A vulnerability marked as problematic has been reported in JeecgBoot up to 3.9.2. Impacted is the function HttpServletResponse.sendRedirect of the file jeecg-module-system/jeecg-system-biz/src/main/java/org/jeecg/modules/system/controller/ThirdLoginController.java of the component Third-Party Login. Manipulating the argument state causes an open redirect.
This vulnerability is handled as CVE-2026-11502. The attack can be initiated remotely. Additionally, an exploit exists.
The project replied: "After evaluation, this vulnerability has low exploitability in real-world scenarios: 1) Exploiting this vulnerability requires attackers to use social engineering techniques to induce victims to actively click on an OAuth login link constructed by the attacker; it cannot be triggered passively. 2) Third-party login (DingTalk/WeChat, etc.) is an optional feature and may not be enabled in most projects."
A vulnerability categorized as critical has been discovered in Linux Kernel up to 5.10.179/5.15.110/6.1.27/6.2.14/6.3.1. This affects the function intel_get_crtc_new_encoder of the component i915. Manipulation can lead to a state issue.
This vulnerability is handled as CVE-2023-53571. The attack can only be carried out within the local network. No exploit is available.
It is advisable to upgrade the affected component.
A vulnerability was found in Linux Kernel up to 5.15.86/6.0.16/6.1.2. It has been declared as critical. Affected by this issue is the function run_unpack of the component ntfs3. Manipulation can lead to a use after free.
This vulnerability is registered as CVE-2022-50507. The attack requires access to the local network. No exploit is available.
It is recommended to upgrade the affected component.
A vulnerability was found in Linux Kernel up to 5.4.228/5.10.162/5.15.85/6.0.15/6.1.1. It has been declared as critical. This issue affects the function power_supply_get_battery_info of the component power. Manipulation can lead to a null pointer dereference.
The identification of this vulnerability is CVE-2022-50276. The attack needs to be done within the local network. There is no exploit available.
It is recommended to upgrade the affected component.
A vulnerability, which was classified as critical, has been found in Linux Kernel up to 5.10.162/5.15.85/6.0.15/6.1.1. Affected is the function snr_uncore_mmio_map. The manipulation leads to an improper update of a reference count.
This vulnerability is referenced as CVE-2022-50615. The attack needs to be initiated within the local network. No exploit is available.
It is advisable to upgrade the affected component.
A vulnerability identified as critical has been detected in Linux Kernel up to 5.4.250/5.10.187/5.15.149/6.1.41/6.4.6. Affected by this issue is the function devlink_port_type_warn of the file net/devlink/leftover.c of the component devlink. The manipulation leads to a state issue.
This vulnerability is listed as CVE-2023-53841. The attack must be carried out from within the local network. There is no available exploit.
You should upgrade the affected component.
A vulnerability was found in Linux Kernel up to 6.1.3 and classified as critical. This vulnerability affects the function ext4_xattr_block_set of the component ext4. Such manipulation leads to an improper update of a reference count.
This vulnerability is listed as CVE-2022-50668. The attack must be carried out from within the local network. There is no available exploit.
It is suggested to upgrade the affected component.
A vulnerability classified as critical was found in Linux Kernel up to 6.1.55/6.5.4. This issue affects the function multipath_message. Such manipulation leads to a use after free.
This vulnerability is referenced as CVE-2023-54324. The attack needs to be initiated within the local network. No exploit is available.
Upgrading the affected component is advised.
A vulnerability was found in Linux Kernel up to 5.10.187/5.15.149/6.4.6. It has been declared as critical. The affected element is the function filter_irq_stacks in the file lib/stackdepot.c. Manipulation can lead to missing initialization of a variable.
This vulnerability is handled as CVE-2023-54322. The attack can only be carried out within the local network. No exploit is available.
It is recommended to upgrade the affected component.
A vulnerability labeled as critical has been found in SourceCodester Hospitals Patient Records Management System 1.0. This issue affects unknown processing in the file /classes/Master.php?f=save_patient. The manipulation of the argument ID results in SQL injection.
This vulnerability is known as CVE-2026-11501. It is possible to launch the attack remotely. Furthermore, an exploit is available.
A vulnerability identified as critical has been detected in Weaviate up to 1.37.7. This vulnerability affects the function validateConfig of the file usecases/auth/authentication/apikey/client.go of the component Static API Key Handler. The manipulation of the argument StaticApiKey leads to an authorization bypass.
This vulnerability is tracked as CVE-2026-11500. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.
You should upgrade the affected component.
A vulnerability classified as problematic was found in CodeAstro Human Resource Management System 1.0. Impacted is an unknown function of the file /notice/All_notice of the component Notice Board Management. Manipulating the argument Notice Title with the input <svg onload="alert('Stored XSS Triggered by Ashik Mohamed')"> as part of a POST request leads to cross-site scripting.
This vulnerability is referenced as CVE-2026-11491. It is possible to launch the attack remotely. Furthermore, an exploit is available.
A vulnerability categorized as critical has been discovered in Tenda HG7HG9 and HG10 300001138_en_xpon. This affects the function formDOMAINBLK of the file /boaform/formDOMAINBLK. Manipulating the argument blkDomain can lead to a stack-based buffer overflow.
This vulnerability is listed as CVE-2026-11499. The attack may be performed remotely. There is no available exploit.
A vulnerability was found in Tenda HG7HG9 and HG10 300001138_en_xpon. It has been rated as critical. Affected by this issue is the function asp_voip_OtherSet of the file /boaform/voip_other_set of the component Web Management Interface. Manipulating the argument funckey_transfer results in a stack-based buffer overflow.
This vulnerability is reported as CVE-2026-11498. The attack can be carried out remotely. No exploit exists.