VulDB Recent Entries

A vulnerability was found in ibericode koko-analytics Plugin up to 2.1.2 on WordPress. It has been rated as critical. This affects an unknown function of the file src/Admin/Data_Export.php of the component Public Tracking Endpoint. The manipulation of the argument pa/r leads to sql injection. This vulnerability is traded as CVE-2026-22850. It is possible to initiate the attack remotely. There is no exploit available. Upgrading the affected component is advised.

A vulnerability was found in CRMEB up to 5.6.3. It has been declared as critical. The impacted element is the function remoteRegister of the file crmeb/app/services/user/LoginServices.php of the component JSON Token Handler. Executing a manipulation of the argument uid can lead to improper authentication. This vulnerability appears as CVE-2026-1203. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in CRMEB up to 5.6.3. It has been classified as critical. The affected element is the function appleLogin of the file crmeb/app/api/controller/v1/LoginController.php. Performing a manipulation of the argument openId results in improper authentication. This vulnerability is reported as CVE-2026-1202. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in LearnPress Plugin up to 4.3.2.4 on WordPress and classified as problematic. Impacted is the function get_item_permissions_check of the component REST API. Such manipulation leads to missing authorization. This vulnerability is documented as CVE-2025-14798. The attack can be executed remotely. There is not any exploit available.

A vulnerability has been found in PeachPay Plugin up to 1.119.8 on WordPress and classified as problematic. This issue affects some unknown processing of the component REST Endpoint. This manipulation causes missing authorization. This vulnerability is registered as CVE-2025-14978. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability, which was classified as problematic, was found in hexpm hex.pm. This vulnerability affects unknown code in the library lib/hexpm_web/views/shared_authorization_view.ex. The manipulation results in cross site scripting. This vulnerability is cataloged as CVE-2026-21618. The attack may be launched remotely. There is no exploit available. Applying a patch is advised to resolve this issue.

A vulnerability, which was classified as critical, has been found in Devolutions Server up to 2025.3.12. This affects an unknown part. The manipulation leads to sql injection. This vulnerability is listed as CVE-2026-0610. The attack may be initiated remotely. There is no available exploit.

A vulnerability classified as critical was found in Devolutions Server up to 2025.3.12. Affected by this issue is some unknown functionality. Executing a manipulation can lead to incorrect authorization. This vulnerability is tracked as CVE-2026-1007. The attack can be launched remotely. No exploit exists.

A vulnerability classified as problematic has been found in MineAdmin 1.x/2.x. Affected by this vulnerability is an unknown functionality of the file /system/downloadById. Performing a manipulation of the argument ID results in information disclosure. This vulnerability is identified as CVE-2026-1197. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as problematic has been identified in MineAdmin 1.x/2.x. Affected is an unknown function of the file /system/getFileInfoById. Such manipulation of the argument ID leads to information disclosure. This vulnerability is referenced as CVE-2026-1196. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability marked as critical has been reported in MineAdmin 1.x/2.x. This impacts the function refresh of the file /system/refresh of the component JWT Token Handler. This manipulation causes insufficient verification of data authenticity. The identification of this vulnerability is CVE-2026-1195. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability labeled as problematic has been found in MineAdmin 1.x/2.x. This affects an unknown function of the component Swagger. The manipulation results in information disclosure. This vulnerability was named CVE-2026-1194. The attack may be performed from remote. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability identified as critical has been detected in MineAdmin 1.x/2.x. The impacted element is an unknown function of the file /system/cache/view of the component View Interface. The manipulation leads to improper authorization. This vulnerability is uniquely identified as CVE-2026-1193. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability categorized as critical has been discovered in Tosei Online Store Management System ネット店舗管理システム 1.01. The affected element is an unknown function of the file /cgi-bin/imode_alldata.php. Executing a manipulation of the argument DevId can lead to command injection. This vulnerability is handled as CVE-2026-1192. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in Newsletter Plugin up to 9.1.0 on WordPress. It has been rated as problematic. Impacted is the function hook_newsletter_action. Performing a manipulation results in cross-site request forgery. This vulnerability is known as CVE-2026-1051. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability was found in Image Photo Gallery Final Tiles Grid Plugin up to 3.6.9 on WordPress. It has been declared as critical. This issue affects some unknown processing. Such manipulation leads to missing authorization. This vulnerability is traded as CVE-2025-15466. The attack may be launched remotely. There is no exploit available.

A vulnerability was found in Altium 365 up to 4.4.5. It has been classified as problematic. This vulnerability affects unknown code of the component Post Handler. This manipulation causes cross site scripting. This vulnerability appears as CVE-2026-1181. The attack may be initiated remotely. There is no available exploit.

A vulnerability was found in Yonyou KSOA 9.0 and classified as critical. This affects an unknown part of the file /kmf/user_popedom.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid results in sql injection. This vulnerability is reported as CVE-2026-1179. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in Yonyou KSOA 9.0 and classified as critical. Affected by this issue is some unknown functionality of the file /kmf/select.jsp of the component HTTP GET Parameter Handler. The manipulation of the argument folderid leads to sql injection. This vulnerability is documented as CVE-2026-1178. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability, which was classified as critical, was found in Yonyou KSOA 9.0. Affected by this vulnerability is an unknown functionality of the file /kmf/save_folder.jsp of the component HTTP GET Parameter Handler. Executing a manipulation of the argument folderid can lead to sql injection. This vulnerability is registered as CVE-2026-1177. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.