Aggregator

CVE-2026-4170 | Topsec TopACM 3.0 HTTP Request nmc_sync.php template_path os command injection (EUVD-2026-12214)

VulDB Recent Entries
1 month 1 week ago
A vulnerability described as critical has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection. This vulnerability is handled as CVE-2026-4170. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

GlassWorm Supply-Chain Attack Abuses 72 Open VSX Extensions to Target Developers

The Hackers News
1 month 1 week ago
Cybersecurity researchers have flagged a new iteration of the GlassWorm campaign that they say represents a "significant escalation" in how it propagates through the Open VSX registry. "Instead of requiring every malicious listing to embed the loader directly, the threat actor is now abusing extensionPack and extensionDependencies to turn initially standalone-looking extensions into transitive
The Hacker News

CVE-2026-4169 | Tecnick TCExam up to 16.6.0 XML Export tce_xml_users.php F_xml_export_users cross site scripting (EUVD-2026-12213)

VulDB Recent Entries
1 month 1 week ago
A vulnerability marked as problematic has been reported in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. This vulnerability is known as CVE-2026-4169. Remote exploitation of the attack is possible. No exploit is available. There are still doubts about whether this vulnerability truly exists. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.
vuldb.com

CVE-2026-4168 | Tecnick TCExam 16.5.0 Group tce_edit_group.php Name cross site scripting (EUVD-2026-12212)

VulDB Recent Entries
1 month 1 week ago
A vulnerability labeled as problematic has been found in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. This vulnerability is traded as CVE-2026-4168. The attack may be launched remotely. Furthermore, there is an exploit available. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release.
vuldb.com

CVE-2026-4167 | Belkin F9K1122 1.00.33 /goform/formReboot webpage stack-based overflow (EUVD-2026-12210)

VulDB Recent Entries
1 month 1 week ago
A vulnerability identified as critical has been detected in Belkin F9K1122 1.00.33. This affects the function formReboot of the file /goform/formReboot. This manipulation of the argument webpage causes stack-based buffer overflow. This vulnerability appears as CVE-2026-4167. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.
vuldb.com

CVE-2026-4166 | Wavlink WL-NU516U1 240425 /cgi-bin/login.cgi sub_404F68 homepage/hostname cross site scripting (EUVD-2026-12208)

VulDB Recent Entries
1 month 1 week ago
A vulnerability categorized as problematic has been discovered in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. This vulnerability is reported as CVE-2026-4166. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure.
vuldb.com

CVE-2026-4165 | Worksuite HR, CRM and Project Management up to 5.5.25 /account/orders/create Client Note cross site scripting (EUVD-2026-12207)

VulDB Recent Entries
1 month 1 week ago
A vulnerability was found in Worksuite HR, CRM and Project Management up to 5.5.25. It has been rated as problematic. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. This vulnerability is documented as CVE-2026-4165. The attack can be initiated remotely. Additionally, an exploit exists.
vuldb.com

Managed ad