5.1
CVE-2026-29520 - Hereta ETH-IMC408M Reflected XSS via ping_ipaddr Parameter
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a reflected cross-site scripting vulnerability in the Network Diagnosis ping function that allows attackers to execute arbitrary JavaScript. Attackers can craft malicious links with injected script payloads in the ping_ipaddr parameter to…
5.1
CVE-2026-29521 - Hereta ETH-IMC408M CSRF via Configuration Setup
Hereta ETH-IMC408M firmware version 1.0.15 and prior contain a cross-site request forgery vulnerability that allows attackers to modify device configuration by exploiting missing CSRF protections in setup.cgi. Attackers can host malicious pages that submit forged requests using automatically-includ…
9.3
CVE-2026-4252 - Tenda AC8 IPv6 check_is_ipv6 ip address for authentication
A vulnerability was identified in Tenda AC8 16.03.50.11. Affected by this issue is the function check_is_ipv6 of the component IPv6 Handler. The manipulation leads to reliance on IP address for authentication. It is possible to initiate the attack remotely. The exploit is publicly available and mig…
6.8
CVE-2026-4270 - AWS API MCP File Access Restriction Bypass
Improper Protection of Alternate Path exists in the no-access and workdir feature of the AWS API MCP Server versions >= 0.2.14 and < 1.3.9 on all platforms and may allow the bypass of intended file access restriction and expose arbitrary local file contents in the MCP client application context. To re…
2
CVE-2026-4251 - CityData CityChat ai.citydata.citychat credentials.json credentials storage
A vulnerability was determined in CityData CityChat up to 0.12.6 on Android. Affected by this vulnerability is an unknown functionality of the file resources/assets/flutter_assets/assets/credentials.json of the component ai.citydata.citychat. Executing a manipulation can lead to unprotected storage…
2
CVE-2026-4250 - Albert Sağlık Hizmetleri ve Ticaret Albert Health Google Cloud Service Account Key service-account.…
A vulnerability was found in Albert Sağlık Hizmetleri ve Ticaret Albert Health up to 1.7.3 on Android. Affected is an unknown function of the file resources/assets/service-account.json of the component Google Cloud Service Account Key Handler. Performing a manipulation results in unprotected storag…
7.5
CVE-2026-4276 - LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to f…
LibreChat RAG API, version 0.7.0, contains a log-injection vulnerability that allows attackers to forge log entries.
9.8
CVE-2025-62319 - Boolean-Based SQL Injection in Multiple Unica Components
Boolean-Based SQL Injection is a type of blind SQL injection where an attacker manipulates SQL queries by injecting Boolean conditions (TRUE or FALSE) into application input fields. Instead of returning database errors or visible data, the application responds differently depending on whether the i…
5.4
CVE-2026-32587 - WordPress WP EasyPay plugin <= 4.2.11 - Broken Access Control vulnerability
Missing Authorization vulnerability in Saad Iqbal WP EasyPay allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects WP EasyPay: from n/a through 4.2.11.
5.3
CVE-2026-32583 - WordPress Modern Events Calendar plugin <= 7.29.0 - Broken Access Control vulnerability
Missing Authorization vulnerability in Webnus Inc. Modern Events Calendar allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Modern Events Calendar: from n/a through 7.29.0.