6.9

CVSS4.0

CVE-2026-7733 - funadmin Frontend Chunked Upload Endpoint UploadService.php chunkUpload unrestricted upload

A flaw has been found in funadmin up to 7.1.0-rc6. This affects the function UploadService::chunkUpload of the file app/common/service/UploadService.php of the component Frontend Chunked Upload Endpoint. This manipulation of the argument File causes unrestricted upload. The attack is possible to be…

📅 Published: May 4, 2026, 4:45 a.m. 🔄 Last Modified: May 4, 2026, 4:45 a.m.

5.3

CVSS4.0

CVE-2026-7732 - code-projects BloodBank Managing System request_blood.php unrestricted upload

A vulnerability was detected in code-projects BloodBank Managing System 1.0. The impacted element is an unknown function of the file request_blood.php. The manipulation results in unrestricted upload. The attack can be executed remotely. The exploit is now public and may be used.

📅 Published: May 4, 2026, 4:30 a.m. 🔄 Last Modified: May 4, 2026, 4:30 a.m.

5.3

CVSS4.0

CVE-2026-7731 - code-projects BloodBank Managing System get_state.php sql injection

A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. The affected element is an unknown function of the file get_state.php. The manipulation of the argument G_STATE_ID leads to sql injection. Remote exploitation of the attack is possible. The exploit has been d…

📅 Published: May 4, 2026, 4:15 a.m. 🔄 Last Modified: May 5, 2026, 12:56 a.m.

5.3

CVSS4.0

CVE-2026-7730 - privsim mcp-test-runner MCP index.ts child_process.spawn os command injection

A weakness has been identified in privsim mcp-test-runner 0.2.0. Impacted is the function child_process.spawn of the file src/index.ts of the component MCP Interface. Executing a manipulation of the argument command can lead to os command injection. The attack may be launched remotely. The exploit …

📅 Published: May 4, 2026, 4 a.m. 🔄 Last Modified: May 4, 2026, 4:06 p.m.

5.3

CVSS4.0

CVE-2026-7729 - pixelsock directus-mcp MCP index.ts validateUrl server-side request forgery

A security flaw has been discovered in pixelsock directus-mcp 1.0.0. This issue affects the function validateUrl of the file index.ts of the component MCP Interface. Performing a manipulation of the argument fileUrl results in server-side request forgery. The attack may be initiated remotely. The e…

📅 Published: May 4, 2026, 3:45 a.m. 🔄 Last Modified: May 4, 2026, 12:57 p.m.

5.3

CVSS4.0

CVE-2026-7728 - ryanjoachim mcp-rtfm MCP update_doc path traversal

A vulnerability was identified in ryanjoachim mcp-rtfm 0.1.0. This vulnerability affects the function get_doc_content/read_doc/update_doc of the component MCP Interface. Such manipulation of the argument docFile leads to path traversal. The attack can be launched remotely. The exploit is publicly a…

📅 Published: May 4, 2026, 3:30 a.m. 🔄 Last Modified: May 4, 2026, 3:30 a.m.

6.9

CVSS4.0

CVE-2026-7727 - Shandong Hoteam Software PDM Product Data Management System DataService GetQueryMachineGridOnePageD…

A vulnerability was determined in Shandong Hoteam Software PDM Product Data Management System up to 8.3.9. This affects the function GetQueryMachineGridOnePageData of the file /Base/BaseService.asmx/DataService. This manipulation of the argument SortOrder causes sql injection. The attack can be ini…

📅 Published: May 4, 2026, 3:15 a.m. 🔄 Last Modified: May 4, 2026, 12:53 p.m.

5.3

CVSS4.0

CVE-2026-7725 - PrefectHQ prefect GitRepository Pull storage.py argument injection

A vulnerability was found in PrefectHQ prefect up to 3.6.25.dev6. Affected by this issue is some unknown functionality of the file src/prefect/runner/storage.py of the component GitRepository Pull Handler. The manipulation of the argument commit_sha/directories results in argument injection. It is …

📅 Published: May 4, 2026, 3 a.m. 🔄 Last Modified: May 4, 2026, 9:18 p.m.

2.3

CVSS4.0

CVE-2026-7724 - PrefectHQ prefect Webhook/Notification validate_restricted_url toctou

A vulnerability has been found in PrefectHQ prefect up to 3.6.28.dev1. Affected by this vulnerability is the function validate_restricted_url of the component Webhook/Notification. The manipulation leads to time-of-check time-of-use. It is possible to initiate the attack remotely. The attack is con…

📅 Published: May 4, 2026, 2:45 a.m. 🔄 Last Modified: May 4, 2026, 9:18 p.m.

6.9

CVSS4.0

CVE-2026-7723 - PrefectHQ prefect WebSocket Endpoint in missing authentication

A flaw has been found in PrefectHQ prefect up to 3.6.13. Affected is an unknown function of the file /api/events/in of the component WebSocket Endpoint. Executing a manipulation can lead to missing authentication. The attack may be performed remotely. The exploit has been published and may be us…

📅 Published: May 4, 2026, 2:30 a.m. 🔄 Last Modified: May 4, 2026, 9:17 p.m.