9.1
CVE-2026-21643 -
An improper neutralization of special elements used in an sql command ('sql injection') vulnerability in Fortinet FortiClientEMS 7.4.4 may allow an unauthenticated attacker to execute unauthorized code or commands via specifically crafted HTTP requests.
8.4
CVE-2026-24926 - OutโofโBounds Write in HarmonyOS Camera Module
Out-of-bounds write vulnerability in the camera module. Impact: Successful exploitation of this vulnerability may affect availability.
7.3
CVE-2026-24925 - Heap-Based Buffer Overflow in Image Module
Heap-based buffer overflow vulnerability in the image module. Impact: Successful exploitation of this vulnerability may affect availability.
5.3
CVE-2026-2100 - P11-kit: null dereference via c_derivekey with specific null parameters
A flaw was found in p11-kit. A remote attacker could exploit this vulnerability by calling the C_DeriveKey function on a remote token with specific IBM kyber or IBM btc derive mechanism parameters set to NULL. This could lead to the RPC-client attempting to return an uninitialized value, potentiallโฆ
2.3
CVE-2026-2010 - Sanluan PublicCMS Trade Payment TradePaymentService.java paid improper authorization
A vulnerability has been found in Sanluan PublicCMS up to 4.0.202506.d/5.202506.d/6.202506.d. Impacted is the function Paid of the file publiccms-parent/publiccms-trade/src/main/java/com/publiccms/logic/service/trade/TradePaymentService.java of the component Trade Payment Handler. The manipulation โฆ
9.2
CVE-2026-21626 - Extension - stackideas.com - Information disclosure in post custom fields in EasyDiscuss 1.0.0-5.0.โฆ
Access control settings for forum post custom fields are not applied to the JSON output type, leading to an ACL violation vector an information disclosure
5.3
CVE-2026-2009 - SourceCodester Gas Agency Management System createUser.php access control
A flaw has been found in SourceCodester Gas Agency Management System 1.0. This issue affects some unknown processing of the file /gasmark/php_action/createUser.php. Executing a manipulation can lead to improper access controls. It is possible to launch the attack remotely. The exploit has been publโฆ
6.4
CVE-2026-1279 - Employee Directory <= 1.2.1 - Authenticated (Contributor+) Stored Cross-Site Scripting via 'form_tiโฆ
The Employee Directory plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'form_title' parameter in the `search_employee_directory` shortcode in all versions up to, and including, 1.2.1 due to insufficient input sanitization and output escaping. This makes it possible for autโฆ
5.3
CVE-2026-2008 - abhiphile fermat-mcp eqn_chart.py eqn_chart code injection
A vulnerability was detected in abhiphile fermat-mcp up to 47f11def1cd37e45dd060f30cdce346cbdbd6f0a. This vulnerability affects the function eqn_chart of the file fmcp/mpl_mcp/core/eqn_chart.py. Performing a manipulation of the argument equations results in code injection. It is possible to initiatโฆ
6.4
CVE-2026-1401 - Tune Library <= 1.6.3 - Missing Authorization to Authenticated (Subscriber+) Stored Cross-Site Scriโฆ
The Tune Library plugin for WordPress is vulnerable to Stored Cross-Site Scripting via CSV import in all versions up to, and including, 1.6.3. This is due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with Subโฆ