6.9

CVSS4.0

CVE-2026-7235 - ErlichLiu claude-agent-sdk-master route.ts path traversal

A security vulnerability has been detected in ErlichLiu claude-agent-sdk-master up to b185aa7ff0d864581257008077b4010fca1747bf. Affected by this vulnerability is an unknown functionality of the file app/api/agent-output/route.ts. The manipulation of the argument outputFile leads to path traversal. …

📅 Published: April 28, 2026, 6:30 a.m. 🔄 Last Modified: April 28, 2026, 2:33 p.m.

6.9

CVSS4.0

CVE-2026-7234 - BrowserOperator browser-operator-core server.js startsWith path traversal

A weakness has been identified in BrowserOperator browser-operator-core up to 0.6.0. Affected is the function startsWith of the file scripts/component_server/server.js. Executing a manipulation of the argument request.url can lead to path traversal. The attack can be launched remotely. The exploit …

📅 Published: April 28, 2026, 6:15 a.m. 🔄 Last Modified: April 28, 2026, 12:36 p.m.

8.6

CVSS3.1

CVE-2026-40967 - Unescaped Filter Expressions Enable Query Injection in Spring AI

In Spring AI, various FilterExpressionConverter implementations accept a filter expression object and translate it to specific vector store query languages. In several cases, keys and values are not properly escaped, leading to the ability to alter the query. Affected versions: Spring AI: 1.0.0 …

📅 Published: April 28, 2026, 6:03 a.m. 🔄 Last Modified: April 29, 2026, 7:04 p.m.

4.8

CVSS4.0

CVE-2026-7233 - Artifex MuPDF CFF Index subset-cff.c fz_subset_cff_for_gids out-of-bounds

A vulnerability was determined in Artifex MuPDF up to 1.28.0. The impacted element is the function fz_subset_cff_for_gids of the file subset-cff.c of the component CFF Index Handler. This manipulation causes out-of-bounds read. The attack can only be executed locally. The exploit has been publicly …

📅 Published: April 28, 2026, 6 a.m. 🔄 Last Modified: April 29, 2026, 3:15 p.m.

5.4

CVSS3.1

CVE-2026-5306 - Check & Log Email < 2.0.13 - Unauthenticated Stored XSS

The Check & Log Email WordPress plugin before 2.0.13 does not properly handle email replacement, which could allow unauthenticated users to perform Stored XSS attacks when the email encoder setting is enabled.

📅 Published: April 28, 2026, 6 a.m. 🔄 Last Modified: April 29, 2026, 1:30 a.m.

5.3

CVSS4.0

CVE-2026-7230 - SourceCodester Safety Anger Pad cross site scripting

A vulnerability was found in SourceCodester Safety Anger Pad 1.0. The affected element is an unknown function. The manipulation of the argument angerDisplay results in cross-site scripting. The attack may be performed remotely. The exploit has been made public and could be used.

📅 Published: April 28, 2026, 5:45 a.m. 🔄 Last Modified: April 29, 2026, 2:17 p.m.

5.3

CVSS4.0

CVE-2026-7229 - code-projects Coaching Management System POST reply.php sql injection

A vulnerability was found in code-projects Coaching Management System 1.0. This affects an unknown function of the file /cims/modules/admin/reply.php of the component POST Handler. Performing a manipulation of the argument complaintreply results in sql injection. It is possible to initiate the atta…

📅 Published: April 28, 2026, 5:30 a.m. 🔄 Last Modified: April 28, 2026, 12:33 p.m.

6.9

CVSS4.0

CVE-2026-7228 - SourceCodester Pizzafy Ecommerce System ajax.php get_cart_count sql injection

A flaw has been found in SourceCodester Pizzafy Ecommerce System 1.0. The affected element is the function get_cart_count of the file /admin/ajax.php?action=get_cart_count. Manipulation of the argument ID causes SQL injection. The attack can be carried out remotely. The exploit has …

📅 Published: April 28, 2026, 5:15 a.m. 🔄 Last Modified: April 28, 2026, 2:15 p.m.

6.9

CVSS4.0

CVE-2026-7227 - SourceCodester Pizzafy Ecommerce System ajax.php login sql injection

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is the function Login of the file /admin/ajax.php?action=login. The manipulation of the argument e-mail results in sql injection. The attack can be executed remotely. The exploit is now public and may be used.

📅 Published: April 28, 2026, 5 a.m. 🔄 Last Modified: April 29, 2026, 1 a.m.

6.6

CVSS3.1

CVE-2026-42510 - OpenStack Ironic: ipmitool: OpenStack Ironic: Arbitrary Code Execution via Remote Hardware Manageme…

OpenStack Ironic before 35.0.1 allows ipmitool execution in a non-default configuration that has a console interface.

📅 Published: April 28, 2026, 4:53 a.m. 🔄 Last Modified: April 30, 2026, 4:16 a.m.

Total results: 347837