6.9

CVSS4.0

CVE-2026-5150 - code-projects Accounting System Parameter viewin_costumer.php sql injection

A security vulnerability has been detected in code-projects Accounting System 1.0. This issue affects some unknown processing of the file /viewin_costumer.php of the component Parameter Handler. Such manipulation of the argument cos_id leads to sql injection. The attack can be launched remotely. Th…

Published: March 30, 2026, 7:45 p.m. | Last Modified: March 30, 2026, 7:45 p.m.

5.1

CVSS4.0

CVE-2026-5148 - YunaiV yudao-cloud page sql injection

A weakness has been identified in YunaiV yudao-cloud up to 2026.01. This vulnerability affects unknown code of the file /admin-api/system/mail-log/page. This manipulation of the argument toMail causes sql injection. The attack can be initiated remotely. The exploit has been made available to the pu…

Published: March 30, 2026, 7:45 p.m. | Last Modified: March 30, 2026, 7:45 p.m.

7.4

CVSS4.0

CVE-2026-32275 - Tautulli: Unsanitized JSONP callback parameter allows cross-origin script injection and API key the…

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 1.3.10 to before version 2.17.0, an unsanitized JSONP callback parameter allows cross-origin script injection and API key theft. This issue has been patched in version 2.17.0.

Published: March 30, 2026, 7:43 p.m. | Last Modified: March 30, 2026, 7:43 p.m.

4.9

CVSS3.1

CVE-2026-31799 - Tautulli: SQL Injection in get_home_stats API endpoint via unsanitised filter parameters

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. From version 2.14.2 to before version 2.17.0 for parameters "before" and "after" and from version 2.1.0-beta to before version 2.17.0 for parameters "section_id" and "user_id", the /api/v2?cmd=get_home_stats endpoint pas…

Published: March 30, 2026, 7:42 p.m. | Last Modified: March 30, 2026, 7:42 p.m.

8.7

CVSS4.0

CVE-2026-31831 - Tautulli: Unauthenticated Path Traversal in `/newsletter/image/images` endpoint

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /newsletter/image/images API endpoint is vulnerable to path traversal, allowing unauthenticated attackers to read arbitrary files from the application server's filesystem. This issue has been…

Published: March 30, 2026, 7:42 p.m. | Last Modified: March 30, 2026, 7:42 p.m.

4

CVSS3.1

CVE-2026-31804 - Tautulli: Unauthenticated pms_image_proxy endpoint proxies arbitrary HTTP requests through the Plex…

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the /pms_image_proxy endpoint accepts a user-supplied img parameter and forwards it to Plex Media Server's /photo/:/ transcode transcoder without authentication and without restricting the scheme…

Published: March 30, 2026, 7:42 p.m. | Last Modified: March 30, 2026, 7:42 p.m.

7.5

CVSS4.0

CVE-2026-28505 - Tautulli: RCE via eval() sandbox bypass using lambda nested scope to escape co_names whitelist check

Tautulli is a Python based monitoring and tracking tool for Plex Media Server. Prior to version 2.17.0, the str_eval() function in notification_handler.py implements a sandboxed eval() for notification text templates. The sandbox attempts to restrict callable names by inspecting code.co_names of th…

Published: March 30, 2026, 7:41 p.m. | Last Modified: March 30, 2026, 7:41 p.m.

9.4

CVSS4.0

CVE-2026-33026 - nginx-ui Backup Restore Allows Tampering with Encrypted Backups

Nginx UI is a web user interface for the Nginx web server. Prior to version 2.3.4, the nginx-ui backup restore mechanism allows attackers to tamper with encrypted backup archives and inject malicious configuration during restoration. This issue has been patched in version 2.3.4.

Published: March 30, 2026, 7:26 p.m. | Last Modified: March 30, 2026, 7:26 p.m.

7.5

CVSS3.0

CVE-2026-21710 -

A flaw in Node.js HTTP request handling causes an uncaught `TypeError` when a request is received with a header named `__proto__` and the application accesses `req.headersDistinct`. When this occurs, `dest["__proto__"]` resolves to `Object.prototype` rather than `undefined`, causing `.push()` to…

Published: March 30, 2026, 7:07 p.m. | Last Modified: March 30, 2026, 7:07 p.m.

3.3

CVSS3.0

CVE-2026-21716 -

An incomplete fix for CVE-2024-36137 leaves `FileHandle.chmod()` and `FileHandle.chown()` in the promises API without the required permission checks, while their callback-based equivalents (`fs.fchmod()`, `fs.fchown()`) were correctly patched. As a result, code running under `--permission` with …

Published: March 30, 2026, 7:07 p.m. | Last Modified: March 30, 2026, 7:07 p.m.
Total results: 341475