VulDB Recent Entries

A vulnerability was found in vanna-ai vanna up to 2.0.2. It has been classified as critical. Affected by this vulnerability is the function ask of the file vanna\legacy\base\base.py. Performing a manipulation results in sql injection. This vulnerability is reported as CVE-2026-4513. The attack is possible to be carried out remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability was found in vanna-ai vanna up to 2.0.2 and classified as critical. Affected is the function exec of the file /src/vanna/legacy. Such manipulation leads to injection. This vulnerability is documented as CVE-2026-4511. The attack can be executed remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability has been found in PbootCMS up to 3.2.12 and classified as problematic. This impacts the function alert_location of the file apps/home/controller/MemberController.php of the component Parameter Handler. This manipulation of the argument backurl causes cross site scripting. This vulnerability is registered as CVE-2026-4510. Remote exploitation of the attack is possible. Furthermore, an exploit is available.

A vulnerability, which was classified as critical, was found in PbootCMS up to 3.2.12. This affects an unknown function of the file core/function/file.php of the component File Upload. The manipulation of the argument black results in incomplete blacklist. This vulnerability is cataloged as CVE-2026-4509. The attack may be launched remotely. Furthermore, there is an exploit available.

A vulnerability, which was classified as critical, has been found in PbootCMS up to 3.2.12. The impacted element is the function checkUsername of the file apps/home/controller/MemberController.php of the component Member Login. The manipulation of the argument Username leads to sql injection. This vulnerability is listed as CVE-2026-4508. The attack may be initiated remotely. In addition, an exploit is available.

A vulnerability classified as critical was found in Mindinventory MindSQL up to 0.2.1. The affected element is the function ask_db of the file mindsql/core/mindsql_core.py. Executing a manipulation can lead to sql injection. This vulnerability is tracked as CVE-2026-4507. The attack can be launched remotely. Moreover, an exploit is present. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability classified as critical has been found in Mindinventory MindSQL up to 0.2.1. Impacted is the function ask_db of the file mindsql/core/mindsql_core.py. Performing a manipulation results in code injection. This vulnerability is identified as CVE-2026-4506. The attack can be initiated remotely. Additionally, an exploit exists. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability described as critical has been identified in eosphoros-ai DB-GPT up to 0.7.5. This issue affects the function module_plugin.refresh_plugins of the file packages/dbgpt-serve/src/dbgpt_serve/agent/hub/controller.py of the component FastAPI Endpoint. Such manipulation leads to unrestricted upload. This vulnerability is referenced as CVE-2026-4505. It is possible to launch the attack remotely. Furthermore, an exploit is available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability marked as critical has been reported in eosphoros-ai db-gpt up to 0.7.5. This vulnerability affects unknown code of the file /api/v1/editor/ of the component Incomplete Fix. This manipulation causes sql injection. The identification of this vulnerability is CVE-2026-4504. It is possible to initiate the attack remotely. Furthermore, there is an exploit available. The vendor was contacted early about this disclosure but did not respond in any way.

A vulnerability labeled as critical has been found in SysAK up to 2.0. This affects an unknown part. The manipulation results in command injection. This vulnerability was named CVE-2024-44722. The attack may be performed from remote. There is no available exploit.

A vulnerability identified as problematic has been detected in Gainsight Assist. Affected by this issue is some unknown functionality of the component Parameters Handler. The manipulation of the argument error_description leads to cross site scripting. This vulnerability is uniquely identified as CVE-2026-31382. The attack is possible to be carried out remotely. No exploit exists.

A vulnerability categorized as problematic has been discovered in Gainsight Assist. Affected by this vulnerability is an unknown functionality of the component OAuth Call Handler. Executing a manipulation of the argument state can lead to use of get request method with sensitive query strings. This vulnerability is handled as CVE-2026-31381. The attack can be executed remotely. There is not any exploit available.

A vulnerability was found in Devolutions Server up to 2026.0. It has been rated as critical. Affected is an unknown function of the component TLS Certificate Verification. Performing a manipulation results in improper certificate validation. This vulnerability is known as CVE-2026-4434. Remote exploitation of the attack is possible. No exploit is available. Upgrading the affected component is advised.

A vulnerability was found in bagofwords1 bagofwords up to 0.0.297. It has been declared as critical. This impacts the function generate_df of the file backend/app/ai/code_execution/code_execution.py. Such manipulation leads to injection. This vulnerability is traded as CVE-2026-4500. The attack may be launched remotely. Furthermore, there is an exploit available. It is recommended to upgrade the affected component.

A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.6. It has been classified as problematic. This affects an unknown function of the file /html/memorando/novo_memorandoo.php. This manipulation of the argument msg causes cross site scripting. This vulnerability appears as CVE-2026-33135. The attack may be initiated remotely. There is no available exploit. Upgrading the affected component is recommended.

A vulnerability was found in LabRedesCefetRJ WeGIA up to 3.6.5 and classified as critical. The impacted element is an unknown function of the file html/matPat/restaurar_produto.php of the component GET Parameter Handler. The manipulation of the argument id_produto results in sql injection. This vulnerability is reported as CVE-2026-33134. The attack can be launched remotely. No exploit exists. It is suggested to upgrade the affected component.

A vulnerability has been found in Zitadel up to 3.4.8/4.12.2 and classified as problematic. The affected element is an unknown function of the component API V2 Endpoint. The manipulation leads to incorrect authorization. This vulnerability is documented as CVE-2026-33132. The attack can be initiated remotely. There is not any exploit available. The affected component should be upgraded.

A vulnerability, which was classified as problematic, was found in LabRedesCefetRJ WeGIA up to 3.6.6. Impacted is an unknown function of the file /html/memorando/listar_memorandos_ativos.php of the component Memorando Module. Executing a manipulation of the argument msg can lead to cross site scripting. This vulnerability is registered as CVE-2026-33136. It is possible to launch the attack remotely. No exploit is available. You should upgrade the affected component.

A vulnerability, which was classified as problematic, has been found in Traefik up to 2.11.40/3.6.10. This issue affects some unknown processing. Performing a manipulation results in observable timing discrepancy. This vulnerability is cataloged as CVE-2026-32595. It is possible to initiate the attack remotely. There is no exploit available. It is advisable to upgrade the affected component.

A vulnerability classified as critical was found in h3js h3 up to 2.0.0-0/2.0.1-rc.14/2.0.1-rc.15. This vulnerability affects unknown code of the component Host Handler. Such manipulation of the argument event.url/event.url.hostname/event.url._url leads to authentication bypass by spoofing. This vulnerability is listed as CVE-2026-33131. The attack may be performed from remote. There is no available exploit. Upgrading the affected component is advised.