VulDB Recent Entries

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been rated as critical. This impacts an unknown function of the file /goform/form2Wl5RepeaterStep2.cgi of the component goahead. This manipulation of the argument key1/key2/key3/key4/pskValue causes stack-based buffer overflow. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is registered as CVE-2026-4182. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been declared as critical. This affects an unknown function of the file /goform/form2RepeaterStep2.cgi of the component goahead. The manipulation of the argument key1/key2/key3/key4/pskValue results in stack-based buffer overflow. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is cataloged as CVE-2026-4181. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in D-Link DIR-816 1.10CNB05. It has been classified as critical. The impacted element is an unknown function of the file redirect.asp of the component goahead. The manipulation of the argument token_id leads to improper access controls. This vulnerability only affects products that are no longer supported by the maintainer. This vulnerability is listed as CVE-2026-4180. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability was found in Aureus ERP up to 1.3.0-BETA2 and classified as problematic. The affected element is an unknown function of the file plugins/webkul/chatter/resources/views/filament/infolists/components/messages/content-text-entry.blade.php of the component Chatter Message Handler. Executing a manipulation of the argument subject/body can lead to cross site scripting. This vulnerability is tracked as CVE-2026-4175. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability has been found in thimpress Thim Kit for Elementor Plugin up to 1.3.7 on WordPress and classified as problematic. Impacted is an unknown function of the file /thim-ekit/archive-course/get-courses of the component REST Endpoint. Performing a manipulation of the argument post_status results in missing authorization. This vulnerability is identified as CVE-2026-1870. The attack can be initiated remotely. There is not any exploit available.

A vulnerability, which was classified as problematic, was found in Radare2 5.9.9. This issue affects the function walk_exports_trie of the file libr/bin/format/mach0/mach0.c of the component Mach-O File Parser. Such manipulation leads to resource consumption. This vulnerability is referenced as CVE-2026-4174. The attack can only be performed from a local environment. Furthermore, an exploit is available. The existence of this vulnerability is still disputed at present. You should upgrade the affected component. The code maintainer states that, "[he] wont consider this bug a DoS".

A vulnerability, which was classified as critical, has been found in CodePhiliaX Chat2DB up to 0.3.7. This vulnerability affects the function exportTable/exportTableColumnComment/exportView/exportProcedure/exportTriggers/exportTrigger/updateProcedure of the file DMDBManage.java of the component Database Export Handler. This manipulation causes sql injection. The identification of this vulnerability is CVE-2026-4173. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in TRENDnet TEW-632BRP 1.010B32. This affects an unknown part of the file /ping_response.cgi of the component HTTP POST Request Handler. The manipulation of the argument ping_ipaddr results in stack-based buffer overflow. This vulnerability was named CVE-2026-4172. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in CodeGenieApp serverless-express up to 4.17.1. Affected by this issue is some unknown functionality of the file examples/lambda-function-url/packages/api/models/TodoList.ts of the component API Endpoint. The manipulation of the argument userId leads to authorization bypass. This vulnerability is uniquely identified as CVE-2026-4171. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as critical has been identified in Topsec TopACM 3.0. Affected by this vulnerability is an unknown functionality of the file /view/systemConfig/management/nmc_sync.php of the component HTTP Request Handler. Executing a manipulation of the argument template_path can lead to os command injection. This vulnerability is handled as CVE-2026-4170. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability marked as problematic has been reported in Tecnick TCExam up to 16.6.0. Affected is the function F_xml_export_users of the file admin/code/tce_xml_users.php of the component XML Export. Performing a manipulation results in cross site scripting. This vulnerability is known as CVE-2026-4169. Remote exploitation of the attack is possible. No exploit is available. There are still doubts about whether this vulnerability truly exists. It is suggested to upgrade the affected component. When the vendor was informed about another security issue, he identified and fixed this flaw during analysis. He doubts the impact of this: "However, this is difficult to justify as security issue. It requires to be administrator to both create and consume the exploit. Administrators can do pretty much anything in the platform, so I don't see the point of this from a security perspective." This is reflected by the CVSS vector.

A vulnerability labeled as problematic has been found in Tecnick TCExam 16.5.0. This impacts an unknown function of the file /admin/code/tce_edit_group.php of the component Group Handler. Such manipulation of the argument Name leads to cross site scripting. This vulnerability is traded as CVE-2026-4168. The attack may be launched remotely. Furthermore, there is an exploit available. The presence of this vulnerability remains uncertain at this time. The affected component should be upgraded. The vendor explained: "I was not able to reproduce the same exploit as the TCExam version was already advanced in the meanwhile." Therefore, it can be assumed that this issue got fixed in a later release.

A vulnerability identified as critical has been detected in Belkin F9K1122 1.00.33. This affects the function formReboot of the file /goform/formReboot. This manipulation of the argument webpage causes stack-based buffer overflow. This vulnerability appears as CVE-2026-4167. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability categorized as problematic has been discovered in Wavlink WL-NU516U1 240425. The impacted element is the function sub_404F68 of the file /cgi-bin/login.cgi. The manipulation of the argument homepage/hostname results in cross site scripting. This vulnerability is reported as CVE-2026-4166. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure.

A vulnerability was found in Worksuite HR, CRM and Project Management up to 5.5.25. It has been rated as problematic. The affected element is an unknown function of the file /account/orders/create. The manipulation of the argument Client Note leads to cross site scripting. This vulnerability is documented as CVE-2026-4165. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability was found in Wavlink WL-WN578W2 221110. It has been declared as critical. Impacted is the function Delete_Mac_list/SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Executing a manipulation can lead to command injection. This vulnerability is registered as CVE-2026-4164. It is possible to launch the attack remotely. Furthermore, an exploit is available. It is recommended to upgrade the affected component.

A vulnerability was found in Wavlink WL-WN579A3 220323. It has been classified as critical. This issue affects the function SetName/GuestWifi of the file /cgi-bin/wireless.cgi of the component POST Request Handler. Performing a manipulation results in command injection. This vulnerability is cataloged as CVE-2026-4163. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. Upgrading the affected component is recommended.

A vulnerability was found in Apache Spark up to 3.5.6/4.0.0 and classified as critical. This vulnerability affects unknown code. Such manipulation leads to privilege escalation. This vulnerability is listed as CVE-2025-54920. The attack may be performed from remote. There is no available exploit. It is suggested to upgrade the affected component.

A vulnerability has been found in webaways NEX-Forms Plugin up to 9.1.9 on WordPress and classified as critical. This affects the function deactivate_license. This manipulation causes missing authorization. This vulnerability is tracked as CVE-2026-1948. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability, which was classified as problematic, was found in angular up to 19.2.19/20.3.17/21.2.3. Affected by this issue is some unknown functionality. The manipulation results in cross site scripting. This vulnerability is identified as CVE-2026-32635. The attack can be executed remotely. There is not any exploit available. You should upgrade the affected component.