Vuldb Updates

A vulnerability has been found in ZenTao up to 21.7.6-85642 and classified as critical. The impacted element is the function fetchHook of the file module/webhook/model.php of the component Webhook Module. This manipulation causes server-side request forgery. This vulnerability appears as CVE-2026-1884. The attack may be initiated remotely. In addition, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in WeKan up to 8.20 and classified as critical. This affects the function setBoardOrgs of the file models/boards.js of the component REST API. Such manipulation of the argument item.cardId/item.checklistId/card.boardId leads to improper authorization. This vulnerability is traded as CVE-2026-1892. The attack may be launched remotely. There is no exploit available. It is suggested to upgrade the affected component.

A vulnerability was found in WeKan up to 8.20. It has been classified as critical. This impacts an unknown function of the file models/checklistItems.js of the component REST API. Performing a manipulation of the argument item.cardId/item.checklistId/card.boardId results in improper authorization. This vulnerability is known as CVE-2026-1894. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is recommended.

A vulnerability was found in IBM Cloud Pak System and OS Image for Red Hat Linux Systems and classified as problematic. This affects an unknown part of the component User Message Handler. Such manipulation leads to information exposure through error message. This vulnerability is referenced as CVE-2023-38010. It is possible to launch the attack remotely. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability identified as problematic has been detected in Navidrome up to 0.59.x. Affected is an unknown function of the file /rest/getCoverArt. Performing a manipulation of the argument size results in resource consumption. This vulnerability is cataloged as CVE-2026-25579. It is possible to initiate the attack remotely. There is no exploit available. You should upgrade the affected component.

A vulnerability marked as problematic has been reported in Keats jsonwebtoken up to 10.2.x. This issue affects some unknown processing. This manipulation causes type confusion. This vulnerability is registered as CVE-2026-25537. Remote exploitation of the attack is possible. No exploit is available. It is suggested to upgrade the affected component.

A vulnerability was found in tokio-rs bytes up to 1.11.0. It has been classified as problematic. This issue affects the function spare_capacity_mut. The manipulation leads to integer overflow to buffer overflow. This vulnerability is uniquely identified as CVE-2026-25541. Local access is required to approach this attack. No exploit exists. Upgrading the affected component is recommended.

A vulnerability was found in SportsPress Plugin up to 2.7.26 on WordPress. It has been declared as critical. Affected by this issue is the function template_name of the component Shortcode Handler. Executing a manipulation can lead to file inclusion. The identification of this vulnerability is CVE-2025-15368. The attack may be launched remotely. There is no exploit available.

A vulnerability marked as critical has been reported in SIBS woocommerce Payment Gateway Plugin up to 2.2.0 on WordPress. The affected element is an unknown function. Performing a manipulation of the argument referencedId results in sql injection. This vulnerability is cataloged as CVE-2026-1370. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability described as critical has been identified in gtlwpdev All push notification for WP Plugin up to 1.5.3 on WordPress. Affected is an unknown function. The manipulation of the argument delete_id results in sql injection. This vulnerability is cataloged as CVE-2026-0816. The attack may be launched remotely. There is no exploit available.

A vulnerability, which was classified as problematic, has been found in WP Content Permission Plugin up to 1.2 on WordPress. This affects an unknown part. Performing a manipulation of the argument ohmem-message results in cross site scripting. This vulnerability is reported as CVE-2026-0743. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability described as problematic has been identified in Ercom Cryptobox up to 4.39.x. This affects an unknown part of the component Administration Console. Such manipulation leads to cross site scripting. This vulnerability is listed as CVE-2026-0873. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability classified as critical has been found in Zenitel TCIS-3+ prior 9.2.3.3. This vulnerability affects unknown code of the component Uploaded File Handler. Performing a manipulation results in command injection. This vulnerability is cataloged as CVE-2025-59818. It is possible to initiate the attack remotely. There is no exploit available.

A vulnerability labeled as critical has been found in Cisco Meeting Management up to 3.12.0. This vulnerability affects unknown code of the component Certificate Management. Such manipulation leads to unrestricted upload. This vulnerability is referenced as CVE-2026-20098. It is possible to launch the attack remotely. No exploit is available. The affected component should be upgraded.

A vulnerability marked as critical has been reported in Linux Kernel up to 6.6.121/6.12.67/6.18.7/6.19-rc6. This issue affects the function trace_event_raw_event_synth. Performing a manipulation results in memory corruption. This vulnerability is identified as CVE-2026-23088. The attack can only be performed from the local network. There is not any exploit available. It is suggested to upgrade the affected component.

A vulnerability labeled as critical has been found in Linux Kernel up to 6.6.121/6.12.67/6.18.7/6.19-rc6. The affected element is the function tcf_ife_encode of the component sched. Executing a manipulation can lead to null pointer dereference. The identification of this vulnerability is CVE-2026-23064. The attack needs to be done within the local network. There is no exploit available. The affected component should be upgraded.

A vulnerability was found in Chapa Payment Gateway Plugin for WooCommerce Plugin up to 1.0.3 on WordPress. It has been rated as problematic. This affects the function chapa_proceed of the component API Endpoint. The manipulation leads to information disclosure. This vulnerability is referenced as CVE-2025-15482. Remote exploitation of the attack is possible. No exploit is available.

A vulnerability categorized as critical has been discovered in MyRewards Plugin up to 5.6.0 on WordPress. This vulnerability affects the function ajax. The manipulation results in missing authorization. This vulnerability is identified as CVE-2025-15260. The attack can be executed remotely. There is not any exploit available.

A vulnerability identified as problematic has been detected in Magic Import Document Extractor Plugin up to 1.0.4 on WordPress. This issue affects the function get_frontend_settings. This manipulation causes information disclosure. This vulnerability is tracked as CVE-2025-15508. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability labeled as problematic has been found in Fortis for WooCommerce Plugin up to 1.2.0 on WordPress. Impacted is the function check_fortis_notify_response of the component Order Status Update Handler. Such manipulation leads to missing authorization. This vulnerability is listed as CVE-2026-0679. The attack may be performed from remote. There is no available exploit.