VulDB Recent Entries

A vulnerability was found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1 and classified as critical. Impacted is an unknown function of the file delete.php. Executing a manipulation of the argument user_id/course_id/teacher_id/student_id/application_id can lead to sql injection. The identification of this vulnerability is CVE-2026-10226. The attack may be launched remotely. Furthermore, there is an exploit available. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability has been found in raisulislamg4 student_management_system_by_php up to 310d950e09013d5133c6b9210aff9444382d16d1 and classified as critical. This issue affects some unknown processing of the file login_check.php of the component Login. Performing a manipulation of the argument Username results in sql injection. This vulnerability was named CVE-2026-10225. The attack may be initiated remotely. In addition, an exploit is available. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability, which was classified as problematic, was found in NousResearch hermes-agent up to 2026.4.30. This vulnerability affects the function _handle_webhook_request of the file gateway/platforms/feishu.py of the component Webhook Endpoint. Such manipulation leads to resource consumption. This vulnerability is uniquely identified as CVE-2026-10224. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in NousResearch hermes-agent up to 2026.4.30. This affects the function _scan_memory_content of the file tools/memory_tool.py. This manipulation causes injection. This vulnerability is handled as CVE-2026-10223. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical was found in NousResearch hermes-agent up to 2026.4.30. Affected by this issue is the function _sanitize_env_lines of the file hermes_cli/config.py. The manipulation results in injection. This vulnerability is known as CVE-2026-10222. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in NousResearch hermes-agent up to 0.12.0. Affected by this vulnerability is the function _compress_context of the file run_agent.py. The manipulation leads to injection. This vulnerability is traded as CVE-2026-10221. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as critical has been identified in NousResearch hermes-agent up to 2026.4.30. Affected is the function _serve_plugin_skill/skill_view of the file tools/skills_tool.py. Executing a manipulation can lead to injection. This vulnerability appears as CVE-2026-10220. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability marked as critical has been reported in nextlevelbuilder GoClaw up to 3.11.3. This impacts the function FsBridge.WriteFile of the file internal/sandbox/fsbridge.go of the component write_file Tool. Performing a manipulation results in os command injection. This vulnerability is reported as CVE-2026-10219. The attack is possible to be carried out remotely. Moreover, an exploit is present. The pull request to fix this issue awaits acceptance.

A vulnerability labeled as critical has been found in nextlevelbuilder GoClaw up to 3.11.3. This affects the function auth of the file internal/http/evolution_handlers.go. Such manipulation leads to improper authorization. This vulnerability is documented as CVE-2026-10218. The attack can be executed remotely. Additionally, an exploit exists. The project tagged the reported issue as bug.

A vulnerability identified as critical has been detected in nextlevelbuilder GoClaw up to 3.11.3. The impacted element is the function handleSave of the file internal/http/tts_config.go of the component RoleAdmin Gateway. This manipulation causes improper privilege management. This vulnerability is registered as CVE-2026-10217. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The project tagged the reported issue as bug.

A vulnerability categorized as problematic has been discovered in unitedbyai droidclaw up to 0.5.3. The affected element is an unknown function of the file server/src/routes/pairing.ts of the component claim Endpoint. The manipulation results in improper restriction of excessive authentication attempts. This vulnerability is cataloged as CVE-2026-10216. The attack may be launched remotely. Furthermore, there is an exploit available. The project was informed of the problem early through an issue report but has not responded yet.

A vulnerability was found in Dolibarr ERP CRM up to 23.0.1. It has been rated as critical. Impacted is the function checkUserAccessToObject of the file htdocs/holiday/class/api_holidays.class.php of the component Leave Request REST API. The manipulation leads to improper authorization. This vulnerability is listed as CVE-2026-10215. The attack may be initiated remotely. In addition, an exploit is available. Upgrading the affected component is advised.

A vulnerability was found in zhayujie chatgpt-on-wechat up to 2.0.8. It has been declared as critical. This issue affects the function _get_safety_warning of the file agent/tools/bash/bash.py of the component Bash Tool. Executing a manipulation can lead to os command injection. This vulnerability is tracked as CVE-2026-10214. The attack can be launched remotely. Moreover, an exploit is present. It is recommended to upgrade the affected component.

A vulnerability was found in AstrBotDevs AstrBot 4.23.6. It has been classified as critical. This vulnerability affects unknown code of the file /api/skills/delete of the component API Endpoint. Performing a manipulation of the argument Name results in path traversal. This vulnerability is identified as CVE-2026-10213. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in AstrBotDevs AstrBot 4.24.2 and classified as critical. This affects the function astr_main_agent of the file astrbot/core/astr_main_agent.py. Such manipulation of the argument session_id leads to authorization bypass. This vulnerability is referenced as CVE-2026-10212. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in AstrBotDevs AstrBot 4.23.6 and classified as critical. Affected by this issue is the function _normalize_rw_path of the file astrbot/core/tools/computer_tools/fs.py. This manipulation causes incorrect authorization. The identification of this vulnerability is CVE-2026-10211. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in AstrBotDevs AstrBot 4.23.6. Affected by this vulnerability is the function _sanitize_prompt_description of the file astrbot/core/skills/skill_manager.py. The manipulation results in injection. This vulnerability was named CVE-2026-10210. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, has been found in code-projects Online Hospital Management System 1.0. Affected is an unknown function of the file appointmentdetail.php of the component Appointment Handler. The manipulation of the argument editid leads to sql injection. This vulnerability is uniquely identified as CVE-2026-10209. The attack is possible to be carried out remotely. Moreover, an exploit is present.

A vulnerability classified as critical was found in code-projects Online Hospital Management System 1.php. This impacts the function login_user of the file login_1.php. Executing a manipulation of the argument Username can lead to sql injection. This vulnerability is handled as CVE-2026-10208. The attack can be executed remotely. Additionally, an exploit exists.

A vulnerability classified as critical has been found in D-Link DI-8400 up to 16.07.26A1. This affects an unknown function of the file /dbsrv.asp. Performing a manipulation of the argument str results in stack-based buffer overflow. This vulnerability is known as CVE-2026-10206. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The initial researcher advisory mentions contradicting parameter names to be affected.