7.3

CVSS4.0

CVE-2026-32649 - Milesight Cameras OS Command Injection

A command injection vulnerability exists in the web server of specific firmware versions of Milesight cameras.

📅 Published: April 27, 2026, 11:42 p.m. 🔄 Last Modified: April 28, 2026, 2:42 p.m.

9.2

CVSS4.0

CVE-2026-32644 - Milesight Cameras Use of Hard-coded Cryptographic Key

Specific firmware versions of Milesight AIOT cameras use SSL certificates with default private keys.

📅 Published: April 27, 2026, 11:40 p.m. 🔄 Last Modified: April 28, 2026, 2:45 p.m.

7.7

CVSS4.0

CVE-2026-27785 - Milesight Cameras Use of Hard-coded Credentials

Specific firmware versions of Milesight AIOT camera firmware contain hard-coded credentials.

📅 Published: April 27, 2026, 11:38 p.m. 🔄 Last Modified: April 28, 2026, 9:16 a.m.

4.7

CVSS3.1

CVE-2026-40977 - Spring Boot: Local file corruption via PID file manipulation

When an application is configured to use `ApplicationPidFileWriter`, a local attacker with write access to the PID file's location can corrupt one file on the host each time the application is started. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.…

📅 Published: April 27, 2026, 11:36 p.m. 🔄 Last Modified: April 30, 2026, 1:37 p.m.

9.1

CVSS3.1

CVE-2026-40976 - Default Web Security Misconfiguration in Spring Boot

In certain circumstances, Spring Boot's default web security is ineffective, allowing unauthorized access to all endpoints. For an application to be vulnerable, it must: be a servlet-based web application; have no Spring Security configuration of its own and rely on the default web security filter c…

📅 Published: April 27, 2026, 11:34 p.m. 🔄 Last Modified: April 30, 2026, 1:54 p.m.

4.8

CVSS3.1

CVE-2026-40975 - Weak Random Number Generator Used for Secrets in Spring Boot

Values produced by `${random.value}` are not suitable for use as secrets. `${random.uuid}` is not affected. `${random.int}` and `${random.long}` should never be used for secrets as they are numeric values with a predictable range. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3…

📅 Published: April 27, 2026, 11:32 p.m. 🔄 Last Modified: April 30, 2026, 1:57 p.m.

5

CVSS3.1

CVE-2026-40974 - Cassandra SSL Hostname Verification Bypass in Spring Boot Auto-Configuration

Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra. Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra S…

📅 Published: April 27, 2026, 11:31 p.m. 🔄 Last Modified: April 28, 2026, 7:45 p.m.

5.3

CVSS4.0

CVE-2026-7200 - SourceCodester Pharmacy Sales and Inventory System index.php cross site scripting

A flaw has been found in SourceCodester Pharmacy Sales and Inventory System 1.0. Affected by this issue is some unknown functionality of the file /index.php?page=types. Executing a manipulation of the argument ID can lead to cross site scripting. It is possible to launch the attack remotely. The ex…

📅 Published: April 27, 2026, 11:30 p.m. 🔄 Last Modified: April 28, 2026, 2 a.m.

7

CVSS3.1

CVE-2026-40973 - Local Directory Control Enables Session Hijacking and Code Execution in Spring Boot

A local attacker on the same host as the application may be able to take control of the directory used by `ApplicationTemp`. When `server.servlet.session.persistent` is set to `true` and the attack persists across application restarts, this may allow the attacker to read session information and hij…

📅 Published: April 27, 2026, 11:29 p.m. 🔄 Last Modified: April 30, 2026, 2:25 p.m.

6.9

CVSS4.0

CVE-2026-41372 - OpenClaw < 2026.4.2 - Loopback Protection Bypass via Trailing-Dot Localhost in CDP Discovery

OpenClaw before 2026.4.2 fails to normalize trailing-dot localhost hosts in remote CDP discovery responses, allowing bypass of loopback protections. Attackers can craft hostile discovery responses returning `localhost.` to retarget authenticated browser control toward localhost endpoints and expose b…

📅 Published: April 27, 2026, 11:24 p.m. 🔄 Last Modified: April 28, 2026, 2:42 p.m.