6.9
CVE-2026-1449 - Hisense TransTech Smart Bus Management System TireMng.aspx Page_Load sql injection
A flaw has been found in Hisense TransTech Smart Bus Management System up to 20260113. Affected is the function Page_Load of the file YZSoft/Forms/XForm/BM/BusComManagement/TireMng.aspx. Executing a manipulation of the argument key can lead to sql injection. It is possible to launch the attack remoβ¦
8.6
CVE-2026-1448 - D-Link DIR-615 Web Management wiz_policy_3_machine.php os command injection
A vulnerability was detected in D-Link DIR-615 up to 4.10. This impacts an unknown function of the file /wiz_policy_3_machine.php of the component Web Management Interface. Performing a manipulation of the argument ipaddr results in os command injection. It is possible to initiate the attack remoteβ¦
7.2
CVE-2026-24478 - AnythingLLM vulnerable to Path Traversal
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. Prior to version 1.10.0, a critical Path Traversal vulnerability in the DrupalWiki integration allows a malicious admin (or an attacker who can convince an admin to configure β¦
8.7
CVE-2026-24477 - AnythingLLM has key leak in `systemSettings.js`
AnythingLLM is an application that turns pieces of content into context that any LLM can use as references during chatting. If AnythingLLM prior to version 1.10.0 is configured to use Qdrant as the vector database with an API key, this QdrantApiKey could be exposed in plain text to unauthenticated β¦
8.9
CVE-2025-30248 -
DLL hijacking in the WD Discovery Installer in Western Digital WD Discovery 5.2.730 on Windows allows a local attacker to execute arbitrary code via placement of a crafted dll in the installer's search path.
5.3
CVE-2026-24476 - Shaarli vulnerable to stored XSS via Suggested Tags
Shaarli is a personal bookmarking service. Prior to version 0.16.0, crafting a malicious tag which starting with `"` prematurely ends the `<input>` tag on the start page and allows an attacker to add arbitrary html leading to a possible XSS attack. Version 0.16.0 fixes the issue.
8.1
CVE-2026-24470 - Skipper Ingress Controller Allows Unauthorized Access to Internal Services via ExternalName
Skipper is an HTTP router and reverse proxy for service composition. Prior to version 0.24.0, when running Skipper as an Ingress controller, users with permissions to create an Ingress and a Service of type ExternalName can create routes that enable them to use Skipper's network access to reach intβ¦
0
CVE-2026-24408 - sigstore has CSRF possibility in OIDC authentication during signing
sigstore-python is a Python tool for generating and verifying Sigstore signatures. Prior to version 4.2.0, the sigstore-python OAuth authentication flow is susceptible to Cross-Site Request Forgery. `_OAuthSession` creates a unique "state" and sends it as a parameter in the authentication request bβ¦
8.2
CVE-2026-24400 - AssertJ has XML External Entity (XXE) vulnerability when parsing untrusted XML via isXmlEqualTo assβ¦
AssertJ provides Fluent testing assertions for Java and the Java Virtual Machine (JVM). Starting in version 1.4.0 and prior to version 3.27.7, an XML External Entity (XXE) vulnerability exists in `org.assertj.core.util.xml.XmlStringPrettyFormatter`: the `toXmlDocument(String)` method initializes `Dβ¦
7.4
CVE-2026-24123 - BentoML has a Path Traversal via Bentofile Configuration
BentoML is a Python library for building online serving systems optimized for AI apps and model inference. Prior to version 1.4.34, BentoML's `bentofile.yaml` configuration allows path traversal attacks through multiple file path fields (`description`, `docker.setup_script`, `docker.dockerfile_tempβ¦