fix this issue, it is recommended to deploy a patch.

Submit #808186 / VDB-361902

Submit #808185 / VDB-359948

Submit #808167 / VDB-361901

Submit #808166 / VDB-361900

A vulnerability described as problematic has been identified in Krayin CRM 2.1.5. This impacts an unknown function of the file /admin/activities/create. Such manipulation of the argument Comment leads to cross site scripting. This vulnerability is listed as CVE-2026-36341. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended.