8.2
CVE-2026-24790 - Welker OdorEyes EcoSystem Pulse Bypass System with XL4 Controller Missing Authentication for Criticβ¦
The underlying PLC of the device can be remotely influenced, without proper safeguards or authentication.
7.5
CVE-2026-26048 - Jinan USR IOT Technology Limited (PUSR) USR-W610 Missing Authentication for Critical Function
The Wi-Fi router is vulnerable to de-authentication attacks due to the absence of management frame protection, allowing forged deauthentication and disassociation frames to be broadcast without authentication or encryption. An attacker can use this to cause unauthorized disruptions and create aβ¦
5.7
CVE-2026-26049 - Jinan USR IOT Technology Limited (PUSR) USR-W610 Insufficiently Protected Credentials
The web management interface of the device renders the passwords in a plaintext input field. The current password is directly visible to anyone with access to the UI, potentially exposing administrator credentials to unauthorized observation via shoulder surfing, screenshots, or browser form caβ¦
8.2
CVE-2026-2818 - Zip Slip Path Traversal in Snapshot Archive Extraction (Windows-Specific)
A zip-slip path traversal vulnerability in Spring Data Geode's import snapshot functionality allows attackers to write files outside the intended extraction directory. This vulnerability appears to be susceptible on Windows OS only.
5.3
CVE-2026-2849 - yeqifu warehouse Cache Sync CacheController.java syncCache access control
A vulnerability has been found in yeqifu warehouse up to aaf29962ba407d22d991781de28796ee7b4670e4. Affected by this issue is the function deleteCache/removeAllCache/syncCache of the file dataset\repos\warehouse\src\main\java\com\yeqifu\sys\controller\CacheController.java of the component Cache Syncβ¦
6.9
CVE-2026-2848 - SourceCodester Simple Responsive Tourism Website Registration Master.php sql injection
A flaw has been found in SourceCodester Simple Responsive Tourism Website 1.0. Affected by this vulnerability is an unknown functionality of the file /classes/Master.php?f=register of the component Registration. This manipulation of the argument Username causes sql injection. The attack may be initβ¦
7.5
CVE-2026-24455 - Jinan USR IOT Technology Limited (PUSR) USR-W610 Cleartext Transmission of Sensitive Information
The embedded web interface of the device does not support HTTPS/TLS for authentication and uses HTTP Basic Authentication. Traffic is encoded but not encrypted, exposing user credentials to passive interception by attackers on the same network.
9.8
CVE-2026-25715 - Jinan USR IOT Technology Limited (PUSR) USR-W610 Weak Password Requirements
The web management interface of the device allows the administrator username and password to be set to blank values. Once applied, the device permits authentication with empty credentials over the web management interface and Telnet service. This effectively disables authentication across all cβ¦
7.1
CVE-2026-27072 - WordPress PixelYourSite β Your smart PIXEL (TAG) Manager plugin <= 11.2.0.1 - Cross Site Scripting β¦
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in PixelYourSite PixelYourSite β Your smart PIXEL (TAG) Manager pixelyoursite allows Stored XSS.This issue affects PixelYourSite β Your smart PIXEL (TAG) Manager: from n/a through <= 11.2.0.1.
8.5
CVE-2026-24959 - WordPress JS Help Desk plugin <= 3.0.1 - SQL Injection vulnerability
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in JoomSky JS Help Desk js-support-ticket allows Blind SQL Injection.This issue affects JS Help Desk: from n/a through <= 3.0.1.