VulDB Recent Entries

A vulnerability identified as problematic has been detected in code-projects Employee Management System 1.0. This affects an unknown part of the file 370project/edit.php. The manipulation of the argument ID leads to cross site scripting. This vulnerability is traded as CVE-2026-7095. It is possible to initiate the attack remotely. Furthermore, there is an exploit available.

A vulnerability categorized as critical has been discovered in ShadowCloneLabs GlutamateMCPServers up to e2de73280b01e5d943593dd1aa2c01c5b9112f78. Affected by this issue is some unknown functionality of the file src/puppeteer/index.ts of the component puppeteer_navigate. Executing a manipulation of the argument url can lead to server-side request forgery. This vulnerability appears as CVE-2026-7094. The attack may be performed from remote. In addition, an exploit is available. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in code-projects Invoice System in Laravel 1.0. It has been rated as critical. Affected by this vulnerability is an unknown functionality of the file /invoice/ of the component Invoice Endpoint. Performing a manipulation of the argument ID results in improper authorization. This vulnerability is reported as CVE-2026-7093. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability was found in code-projects Invoice System in Laravel 1.0. It has been declared as critical. Affected is an unknown function of the file /profile/ of the component Profile Handler. Such manipulation of the argument ID leads to improper authorization. This vulnerability is documented as CVE-2026-7092. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability was found in code-projects Invoice System in Laravel 1.0. It has been classified as critical. This impacts an unknown function of the file /user of the component User Management Handler. This manipulation causes improper authorization. This vulnerability is registered as CVE-2026-7091. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability was found in code-projects Chat System 1.0 and classified as problematic. This affects an unknown function of the file /admin/send_message.php of the component Chat Interface. The manipulation of the argument msg results in cross site scripting. This vulnerability is cataloged as CVE-2026-7090. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability has been found in code-projects Home Service System 1.0 and classified as problematic. The impacted element is an unknown function of the file /booking.php of the component Appointment Booking. The manipulation of the argument fname/lname leads to cross site scripting. This vulnerability is listed as CVE-2026-7089. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability, which was classified as critical, was found in SourceCodester Pharmacy Sales and Inventory System 1.0. The affected element is an unknown function of the file /ajax.php?action=save_receiving. Executing a manipulation of the argument ID can lead to sql injection. This vulnerability is tracked as CVE-2026-7088. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability, which was classified as critical, has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Impacted is an unknown function of the file /ajax.php?action=save_sales. Performing a manipulation of the argument ID results in sql injection. This vulnerability is identified as CVE-2026-7087. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability classified as critical was found in HBAI-Ltd Toonflow-app up to 1.1.1. This issue affects the function updateStoryboardUrl of the file replaceUrl.ts of the component Storyboard Export. Such manipulation of the argument url leads to path traversal. This vulnerability is referenced as CVE-2026-7086. It is possible to launch the attack remotely. Furthermore, an exploit is available. It is still unclear if this vulnerability genuinely exists. The vendor explains in a reply to the issue report, that "[t]he URL of this interface is designed to only be a local address or a trusted domain address configured in docker, and will not contain malicious links, unless the user modifies the code causing unexpected situations."

A vulnerability classified as critical has been found in HBAI-Ltd Toonflow-app up to 1.1.1. This vulnerability affects the function z.url of the file src/routes/setting/about/downloadApp.ts of the component downloadApp Endpoint. This manipulation of the argument url causes path traversal. The identification of this vulnerability is CVE-2026-7085. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The real existence of this vulnerability is still doubted at the moment. The vendor explains in a reply to the issue report, that "[t]his interface is used for online updates, and the update URL has been statically compiled in the official code repository. Unless users modify the code, the requested address will be the official source address."

A vulnerability described as critical has been identified in HBAI-Ltd Toonflow-app up to 1.1.1. This affects the function fetch of the file src/routes/setting/vendorConfig/getCodeByLink.ts of the component getCodeByLink Endpoint. The manipulation of the argument Link results in server-side request forgery. This vulnerability was named CVE-2026-7084. The attack may be performed from remote. In addition, an exploit is available. There is ongoing doubt regarding the real existence of this vulnerability. The vendor explains in a reply to the issue report, that "[t]he /getCodeByLink interface is used to obtain TS code and run it locally. It is inherently a high-risk interface, and users must clearly understand the risks before requesting to use it."

A vulnerability marked as critical has been reported in likeadmin-likeshop likeadmin_php up to 1.9.6. Affected by this issue is the function queryResult of the file server\app\adminapi\lists\tools\DataTableLists.php of the component dataTable Admin API. The manipulation leads to sql injection. This vulnerability is uniquely identified as CVE-2026-7083. The attack is possible to be carried out remotely. Moreover, an exploit is present. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability labeled as critical has been found in Tenda F456 1.0.0.5. Affected by this vulnerability is the function formWrlExtraSet of the file /goform/WrlExtraSet of the component httpd. Executing a manipulation of the argument Go can lead to buffer overflow. This vulnerability is handled as CVE-2026-7082. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability identified as critical has been detected in Tenda F456 1.0.0.5. Affected is the function fromGstDhcpSetSer of the file /goform/GstDhcpSetSer of the component httpd. Performing a manipulation of the argument dips results in buffer overflow. This vulnerability is known as CVE-2026-7081. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability categorized as critical has been discovered in Tenda F456 1.0.0.5. This impacts the function fromPPTPUserSetting of the file /goform/PPTPUserSetting of the component httpd. Such manipulation of the argument delno leads to buffer overflow. This vulnerability is traded as CVE-2026-7080. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability was found in Tenda F456 1.0.0.5. It has been rated as critical. This affects the function fromAdvSetWan of the file /goform/AdvSetWan of the component httpd. This manipulation of the argument wanmode causes buffer overflow. This vulnerability appears as CVE-2026-7079. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability was found in Tenda F456 1.0.0.5. It has been declared as critical. The impacted element is the function fromSetIpBind of the file /goform/SetIpBind of the component httpd. The manipulation of the argument page results in buffer overflow. This vulnerability is reported as CVE-2026-7078. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in itsourcecode Courier Management System 1.0. It has been classified as critical. The affected element is an unknown function of the file /edit_parcel.php. The manipulation of the argument ID leads to sql injection. This vulnerability is documented as CVE-2026-7077. The attack can be initiated remotely. Additionally, an exploit exists.

A vulnerability was found in itsourcecode Courier Management System 1.0 and classified as critical. Impacted is an unknown function of the file /edit_branch.php. Executing a manipulation of the argument ID can lead to sql injection. This vulnerability is registered as CVE-2026-7076. It is possible to launch the attack remotely. Furthermore, an exploit is available.