4
CVE-2026-32776 - libexpat: libexpat: Denial of Service due to NULL pointer dereference
libexpat before 2.7.5 allows a NULL pointer dereference with empty external parameter entity content.
8.7
CVE-2026-25083 - Unauthorized Access to GROWI OpenAI Thread/Message APIs Exposes User Data
GROWI OpenAI thread/message API endpoints do not perform authorization. Affected are v7.4.5 and earlier versions. A logged-in user who knows a shared AI assistant's identifier may view and/or tamper with the other user's threads/messages.
5.1
CVE-2026-4222 - SSCMS download PathUtils.RemoveParentPath path traversal
A vulnerability was determined in SSCMS up to 7.4.0. This vulnerability affects the function PathUtils.RemoveParentPath of the file /api/admin/plugins/install/actions/download. This manipulation of the argument path causes path traversal. Remote exploitation of the attack is possible. The exploit h…
6.9
CVE-2026-4221 - Tiandy Easy7 Integrated Management Platform Endpoint uploadLedImage unrestricted upload
A vulnerability was found in Tiandy Easy7 Integrated Management Platform 7.17.0. This affects an unknown part of the file /rest/file/uploadLedImage of the component Endpoint. The manipulation of the argument File results in unrestricted upload. The attack may be launched remotely. The exploit has b…
7.4
CVE-2026-32775 - libexif: libexif: Buffer overwrite via integer underflow in MakerNotes decoding
libexif through 0.6.25 has a flaw in decoding MakerNotes. If the exif_mnote_data_get_value function is passed a size of 0, the passed-in buffer would be overwritten due to an integer underflow.
3.7
CVE-2025-71264 -
Mumble before 1.6.870 is prone to an out-of-bounds array access, which may result in denial of service (client crash).
6.9
CVE-2026-4220 - Technologies Integrated Management Platform SetWebpagePic.jsp unrestricted upload
A vulnerability has been found in Technologies Integrated Management Platform 7.17.0. Affected by this issue is some unknown functionality of the file /SetWebpagePic.jsp. The manipulation of the argument targetPath/Suffix leads to unrestricted upload. The attack may be initiated remotely. The explo…
4.8
CVE-2026-4219 - INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App ae.index.apgcs BuildConfig.java har…
A flaw has been found in INDEX Conferences & Exhibitions Organization YWF BPOF APGCS App up to 1.0.2 on Android. Affected by this vulnerability is an unknown functionality of the file com/index/event/BuildConfig.java of the component ae.index.apgcs. Executing a manipulation of the argument ACCESS_K…
2
CVE-2026-4218 - myAEDES App aedes.me.beta EngageBayUtils.java information disclosure
A vulnerability was detected in myAEDES App up to 1.18.4 on Android. Affected is an unknown function of the file aedes/me/beta/utils/EngageBayUtils.java of the component aedes.me.beta. Performing a manipulation of the argument AUTH_KEY results in information disclosure. The attack is only possible …
8.6
CVE-2026-31386 - Admin Command Injection Vulnerability in LiteSpeed OpenLiteSpeed and LSWS Enterprise
OpenLiteSpeed and LSWS Enterprise provided by LiteSpeed Technologies contain an OS command injection vulnerability. An arbitrary OS command may be executed by an attacker with the administrative privilege.