jell.ie CVEs
Read at: 2026-03-05T07:22:11+00:00
CVE ID : CVE-2026-30777
Published : 5 maart 2026 05:31 | 14 minuten ago
Description : EC-CUBE provided by EC-CUBE CO.,LTD. contains a multi-factor authentication (MFA) bypass vulnerability. An attacker who has obtained a valid administrator ID and password may be able to bypass two-factor authentication and gain unauthorized access to the administrative page.
Severity: 6.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-27982
Published : 5 maart 2026 05:31 | 15 minuten ago
Description : An open redirect vulnerability exists in django-allauth versions prior to 65.14.1 when SAML IdP initiated SSO is enabled (it is disabled by default), which may allow an attacker to redirect users to an arbitrary external website via a crafted URL.
Severity: 5.1 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-3072
Published : 5 maart 2026 05:26 | 19 minuten ago
Description : The Media Library Assistant plugin for WordPress is vulnerable to unauthorized modification of data due to a missing capability check on the mla_update_compat_fields_action() function in all versions up to, and including, 3.33. This makes it possible for authenticated attackers, with Subscriber-level access and above, to modify taxonomy terms on arbitrary attachments.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-3523
Published : 5 maart 2026 05:16 | 29 minuten ago
Description : The Apocalypse Meow plugin for WordPress is vulnerable to SQL Injection via the 'type' parameter in all versions up to, and including, 22.1.0. This is due to a flawed logical operator in the type validation check on line 261 of ajax.php — the condition uses `&&` (AND) instead of `||` (OR), causing the `in_array()` validation to be short-circuited and never evaluated for any non-empty type value. Combined with `stripslashes_deep()` being called on line 101 which removes `wp_magic_quotes()` protection, attacker-controlled single quotes pass through unescaped into the SQL query on line 298. This makes it possible for authenticated attackers, with Administrator-level access and above, to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.
Severity: 4.9 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29128
Published : 5 maart 2026 05:12 | 33 minuten ago
Description : IDC SFX2100 Satellite Receiver firmware ships with multiple daemon configuration files for routing components (e.g., zebra, bgpd, ospfd, and ripd) that are owned by root but world-readable. The configuration files (e.g., zebra.conf, bgpd.conf, ospfd.conf, ripd.conf) contain hardcoded or otherwise insecure plaintext passwords (including “enable”/privileged-mode credentials). A remote actor is able to abuse the reuse/hardcoded nature of these credentials to further access other systems in the network, gain a foothold on the satellite receiver or potentially locally privilege escalate.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-3034
Published : 5 maart 2026 04:15 | 1 uur, 30 minuten ago
Description : The OoohBoi Steroids for Elementor plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the _ob_spacerat_link, _ob_bbad_link, and _ob_teleporter_link URL parameters in all versions up to, and including, 2.1.24. This makes it possible for authenticated attackers, with Contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user clicks on the injected element.
Severity: 6.4 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2899
Published : 5 maart 2026 04:15 | 1 uur, 30 minuten ago
Description : The Fluent Forms Pro Add On Pack plugin for WordPress is vulnerable to Missing Authorization in all versions up to, and including, 6.1.17. This is due to the `deleteFile()` method in the `Uploader` class lacking nonce verification and capability checks. The AJAX action is registered via `addPublicAjaxAction()` which creates both `wp_ajax_` and `wp_ajax_nopriv_` hooks. This makes it possible for unauthenticated attackers to delete arbitrary WordPress media attachments via the `attachment_id` parameter.
Note: The researcher described file deletion via the `path` parameter using `sanitize_file_name()`, but the actual code uses `Protector::decrypt()` for path-based deletion which prevents exploitation. The vulnerability is exploitable via the `attachment_id` parameter instead.
Severity: 6.5 | MEDIUM
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2365
Published : 5 maart 2026 04:15 | 1 uur, 30 minuten ago
Description : The Fluent Forms Pro plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the `fluentform_step_form_save_data` AJAX action in all versions up to, and including, 6.1.17. This is due to the draft form submission endpoint being publicly accessible without authentication or nonce verification, combined with insufficient input sanitization and output escaping of form field data. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever an administrator views a partial form entry.
Severity: 7.2 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26033
Published : 5 maart 2026 03:15 | 2 uur, 30 minuten ago
Description : UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Unquoted Search Path or Element (CWE-428) vulnerability, which allows a user with write access to a directory on the system drive to execute arbitrary code with SYSTEM privileges.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29127
Published : 5 maart 2026 03:15 | 2 uur, 30 minuten ago
Description : The IDC SFX2100 Satellite Receiver sets overly permissive file system permissions on the monitor user's home directory. The directory is configured with permissions 0777, granting read, write, and execute access to all local users on the system, which may cause local privilege escalation depending on conditions of the system due to the presence of highly privileged processes and binaries residing within the affected directory.
Severity: 9.2 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-26034
Published : 5 maart 2026 03:15 | 2 uur, 30 minuten ago
Description : UPS Multi-UPS Management Console (MUMC) version 01.06.0001 (A03) contains an Incorrect Default Permissions (CWE-276) vulnerability that allows an attacker to execute arbitrary code with SYSTEM privileges by causing the application to load a specially crafted DLL.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2024-57854
Published : 5 maart 2026 03:15 | 2 uur, 30 minuten ago
Description : Net::NSCA::Client versions through 0.009002 for Perl uses a poor random number generator.
Version v0.003 switched to use Data::Rand::Obscure instead of Crypt::Random for generation of a random initialisation vectors.
Data::Rand::Obscure uses Perl's built-in rand() function, which is not suitable for cryptographic functions.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-3381
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : Compress::Raw::Zlib versions through 2.219 for Perl use potentially insecure versions of zlib.
Compress::Raw::Zlib includes a copy of the zlib library. Compress::Raw::Zlib version 2.220 includes zlib 1.3.2, which addresses findings fron the 7ASecurity audit of zlib. The includes fixs for CVE-2026-27171.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-3257
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : UnQLite versions through 0.06 for Perl uses a potentially insecure version of the UnQLite library.
UnQLite for Perl embeds the UnQLite library. Version 0.06 and earlier of the Perl module uses a version of the library from 2014 that may be vulnerable to a heap-based overflow.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29122
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : International Data Casting (IDC) SFX2100 satellite receiver comes with the `/bin/date` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system. This allows an actor to be able to read any root read-only files, such as the /etc/shadow file or other configuration/secrets carrier files.
Severity: 8.3 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29123
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : A SUID root-owned binary in /home/xd/terminal/XDTerminal in International Data Casting (IDC) SFX2100 on Linux allows a local actor to potentially preform local privilege escalation depending on conditions of the system via execution of the affected SUID binary. This can be via PATH hijacking, symlink abuse or shared object hijacking.
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29125
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : IDC SFX2100 Satalite Recievers set the `/etc/resolv.conf` file to be world-writable by any local user, allowing DNS resolver tampering that can redirect network communications, facilitate man-in-the-middle attacks, and cause denial of service.
Severity: 7.1 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29126
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : Incorrect permission assignment (world-writable file) in /etc/udhcpc/default.script in International Data Casting (IDC) SFX2100 Satellite Receiver allows a local unprivileged attacker to potentially execute arbitrary commands with root privileges (local privilege escalation and persistence) via modification of a root-owned, world-writable BusyBox udhcpc DHCP event script, which is executed when a DHCP lease is obtained, renewed, or lost.
Severity: 8.5 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29124
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : Multiple SUID root-owned binaries are found in /home/monitor/terminal, /home/monitor/kore-terminal, /home/monitor/IDE-DPack/terminal-dpack, and /home/monitor/IDE-DPack/terminal-dpack2 in International Data Casting (IDC) SFX2100 Satellite Receiver, which may lead to local privlidge escalation from the `monitor` user to root
Severity: 8.6 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40931
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : Apache::Session::Generate::MD5 versions through 1.94 for Perl create insecure session id.
Apache::Session::Generate::MD5 generates session ids insecurely. The default session id generator returns a MD5 hash seeded with the built-in rand() function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage. Predicable session ids could allow an attacker to gain access to systems.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2025-40926
Published : 5 maart 2026 02:16 | 3 uur, 29 minuten ago
Description : Plack::Middleware::Session::Simple versions through 0.04 for Perl generates session ids insecurely.
The default session id generator returns a SHA-1 hash seeded with the built-in rand function, the epoch time, and the PID. The PID will come from a small set of numbers, and the epoch time may be guessed, if it is not leaked from the HTTP Date header. The built-in rand function is unsuitable for cryptographic usage.
Predicable session ids could allow an attacker to gain access to systems.
Plack::Middleware::Session::Simple is intended to be compatible with Plack::Middleware::Session, which had a similar security issue CVE-2025-40923.
Severity: 0.0 | NA
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-29121
Published : 5 maart 2026 01:15 | 4 uur, 30 minuten ago
Description : International Data Casting (IDC) SFX2100 satellite receiver comes with the `/sbin/ip` utility installed with the setuid bit set. This configuration grants elevated privileges to any local user who can execute the binary. A local actor is able to use the GTFObins resource to preform privileged file reads as the root user on the local file system and may potentially lead to other avenues for preforming privileged actions.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2836
Published : 5 maart 2026 00:15 | 5 uur, 30 minuten ago
Description : A cache poisoning vulnerability has been found in the Pingora HTTP proxy framework’s default cache key construction. The issue occurs because the default HTTP cache key implementation generates cache keys using only the URI path, excluding critical factors such as the host header (authority). Operators relying on the default are vulnerable to cache poisoning, and cross-origin responses may be improperly served to users.
Impact
This vulnerability affects users of Pingora's alpha proxy caching feature who relied on the default CacheKey implementation. An attacker could exploit this for:
* Cross-tenant data leakage: In multi-tenant deployments, poison the cache so that users from one tenant receive cached responses from another tenant
* Cache poisoning attacks: Serve malicious content to legitimate users by poisoning shared cache entries
Cloudflare's CDN infrastructure was not affected by this vulnerability, as Cloudflare's default cache key implementation uses multiple factors to prevent cache key poisoning and never made use of the previously provided default.
Mitigation:
We strongly recommend Pingora users to upgrade to Pingora v0.8.0 or higher, which removes the insecure default cache key implementation. Users must now explicitly implement their own callback that includes appropriate factors such as Host header, origin server HTTP scheme, and other attributes their cache should vary on.
Pingora users on previous versions may also remove any of their default CacheKey usage and implement their own that should at minimum include the host header / authority and upstream peer’s HTTP scheme.
Severity: 8.4 | HIGH
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2835
Published : 5 maart 2026 00:15 | 5 uur, 30 minuten ago
Description : An HTTP Request Smuggling vulnerability (CWE-444) has been found in Pingora's parsing of HTTP/1.0 and Transfer-Encoding requests. The issue occurs due to improperly allowing HTTP/1.0 request bodies to be close-delimited and incorrect handling of multiple Transfer-Encoding values, allowing attackers to send HTTP/1.0 requests in a way that would desync Pingora’s request framing from backend servers’.
Impact
This vulnerability primarily affects standalone Pingora deployments in front of certain backends that accept HTTP/1.0 requests. An attacker could craft a malicious payload following this request that Pingora forwards to the backend in order to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as its ingress proxy layers forwarded HTTP/1.1 requests only, rejected ambiguous framing such as invalid Content-Length values, and forwarded a single Transfer-Encoding: chunked header for chunked requests.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher that fixes this issue by correctly parsing message length headers per RFC 9112 and strictly adhering to more RFC guidelines, including that HTTP request bodies are never close-delimited.
As a workaround, users can reject certain requests with an error in the request filter logic in order to stop processing bytes on the connection and disable downstream connection reuse. The user should reject any non-HTTP/1.1 request, or a request that has invalid Content-Length, multiple Transfer-Encoding headers, or Transfer-Encoding header that is not an exact “chunked” string match.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
CVE ID : CVE-2026-2833
Published : 5 maart 2026 00:15 | 5 uur, 30 minuten ago
Description : An HTTP request smuggling vulnerability (CWE-444) was found in Pingora's handling of HTTP/1.1 connection upgrades. The issue occurs when a Pingora proxy reads a request containing an Upgrade header, causing the proxy to pass through the rest of the bytes on the connection to a backend before the backend has accepted the upgrade. An attacker can thus directly forward a malicious payload after a request with an Upgrade header to that backend in a way that may be interpreted as a subsequent request header, bypassing proxy-level security controls and enabling cross-user session hijacking.
Impact
This vulnerability primarily affects standalone Pingora deployments where a Pingora proxy is exposed to external traffic. An attacker could exploit this to:
* Bypass proxy-level ACL controls and WAF logic
* Poison caches and upstream connections, causing subsequent requests from legitimate users to receive responses intended for smuggled requests
* Perform cross-user attacks by hijacking sessions or smuggling requests that appear to originate from the trusted proxy IP
Cloudflare's CDN infrastructure was not affected by this vulnerability, as ingress proxies in the CDN stack maintain proper HTTP parsing boundaries and do not prematurely switch to upgraded connection forwarding mode.
Mitigation:
Pingora users should upgrade to Pingora v0.8.0 or higher
As a workaround, users may return an error on requests with the Upgrade header present in their request filter logic in order to stop processing bytes beyond the request header and disable downstream connection reuse.
Severity: 9.3 | CRITICAL
Visit the link for more details, such as CVSS details, affected products, timeline, and more...
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Bongeun Koo (@kiddo_pwn)' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Gu YongZeng (@0x0dee)' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Bongeun Koo (@kiddo_pwn)' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-03-04, 1 days ago. The vendor is given until 2026-07-02 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71215.
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Docker Desktop. An attacker must first obtain the ability to execute low-privileged code on the target guest system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2026-28400.
A CVSS score 7.6
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:L/A:L severity vulnerability discovered by 'kaijieguigui' was reported to the affected vendor on: 2026-03-03, 2 days ago. The vendor is given until 2026-07-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.3
AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Xavier DANEST' was reported to the affected vendor on: 2026-03-03, 2 days ago. The vendor is given until 2026-07-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peikai Li' was reported to the affected vendor on: 2026-03-03, 2 days ago. The vendor is given until 2026-07-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71214.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71216.
A CVSS score 7.5
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Zeeshan Shaikh (@bugzzzhunter)' was reported to the affected vendor on: 2026-03-03, 2 days ago. The vendor is given until 2026-07-01 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.4. The following CVEs are assigned: CVE-2025-71205.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71212.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.4. The following CVEs are assigned: CVE-2025-71206.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of LangChain LangGraph. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2026-27794.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-71210.
This vulnerability allows local attackers to create a denial-of-service condition on affected installations of Trend Micro Cleaner One Pro. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.0. The following CVEs are assigned: CVE-2025-71218.
This vulnerability allows remote attackers to bypass authentication on affected installations of Hewlett Packard Enterprise AutoPass License Server. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.3. The following CVEs are assigned: CVE-2026-23600.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71213.
This vulnerability allows network-adjacent attackers to execute arbitrary code on affected installations of Music Assistant. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.8. The following CVEs are assigned: CVE-2026-26975.
This vulnerability allows remote attackers to escalate privileges on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-71208.
This vulnerability allows remote attackers to escalate privileges on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 8.1. The following CVEs are assigned: CVE-2025-71209.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of Trend Micro Apex Central. Authentication is required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 4.4. The following CVEs are assigned: CVE-2025-71207.
This vulnerability allows local attackers to escalate privileges on affected installations of Trend Micro Apex One Security Agent. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2025-71217.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of Trend Micro Apex One. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-71211.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Rocco Calvi (@TecR0c) with TecSecurity' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.0
AV:L/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Zeeshan Shaikh (@bugzzzhunter)' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 4.7
AV:L/AC:H/PR:L/UI:N/S:U/C:N/I:N/A:H severity vulnerability discovered by 'hamdi' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'maxpl0it' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'rgod' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Lays (@_L4ys) of TRAPA Security' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Nicola Stauffer' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'Jonathan Lein of TrendAI Research' was reported to the affected vendor on: 2026-03-02, 3 days ago. The vendor is given until 2026-06-30 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Dre Cura (@dre_cura) and Nicholas Zubrisky (@NZubrisky) of TrendAI Research' was reported to the affected vendor on: 2026-02-26, 7 days ago. The vendor is given until 2026-06-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.5
AV:L/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'GangMin Kim' was reported to the affected vendor on: 2026-02-26, 7 days ago. The vendor is given until 2026-06-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Dre Cura (@dre_cura) and Nicholas Zubrisky (@NZubrisky) of TrendAI Research' was reported to the affected vendor on: 2026-02-26, 7 days ago. The vendor is given until 2026-06-26 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:H/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Marcin Wiazowski' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'khongtrang' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:L/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Nitesh Surana (niteshsurana.com) of TrendAI Research' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'khongtrang' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 5.3
AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Peter Girnus (@gothburz), Demeng Chen (@DemengChen233), Project AESIR with TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to escalate privileges on affected installations of Siemens SINEC NMS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-25655.
A CVSS score 7.8
AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'khongtrang' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to disclose sensitive information on affected installations of Docker Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2026-2664.
This vulnerability allows network-adjacent attackers to downgrade the communication protocol on affected installations of Ubiquiti Networks AI Pro. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.4. The following CVEs are assigned: CVE-2026-21633.
This vulnerability allows network-adjacent attackers to disclose sensitive information on affected installations of Ubiquiti Networks AI Pro. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.3. The following CVEs are assigned: CVE-2026-21633.
This vulnerability allows network-adjacent attackers to create a denial-of-service condition on affected installations of Ubiquiti Networks AI Pro. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.5. The following CVEs are assigned: CVE-2026-21634.
This vulnerability allows remote attackers to disclose sensitive information on affected installations of IceWarp. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.5. The following CVEs are assigned: CVE-2026-2493.
A CVSS score 8.8
AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to escalate privileges on affected installations of Siemens SINEC NMS. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 7.8. The following CVEs are assigned: CVE-2026-25656.
This vulnerability allows network-adjacent attackers to bypass authentication on affected installations of Socomec DIRIS A-40 power monitoring devices. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 6.3. The following CVEs are assigned: CVE-2026-2491.
This vulnerability allows remote attackers to execute arbitrary code on affected installations of claude-hovercraft. Authentication is not required to exploit this vulnerability. The ZDI has assigned a CVSS rating of 9.8. The following CVEs are assigned: CVE-2025-15060.
A CVSS score 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Bobby Gould (@bobbygould5) of Trend Zero Day Initiative' was reported to the affected vendor on: 2026-02-25, 8 days ago. The vendor is given until 2026-06-25 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Nicholas Zubrisky (@NZubrisky) of TrendAI Research' was reported to the affected vendor on: 2026-02-24, 9 days ago. The vendor is given until 2026-06-24 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mark Vincent Yason (markyason.github.io)' was reported to the affected vendor on: 2026-02-24, 9 days ago. The vendor is given until 2026-06-24 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Anonymous' was reported to the affected vendor on: 2026-02-24, 9 days ago. The vendor is given until 2026-06-24 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.6
AV:L/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus (@gothburz), Demeng Chen (@DemengChen233), Project AESIR with TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-24, 9 days ago. The vendor is given until 2026-06-24 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael Argany of TrendAI Research' was reported to the affected vendor on: 2026-02-23, 10 days ago. The vendor is given until 2026-06-23 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.8
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael Argany of TrendAI Research' was reported to the affected vendor on: 2026-02-23, 10 days ago. The vendor is given until 2026-06-23 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
This vulnerability allows local attackers to disclose sensitive information on affected installations of Docker Desktop. An attacker must first obtain the ability to execute low-privileged code on the target system in order to exploit this vulnerability. The ZDI has assigned a CVSS rating of 5.5.
A CVSS score 7.5
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 9.8
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus (@gothburz), Demeng Chen (@DemengChen233), Project AESIR with TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 8.1
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Peter Girnus (@gothburz), Demeng Chen (@DemengChen233), Project AESIR with TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 9.3
AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N severity vulnerability discovered by 'Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 6.5
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N severity vulnerability discovered by 'Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.4
AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N severity vulnerability discovered by 'Peter Girnus (@gothburz) and Project AESIR of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-20, 13 days ago. The vendor is given until 2026-06-20 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Mat Powell of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-19, 14 days ago. The vendor is given until 2026-06-19 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 7.8
AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H severity vulnerability discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-19, 14 days ago. The vendor is given until 2026-06-19 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
A CVSS score 3.3
AV:L/AC:L/PR:N/UI:R/S:U/C:L/I:N/A:N severity vulnerability discovered by 'Michael DePlante (@izobashi) of TrendAI Zero Day Initiative' was reported to the affected vendor on: 2026-02-19, 14 days ago. The vendor is given until 2026-06-19 to publish a fix or workaround. Once the vendor has created and tested a patch we will coordinate the release of a public advisory.
count: 100