9.3

CVSS4.0

CVE-2026-5976 - Totolink A7100RU CGI cstecgi.cgi setStorageCfg os command injection

A security flaw has been discovered in Totolink A7100RU 7.4cu.2313_b20191024. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sambaEnabled results in os command injection. It is possible to initiate the…

📅 Published: April 9, 2026, 8 p.m. 🔄 Last Modified: April 13, 2026, 8:21 p.m.

9.3

CVSS4.0

CVE-2025-13926 - Contemporary Controls BASC 20T Reliance on Untrusted Inputs in a Security Decision

An attacker could use data obtained by sniffing the network traffic to forge packets in order to make arbitrary requests to Contemporary Controls BASC 20T.

📅 Published: April 9, 2026, 7:47 p.m. 🔄 Last Modified: April 13, 2026, 3:02 p.m.

2.3

CVSS4.0

CVE-2026-5187 - Heap Out-of-Bounds Write in DecodeObjectId() in wolfSSL

Two potential heap out-of-bounds write locations existed in DecodeObjectId() in wolfcrypt/src/asn.c. First, a bounds check only validates one available slot before writing two OID arc values (out[0] and out[1]), enabling a 2-byte out-of-bounds write when outSz equals 1. Second, multiple callers pas…

📅 Published: April 9, 2026, 7:45 p.m. 🔄 Last Modified: April 16, 2026, 8:39 p.m.

9.3

CVSS4.0

CVE-2026-5975 - Totolink A7100RU CGI cstecgi.cgi setDmzCfg os command injection

A vulnerability was identified in Totolink A7100RU 7.4cu.2313_b20191024. The impacted element is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument wanIdx leads to os command injection. The attack may be performed from remote. The…

📅 Published: April 9, 2026, 7:45 p.m. 🔄 Last Modified: April 13, 2026, 3:02 p.m.

9.7

CVSS3.1

CVE-2026-40088 - Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection') in prais…

PraisonAI is a multi-agent teams system. Prior to 4.5.121, the execute_command function and workflow shell execution are exposed to user-controlled input via agent workflows, YAML definitions, and LLM-generated tool calls, allowing attackers to inject arbitrary shell commands through shell metachar…

📅 Published: April 9, 2026, 7:45 p.m. 🔄 Last Modified: April 16, 2026, 8:40 p.m.

9.9

CVSS3.1

CVE-2026-40089 - Sonicverse has Server-Side Request Forgery via user-controlled URLs in dashboard API client

Sonicverse is a Self-hosted Docker Compose stack for live radio streaming. The Sonicverse Radio Audio Streaming Stack dashboard contains a Server-Side Request Forgery (SSRF) vulnerability in its API client (apps/dashboard/lib/api.ts). Installations created using the provided install.sh script (incl…

📅 Published: April 9, 2026, 7:43 p.m. 🔄 Last Modified: April 13, 2026, 8:20 p.m.

6.8

CVSS3.1

CVE-2026-35577 - Missing Host Header Validation in Apollo MCP Server for Localhost Deployments

Apollo MCP Server is a Model Context Protocol server that exposes GraphQL operations as MCP tools. Prior to version 1.7.0, the Apollo MCP Server did not validate the Host header on incoming HTTP requests when using StreamableHTTP transport. In configurations where an HTTP-based MCP server is run on…

📅 Published: April 9, 2026, 7:40 p.m. 🔄 Last Modified: April 17, 2026, 5:31 p.m.

6.5

CVSS3.1

CVE-2026-34500 - Apache Tomcat: OCSP checks sometimes soft-fail with FFM even when soft-fail is disabled

CLIENT_CERT authentication does not fail as expected for some scenarios when soft fail is disabled and FFM is used in Apache Tomcat. This issue affects Apache Tomcat: from 11.0.0-M14 through 11.0.20, from 10.1.22 through 10.1.53, from 9.0.92 through 9.0.116. Users are recommended to upgrade to ve…

📅 Published: April 9, 2026, 7:36 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.

7.5

CVSS3.1

CVE-2026-34487 - Apache Tomcat: Cloud membership for clustering component exposed the Kubernetes bearer token

Insertion of Sensitive Information into Log File vulnerability in the cloud membership for clustering component of Apache Tomcat exposed the Kubernetes bearer token. This issue affects Apache Tomcat: from 11.0.0-M1 through 11.0.20, from 10.1.0-M1 through 10.1.53, from 9.0.13 through 9.0.116. User…

📅 Published: April 9, 2026, 7:36 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.

7.5

CVSS3.1

CVE-2026-34486 - Apache Tomcat: Fix for CVE-2026-29146 allowed bypass of EncryptInterceptor

Missing Encryption of Sensitive Data vulnerability in Apache Tomcat due to the fix for CVE-2026-29146 allowing the bypass of the EncryptInterceptor. This issue affects Apache Tomcat: 11.0.20, 10.1.53, 9.0.116. Users are recommended to upgrade to version 11.0.21, 10.1.54 or 9.0.117, which fix the …

📅 Published: April 9, 2026, 7:35 p.m. 🔄 Last Modified: April 14, 2026, 4:36 p.m.