2.8
CVE-2026-2239 - gimp: GIMP: Application crash (DoS) via crafted PSD file due to heap-buffer-overflow
No description is available for this CVE.
6.9
CVE-2026-2221 - code-projects Online Reviewer System Login index.php sql injection
A security flaw has been discovered in code-projects Online Reviewer System 1.0. Affected is an unknown function of the file /login/index.php of the component Login. Performing a manipulation of the argument Username results in sql injection. The attack is possible to be carried out remotely. The eβ¦
8.4
CVE-2026-24466 -
Products provided by Oki Electric Industry Co., Ltd. and its OEM products (Ricoh Co., Ltd., Murata Machinery, Ltd.) register Windows services with unquoted file paths. A user with the write permission on the root directory of the system drive may execute arbitrary code with SYSTEM privilege.
9.9
CVE-2026-1868 - Improper Neutralization of Special Elements Used in a Template Engine in GitLab AI Gateway
GitLab has remediated a vulnerability in the Duo Workflow Service component of GitLab AI Gateway affecting all versions of the AI Gateway from 18.1.6, 18.2.6, 18.3.1 to 18.6.1, 18.7.0, and 18.8.0 in which AI Gateway was vulnerable to insecure template expansion of user supplied data via crafted Duoβ¦
6.9
CVE-2026-2220 - code-projects Online Reviewer System btn_functions.php sql injection
A vulnerability was identified in code-projects Online Reviewer System 1.0. This impacts an unknown function of the file /system/system/admins/assessments/pretest/btn_functions.php. Such manipulation of the argument difficulty_id leads to sql injection. The attack can be executed remotely. The explβ¦
8.5
CVE-2026-0870 - GIGABYTEο½MacroHub - Local Privilege Escalation
MacroHub developed by GIGABYTE has a Local Privilege Escalation vulnerability. Due to the MacroHub application launching external applications with improper privileges, allowing authenticated local attackers to execute arbitrary code with SYSTEM privileges.
5.3
CVE-2026-2218 - D-Link DCS-933L alphapd setSystemAdmin command injection
A vulnerability was determined in D-Link DCS-933L up to 1.14.11. This affects an unknown function of the file /setSystemAdmin of the component alphapd. This manipulation of the argument AdminID causes command injection. Remote exploitation of the attack is possible. The exploit has been publicly diβ¦
5.7
CVE-2026-22613 -
The server identity check mechanism for firmware upgrade performed via command shell is insecurely implemented potentially allowing an attacker to perform a Man-in-the-middle attack. This security issue has been fixed in the latest firmware version of Eaton Network M3 which is available on the β¦
6.9
CVE-2026-2217 - itsourcecode Event Management System manage_user.php sql injection
A vulnerability was found in itsourcecode Event Management System 1.0. The impacted element is an unknown function of the file /admin/manage_user.php. The manipulation of the argument ID results in sql injection. The attack may be launched remotely. The exploit has been made public and could be useβ¦
5.3
CVE-2026-2216 - rachelos WeRSS we-mp-rss tools.py download_export_file path traversal
A flaw has been found in rachelos WeRSS we-mp-rss up to 1.4.8. Impacted is the function download_export_file of the file apis/tools.py. Executing a manipulation of the argument filename can lead to path traversal. The attack can be launched remotely. The exploit has been published and may be used.