Aggregator

CVE-2026-4500 | bagofwords1 bagofwords up to 0.0.297 code_execution.py generate_df injection (Issue 60)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability was found in bagofwords1 bagofwords up to 0.0.297. It has been declared as critical. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. This vulnerability is traded as CVE-2026-4500. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.
vuldb.com

Google slows Android sideloading to trip up scammers

Help Net Security
2 months 2 weeks ago

Google’s advanced flow for Android changes how apps from unverified developers are installed, adding steps to reduce scam-driven sideloading. The feature is aimed at experienced users and allows sideloading through a controlled, one-time setup. It addresses scam scenarios where attackers pressure individuals to install malicious software. In these cases, scammers often stay on the phone and guide victims step by step, pushing them to bypass security warnings and disable protections before they can pause or … More →

The post Google slows Android sideloading to trip up scammers appeared first on Help Net Security.

Anamarija Pogorelec

CVE-2026-33135 | LabRedesCefetRJ WeGIA up to 3.6.6 novo_memorandoo.php msg cross site scripting (GHSA-w5rv-5884-w94v)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.6. It has been classified as problematic. This affects an unknown function of the file /html/memorando/novo_memorandoo.php. This manipulation of the argument msg causes cross site scripting. This vulnerability appears as CVE-2026-33135. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.
vuldb.com

CVE-2026-33134 | LabRedesCefetRJ WeGIA up to 3.6.5 GET Parameter restaurar_produto.php id_produto sql injection (GHSA-qg95-x997-66wq)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.5 and classified as critical. The impacted element is an unknown function of the file html/matPat/restaurar_produto.php of the component GET Parameter Handler. The manipulation of the argument id_produto results in sql injection. This vulnerability is reported as CVE-2026-33134. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.
vuldb.com

CVE-2026-33132 | Zitadel up to 3.4.8/4.12.2 API V2 Endpoint authorization (GHSA-g2pf-ww5m-2r9m)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability has been found in Zitadel up to 3.4.8/4.12.2 and classified as problematic. The affected element is an unknown function of the component API V2 Endpoint. The manipulation leads to incorrect authorization. This vulnerability is documented as CVE-2026-33132. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.
vuldb.com

CVE-2026-33136 | LabRedesCefetRJ WeGIA up to 3.6.6 Memorando listar_memorandos_ativos.php msg cross site scripting (GHSA-xjqp-5q3h-2cxh)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability, which was classified as problematic, was found in LabRedesCefetRJ WeGIA up to 3.6.6. Impacted is an unknown function of the file /html/memorando/listar_memorandos_ativos.php of the component Memorando Module. Executing a manipulation of the argument msg can lead to cross site scripting. This vulnerability is registered as CVE-2026-33136. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.
vuldb.com

CVE-2026-32595 | Traefik up to 2.11.40/3.6.10 timing discrepancy (GHSA-g3hg-j4jv-cwfr)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability, which was classified as problematic, has been found in Traefik up to 2.11.40/3.6.10. This issue affects some unknown processing. Performing a manipulation results in observable timing discrepancy. This vulnerability is cataloged as CVE-2026-32595. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.
vuldb.com

CVE-2026-33131 | h3js h3 up to 2.0.0-0/2.0.1-rc.14/2.0.1-rc.15 Host event.url/event.url.hostname/event.url._url authentication spoofing (GHSA-3vj8-jmxq-cgj5)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability classified as critical was found in h3js h3 up to 2.0.0-0/2.0.1-rc.14/2.0.1-rc.15. This vulnerability affects unknown code of the component Host Handler. Such manipulation of the argument event.url/event.url.hostname/event.url._url leads to authentication bypass by spoofing. This vulnerability is listed as CVE-2026-33131. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.
vuldb.com

CVE-2026-32305 | Traefik up to 2.11.40/3.6.10 TLS Configuration improper authentication (GHSA-wvvq-wgcr-9q48)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability described as critical has been identified in Traefik up to 2.11.40/3.6.10. Affected by this issue is some unknown functionality of the component TLS Configuration Handler. The manipulation results in improper authentication. This vulnerability is identified as CVE-2026-32305. The attack can be executed remotely. There is not any exploit available. Upgrading the affected component is recommended.
vuldb.com

CVE-2026-33133 | LabRedesCefetRJ WeGIA up to 3.6.6 SQL File Parser loadBackupDB sql injection (GHSA-qqff-p8fc-hg5f)

VulDB Recent Entries
2 months 2 weeks ago
A vulnerability marked as critical has been reported in LabRedesCefetRJ WeGIA up to 3.6.6. Affected by this vulnerability is the function loadBackupDB of the component SQL File Parser. The manipulation leads to sql injection. This vulnerability is referenced as CVE-2026-33133. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.
vuldb.com

Terminated contract led to $2.5 million cyber extortion scheme

Help Net Security
2 months 2 weeks ago

A federal jury convicted Cameron Curry, 27, a Charlotte resident, of carrying out an extensive cyber extortion scheme targeting a Washington, D.C.-based international technology company. He faces up to two years in prison on each of the six charges. Curry, who worked as a data analyst for about six months with the victim company and had access to its data files and internal personnel and corporate information, began the scheme after learning his contract would … More →

The post Terminated contract led to $2.5 million cyber extortion scheme appeared first on Help Net Security.

Sinisa Markovic

Managed ad