9.3
CVE-2026-7240 - Totolink A8000RU CGI cstecgi.cgi setVpnAccountCfg os command injection
A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setVpnAccountCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument User leads to OS command injection. The attack can be executed remotely. …
8.7
CVE-2024-54013 - Authentication Bypass
Penetration Testing engineers at Amazon have identified a security flaw related to request handling in the web server component that could, under certain conditions, lead to unintended access to protected functions. The manufacturer has released patch firmware for the flaw; please refer to the manu…
8.5
CVE-2024-54012 - Command Injection
Penetration Testing engineers at Amazon discovered a vulnerability where the camera system failed to properly validate input, allowing specially crafted requests containing malicious commands to be executed on the device. The manufacturer has released patch firmware for the flaw; please refer to th…
5.1
CVE-2026-7238 - code-projects Online Music Site AdminUpdateAlbum.php unrestricted upload
A flaw has been found in code-projects Online Music Site 1.0. This affects an unknown part of the file /Administrator/PHP/AdminUpdateAlbum.php. This manipulation of the argument txtimage causes unrestricted upload. Remote exploitation of the attack is possible. The exploit has been published and ma…
5.3
CVE-2024-54011 - Missing Error/Exception Handling
Penetration Testing engineers at Amazon have discovered a flaw where the camera system fails to properly handle data supplied in certain requests, causing a service disruption. The manufacturer has released patch firmware for the flaw; please refer to the manufacturer's report for details and worka…
6.4
CVE-2026-4805 - Woostify <= 2.5.0 - Authenticated (Contributor+) Stored Cross-Site Scripting via Lity.js Library vi…
The Woostify plugin for WordPress is vulnerable to Stored Cross-Site Scripting in versions up to, and including, 2.5.0. This is due to insufficient input sanitization and output escaping in the bundled Lity.js lightbox library, where user-controlled input from the href attribute is concatenated dire…
5.3
CVE-2026-4911 - Booking Package <= 1.7.06 - Unauthenticated Price Manipulation via 'amount' Parameter
The Booking Package plugin for WordPress is vulnerable to Price Manipulation in versions up to, and including, 1.7.06. This is due to the intentForStripe() function passing user-controlled $_POST['amount'] directly to the Stripe PaymentIntent API without validation, and the commitStripe() function i…
6.9
CVE-2026-7237 - AgiFlow scaffold-mcp write-to-file Tool index.ts path traversal
A vulnerability was detected in AgiFlow scaffold-mcp up to 1.0.27. Affected by this issue is some unknown functionality of the file packages/scaffold-mcp/src/server/index.ts of the component write-to-file Tool. The manipulation of the argument file_path results in path traversal. The attack may be …
5.9
CVE-2026-40966 - VectorStoreChatMemoryAdvisor conversation scoping can lead to cross-tenant memory exfiltration
In Spring AI, an attacker can bypass conversation isolation and exfiltrate sensitive memory from other users' chat histories, including secrets and credentials, by injecting filter logic through conversationId. Only applications that use VectorStoreChatMemoryAdvisor and pass user-supplied input as …
6.9
CVE-2026-7235 - ErlichLiu claude-agent-sdk-master route.ts path traversal
A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. …