Total
4848 CVE
| CVE | Vendors | Products | Updated | CVSS v3.1 |
|---|---|---|---|---|
| CVE-2026-8777 | 1 Edimax | 2 Br-6428ns, Br-6428ns Firmware | 2026-05-18 | 6.3 Medium |
| A vulnerability was found in Edimax BR-6428NS 1.10. This issue affects the function formStaDrvSetup of the file /goform/formStaDrvSetup of the component POST Request Handler. Performing a manipulation of the argument stadrv_ssid results in command injection. The attack can be initiated remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8774 | 1 Edimax | 1 Br-6228nc | 2026-05-18 | 6.3 Medium |
| A vulnerability was detected in Edimax BR-6228NC 1.22. Affected by this issue is the function mp of the file /goform/mp of the component POST Request Handler. The manipulation of the argument command results in command injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8344 | 2 D-link, Dlink | 3 Dir-816, Dir-816, Dir-816 Firmware | 2026-05-17 | 6.3 Medium |
| A weakness has been identified in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this vulnerability is the function sub_445E7C of the file /goform/formDMZ.cgi. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-42334 | 2 Automattic, Mongoosejs | 2 Mongoose, Mongoose | 2026-05-15 | 7.5 High |
| Mongoose is a MongoDB object modeling tool designed to work in an asynchronous environment. Prior to 6.13.9, 7.8.9, 8.22.1, and 9.1.6, a vulnerability allows bypassing Mongoose’s sanitizeFilter query sanitization mechanism via the $nor operator. When sanitizeFilter is enabled, Mongoose wraps query operators in $eq to neutralize them. However, prior to the fix, $nor was not included in the set of logical operators that are recursively sanitized. Because $nor accepts an array (like $and and $or), and arrays do not trigger hasDollarKeys(), malicious operators such as $ne, $gt, or $regex could be injected inside a $nor clause without being sanitized. This vulnerability is fixed in 6.13.9, 7.8.9, 8.22.1, and 9.1.6. | ||||
| CVE-2026-44458 | 1 Hono | 1 Hono | 2026-05-14 | 4.3 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.18, the JSX renderer escapes style attribute object values for HTML but not for CSS. Untrusted input in a style object value or property name can therefore inject additional CSS declarations into the rendered style attribute. The impact is limited to CSS and does not allow JavaScript execution or HTML attribute breakout. This vulnerability is fixed in 4.12.18. | ||||
| CVE-2026-42838 | 1 Microsoft | 1 Edge Chromium | 2026-05-14 | 5.4 Medium |
| Improper neutralization of special elements in output used by a downstream component ('injection') in Microsoft Edge (Chromium-based) allows an unauthorized attacker to elevate privileges over a network. | ||||
| CVE-2026-44455 | 1 Hono | 1 Hono | 2026-05-14 | 4.7 Medium |
| Hono is a Web application framework that provides support for any JavaScript runtime. Prior to 4.12.16, Improper handling of JSX element tag names in hono/jsx allowed unvalidated tag names to be directly inserted into the generated HTML output. When untrusted input is used as a tag name via the programmatic jsx() or createElement() APIs during server-side rendering, specially crafted values may break out of the intended element context and inject unintended HTML. This vulnerability is fixed in 4.12.16. | ||||
| CVE-2026-33833 | 1 Microsoft | 1 Azure Machine Learning | 2026-05-13 | 8.2 High |
| Improper neutralization of special elements in output used by a downstream component ('injection') in Azure Machine Learning allows an unauthorized attacker to perform spoofing over a network. | ||||
| CVE-2026-41109 | 1 Microsoft | 1 Visual Studio Code | 2026-05-13 | 8.8 High |
| Improper neutralization of special elements in output used by a downstream component ('injection') in GitHub Copilot and Visual Studio allows an unauthorized attacker to bypass a security feature over a network. | ||||
| CVE-2025-67486 | 1 Dolibarr | 2 Dolibarr, Dolibarr Erp\/crm | 2026-05-12 | 7.2 High |
| Dolibarr is an enterprise resource planning (ERP) and customer relationship management (CRM) software package. Versions 22.0.2 and earlier contains an authenticated remote code execution vulnerability in the user extrafields functionality. User-controlled input from the "computed value" field is passed to PHP's `eval()` function without adequate sanitization, allowing authenticated administrators to execute arbitrary PHP code on the server. As of time of publication, no patched versions are available. | ||||
| CVE-2026-8345 | 2 D-link, Dlink | 3 Dir-816, Dir-816, Dir-816 Firmware | 2026-05-12 | 6.3 Medium |
| A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such manipulation of the argument ip_address leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-8346 | 2 D-link, Dlink | 3 Dir-816, Dir-816, Dir-816 Firmware | 2026-05-12 | 6.3 Medium |
| A vulnerability was detected in D-Link DIR-816 1.10CNB05_R1B011D88210. This affects the function portForward. Performing a manipulation of the argument ip_address results in command injection. The attack can be initiated remotely. The exploit is now public and may be used. | ||||
| CVE-2026-8210 | 1 Aandrew-me | 1 Tgpt | 2026-05-12 | 5.3 Medium |
| A security vulnerability has been detected in aandrew-me tgpt up to 2.11.1 on Linux/macOS. Affected by this vulnerability is the function helper.Update of the file helper.go of the component Update Handler. The manipulation leads to command injection. Local access is required to approach this attack. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8231 | 1 Codeastro | 1 Online Catering Ordering System | 2026-05-11 | 6.3 Medium |
| A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to sql injection. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used. | ||||
| CVE-2026-8098 | 1 Code-projects | 1 Feedback System | 2026-05-11 | 7.3 High |
| A security vulnerability has been detected in code-projects Feedback System 1.0. Impacted is an unknown function of the file /admin/checklogin.php. Such manipulation of the argument email leads to sql injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used. | ||||
| CVE-2026-8114 | 1 Jeecg | 1 Jeecgboot | 2026-05-11 | 6.3 Medium |
| A vulnerability was identified in JeecgBoot up to 3.9.1. Affected by this issue is some unknown functionality of the file /sys/dict/loadTreeData of the component JSON Object Handler. The manipulation of the argument condition leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used. The vendor confirms (translated from Chinese): "It should have been fixed; a batch of issues were recently resolved." | ||||
| CVE-2026-8126 | 1 Sourcecodester | 1 Comment System | 2026-05-11 | 7.3 High |
| A flaw has been found in SourceCodester Comment System 1.0. This issue affects some unknown processing of the file post_comment.php. This manipulation of the argument Name causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used. | ||||
| CVE-2026-8132 | 1 Codeastro | 1 Leave Management System | 2026-05-11 | 7.3 High |
| A weakness has been identified in CodeAstro Leave Management System 1.0. Affected is an unknown function of the file /login.php. This manipulation of the argument txt_username causes sql injection. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. | ||||
| CVE-2026-8211 | 1 Codelibs | 1 Fess | 2026-05-11 | 4.7 Medium |
| A vulnerability was detected in codelibs Fess up to 15.5.1. Affected by this issue is the function update of the file org/codelibs/fess/app/web/admin/design/AdminDesignAction.java of the component JSP File Handler. The manipulation of the argument content results in code injection. The attack may be performed from remote. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way. | ||||
| CVE-2026-8128 | 1 Sourcecodester | 1 Sup Online Shopping | 2026-05-10 | 7.3 High |
| A vulnerability was found in SourceCodester SUP Online Shopping 1.0. The affected element is an unknown function of the file /admin/viewmsg.php. Performing a manipulation of the argument msgid results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used. | ||||