Briefs

A buffer overflow vulnerability (CVE-2026-6581) in H3C Magic B1 routers allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the SetMobileAPInfoById function.

A critical authentication bypass vulnerability in liangliangyy DjangoBlog up to version 2.1.0.0 (CVE-2026-6577) allows remote attackers to inject arbitrary GPS data without authentication via the logtracks endpoint, potentially leading to data manipulation and unauthorized access.

A phishing campaign is abusing legitimate Apple account change notifications to deliver fake iPhone purchase scams, tricking users into calling malicious support numbers.

CVE-2026-6574 allows remote attackers to manipulate the 'key' argument in the /public/install/lp.sql file via the API Upload Endpoint in osuuu LightPicture <= 1.2.2, leading to hardcoded credentials exposure.

KodExplorer up to version 4.52 is vulnerable to a path traversal attack via manipulation of the path argument in the share.class.php::initShareOld function, potentially allowing remote attackers to access sensitive files.

A buffer overflow vulnerability (CVE-2026-6560) in H3C Magic B0 up to 100R002 allows remote attackers to execute arbitrary code by manipulating the 'param' argument in the Edit_BasicSSID function of the /goform/aspForm file.

Anviz CrossChex Standard is vulnerable to unauthorized database access due to the manipulation of TDS7 PreLogin, which disables encryption, leading to plaintext transmission of database credentials.

A vulnerability in the `compressing` npm package (<=v2.1.0) allows for arbitrary file overwrite via symlink path traversal, bypassing a previous patch for CVE-2026-24884.

DNN (formerly DotNetNuke) before 10.2.2 is vulnerable to stored cross-site scripting (XSS) via malicious SVG file uploads, potentially leading to account takeover and arbitrary code execution.

Dolibarr versions 22.0.4 and earlier are vulnerable to OS Command Injection via the MAIN_ODT_AS_PDF configuration, allowing an authenticated administrator to inject a malicious payload, leading to arbitrary operating system command execution.

FastGPT versions before 4.14.9.5 are vulnerable to NoSQL injection, allowing unauthenticated attackers to bypass authentication and gain administrative access.

A vulnerability in OpenClaw versions 2026.4.7 to before 2026.4.15 allows a crafted tool-result media reference to cause the host to attempt local file reads or Windows UNC/network path access, potentially disclosing files or network credentials.

The Payouts King ransomware is leveraging QEMU VMs as a reverse SSH backdoor to execute payloads, store malicious files, and establish covert remote access tunnels, bypassing endpoint security measures.

PraisonAI is vulnerable to SQL injection across nine database backends due to unsanitized `table_prefix` parameters, and in PostgreSQL due to an unsanitized `schema` parameter, enabling arbitrary SQL execution.

A critical vulnerability in Sentry's SAML SSO implementation allows account takeover by exploiting improper authentication when multiple organizations are configured, affecting versions 21.12.0 to 26.2.0 and requiring a malicious SAML Identity Provider and knowledge of the victim's email address.

WeGIA versions prior to 3.6.10 are vulnerable to SQL injection via the cpf_usuario POST parameter, allowing authenticated users to query the database under an arbitrary identity.

An unauthenticated attacker can trigger a denial-of-service condition on vulnerable Firebird servers by sending a specially crafted op_crypt_key_callback packet, leading to a null pointer dereference and server crash.

A local privilege escalation vulnerability exists in NovumOS versions before 0.24, where Syscall 12 (JumpToUser) lacks input validation, allowing user-mode processes to execute arbitrary code in kernel mode.

A vulnerability exists in NovumOS versions prior to 0.24 where the MemoryMapRange syscall allows user-mode processes to map arbitrary virtual address ranges, including kernel structures, leading to privilege escalation.

A compromised SecureDrop server can achieve code execution on the SecureDrop client's virtual machine by exploiting improper filename validation during gzip archive extraction, allowing for the overwriting of critical files.

A SQL injection vulnerability exists in Dagster's DuckDB, Snowflake, BigQuery, and DeltaLake I/O managers, where a user with 'Add Dynamic Partitions' permission can inject arbitrary SQL due to improper escaping of dynamic partition key values, leading to unauthorized data access or modification.

YesWiki is vulnerable to authenticated SQL Injection via the id_fiche parameter in the EntryManager::formatDataBeforeSave() function, allowing attackers to inject arbitrary SQL commands and potentially extract sensitive data.

Movary versions prior to 0.71.1 allow authenticated users to escalate privileges to administrator by manipulating the `isAdmin` field via a PUT request to the `/settings/users/{userId}` endpoint, due to missing authorization checks.

Movary versions before 0.71.1 are vulnerable to server-side request forgery (SSRF) via the `/settings/jellyfin/server-url-verify` endpoint, allowing authenticated users to probe internal network resources.

FastGPT versions prior to 4.14.9.5 are vulnerable to NoSQL injection in the password change endpoint, allowing authenticated attackers to bypass password verification and perform account takeover.

The openclaw package versions prior to 2026.4.10 are vulnerable to environment variable injection, where the exec environment policy missed interpreter startup variables allowing operator-supplied environment overrides to influence downstream execution or network behavior, addressed in versions 2026.4.10 and later.

A stored Cross-Site Scripting (XSS) vulnerability exists in WeGIA versions prior to 3.6.10, allowing attackers to inject malicious scripts into the 'Member Name' field during member registration, leading to persistent execution upon user access.

Anviz CrossChex Standard lacks source verification in the client/server channel, enabling TCP packet injection by an attacker on the same network to alter or disrupt application traffic.

Anviz CX2 Lite and CX7 devices are vulnerable to unauthenticated POST requests that allow modification of debug settings such as enabling SSH, leading to unauthorized state changes and potential compromise.

An authenticated user with CREATE FUNCTION privileges can exploit a path traversal vulnerability in Firebird versions prior to 5.0.4, 4.0.7, and 3.0.14, to load an arbitrary shared library leading to code execution as the server's OS account.