Aggregator

A vulnerability categorized as critical has been discovered in Tenda JD12L 16.03.53.23. Impacted is the function formSetPPTPServer of the file /goform/SetPptpServerCfg. Such manipulation of the argument startIp leads to stack-based buffer overflow. This vulnerability is uniquely identified as CVE-2026-13515. The attack can be launched remotely. Moreover, an exploit is present.

A vulnerability was found in Chess Play and Learn App up to 4.9.42 on Android. It has been rated as problematic. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. This vulnerability is handled as CVE-2026-13514. It is feasible to perform the attack on the physical device. Additionally, an exploit exists. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

Submit #838993 / VDB-374527

Submit #838889 / VDB-374526

Submit #838888 / VDB-374525

Submit #838887 / VDB-374524

Submit #838885 / VDB-374523

Submit #838880 / VDB-374522

A vulnerability was found in MyScale MyScaleDB up to 1.8.0. It has been declared as problematic. This vulnerability affects the function SegmentId::getCacheKey in the library src/VectorIndex/Common/SegmentId.h. The manipulation results in insufficient verification of data authenticity. This vulnerability is known as CVE-2026-13513. It is possible to launch the attack remotely. Furthermore, an exploit is available. The pull request to fix this issue awaits acceptance.

A vulnerability was found in Databend up to 1.2.881 on HTTP. It has been classified as problematic. This affects the function ClientSessionManager::state_key of the file src/query/service/src/servers/http/v1/session/client_session_manager.rs of the component Tenant Handler. The manipulation leads to authorization bypass. This vulnerability is traded as CVE-2026-13512. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The pull request to fix this issue awaits acceptance.

A vulnerability was found in VoltAgent up to 2.1.17 and classified as problematic. Affected by this issue is the function handleGetMemoryConversation of the file packages/server-core/src/handlers/memory.handlers.ts of the component Memory REST API. Executing a manipulation of the argument conversationId can lead to improper authorization. This vulnerability appears as CVE-2026-13511. The attack may be performed from remote. In addition, an exploit is available. The pull request to fix this issue awaits acceptance.

Submit #838878 / VDB-374521

A vulnerability has been found in SimStudioAI sim up to 0.6.92 and classified as problematic. Affected by this vulnerability is an unknown functionality in the library apps/sim/lib/core/security/deployment.ts of the component Password Protection Handler. Performing a manipulation results in use of weak hash. This vulnerability is reported as CVE-2026-13510. The attack is possible to be carried out remotely. Moreover, an exploit is present. The pull request to fix this issue awaits acceptance.

Submit #838874 / VDB-374520

Submit #838873 / VDB-374519

A vulnerability, which was classified as critical, was found in RAGapp up to 0.1.5. Affected is the function FileHandler.upload_file/FileHandler.remove_file of the file src/ragapp/backend/controllers/files.py of the component Knowledge File Handler. Such manipulation leads to path traversal. This vulnerability is documented as CVE-2026-13509. The attack can be executed remotely. Additionally, an exploit exists. The pull request to fix this issue awaits acceptance.

Submit #838842 / VDB-374518

A vulnerability, which was classified as critical, has been found in khoj-ai khoj up to 2.0.0-beta.28. This impacts an unknown function of the file src/khoj/routers/api_chat.py of the component Conversation Sharing Handler. This manipulation of the argument conversation.agent causes incorrect authorization. This vulnerability is registered as CVE-2026-13508. Remote exploitation of the attack is possible. Furthermore, an exploit is available. The pull request to fix this issue awaits acceptance.

Submit #838838 / VDB-374517

A vulnerability classified as problematic was found in volcengine OpenViking up to 0.3.21. This affects the function str_to_uint64 of the file openviking/storage/vectordb/utils/str_to_uint64.py of the component Local VectorDB Primary-key Label Handler. The manipulation of the argument ID results in insufficient verification of data authenticity. This vulnerability is cataloged as CVE-2026-13507. The attack may be launched remotely. There is no exploit available. The pull request to fix this issue awaits acceptance.