Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
Common Vulnerability Scoring System76216
0
10
CVE-2026-16229
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 09:45
Updated-19 Jul, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Courier Management System index.php cross site scripting

A flaw has been found in itsourcecode Courier Management System up to 1.0. Affected by this vulnerability is an unknown functionality of the file /index.php. Executing a manipulation of the argument page can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-ITSourceCode
Product-Courier Management System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16228
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 09:30
Updated-19 Jul, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System edit_schoolyr.php sql injection

A vulnerability was detected in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /edit_schoolyr.php. Performing a manipulation of the argument ID results in sql injection. It is possible to initiate the attack remotely. The exploit is now public and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16227
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 09:15
Updated-19 Jul, 2026 | 10:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System edit_subject.php sql injection

A security vulnerability has been detected in SourceCodester Class and Exam Timetabling System 1.0. This impacts an unknown function of the file /edit_subject.php. Such manipulation of the argument ID leads to sql injection. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16226
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 08:15
Updated-19 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Pizzafy Ecommerce System admin_class_novo.php save_settings unrestricted upload

A weakness has been identified in SourceCodester Pizzafy Ecommerce System 1.0. This affects the function save_settings of the file /admin/admin_class_novo.php. This manipulation of the argument img causes unrestricted upload. The attack is possible to be carried out remotely.

Action-Not Available
Vendor-SourceCodester
Product-Pizzafy Ecommerce System
CWE ID-CWE-284
Improper Access Control
CWE ID-CWE-434
Unrestricted Upload of File with Dangerous Type
CVE-2026-16225
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 08:00
Updated-19 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
davenardella snap7 s7_peer.cpp NegotiatePDULength out-of-bounds write

A security flaw has been discovered in davenardella snap7 up to 1.4.3. The impacted element is the function TSnap7Peer::NegotiatePDULength of the file src/core/s7_peer.cpp. The manipulation of the argument PDULength results in out-of-bounds write. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-davenardella
Product-snap7
CWE ID-CWE-119
Improper Restriction of Operations within the Bounds of a Memory Buffer
CWE ID-CWE-787
Out-of-bounds Write
CVE-2026-16224
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 07:45
Updated-19 Jul, 2026 | 09:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
jxxghp MoviePilot Application API improper authorization

A vulnerability was identified in jxxghp MoviePilot up to 2.13.5. The affected element is an unknown function of the file /jxxghp/MoviePilot of the component Application API. The manipulation leads to improper authorization. Remote exploitation of the attack is possible. The identifier of the patch is dc2b6910a423b3bfadeffaa303e1ba75cfb33900. Applying a patch is the recommended action to fix this issue.

Action-Not Available
Vendor-jxxghp
Product-MoviePilot
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2026-16223
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 07:15
Updated-19 Jul, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1Panel-dev CordysCRM Third Party Edit Endpoint IntegrationConfigService.java getSqlBotSrc server-side request forgery

A vulnerability was determined in 1Panel-dev CordysCRM up to 1.4.1. Impacted is the function getSqlBotSrc of the file backend/crm/src/main/java/cn/cordys/crm/system/service/IntegrationConfigService.java of the component Third Party Edit Endpoint. Executing a manipulation of the argument appSecret can lead to server-side request forgery. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-1Panel (FIT2CLOUD Inc.)
Product-CordysCRM
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16222
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 06:45
Updated-19 Jul, 2026 | 08:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
1Panel-dev CordysCRM Third Party Endpoint TokenService.java server-side request forgery

A vulnerability was found in 1Panel-dev CordysCRM up to 1.4.1. This issue affects some unknown processing of the file backend/crm/src/main/java/cn/cordys/crm/integration/sso/service/TokenService.java of the component Third Party Endpoint. Performing a manipulation of the argument mkAddress results in server-side request forgery. The attack may be initiated remotely. The exploit has been made public and could be used. The project closed the issue report, stating that this is not the official way to report a security vulnerability.

Action-Not Available
Vendor-1Panel (FIT2CLOUD Inc.)
Product-CordysCRM
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16220
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 06:15
Updated-19 Jul, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
code-projects Online Examination System account.php cross site scripting

A vulnerability has been found in code-projects Online Examination System 1.0. This vulnerability affects unknown code of the file /account.php?q=quiz. Such manipulation of the argument eid/n/t leads to cross site scripting. The attack can be launched remotely. The exploit has been disclosed to the public and may be used.

Action-Not Available
Vendor-Source Code & Projects
Product-Online Examination System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16219
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 06:00
Updated-19 Jul, 2026 | 07:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Croogo CMS Admin File Manager FileManager.php isEditable path traversal

A flaw has been found in Croogo CMS up to 4.0.7. This affects the function FileManager::isEditable of the file FileManager/src/Utility/FileManager.php of the component Admin File Manager. This manipulation causes path traversal. The attack can be initiated remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-Croogo
Product-CMS
CWE ID-CWE-22
Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
CVE-2026-16217
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 05:30
Updated-19 Jul, 2026 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
guohongze adminset Delivery Deployment Endpoint deli.py authorization

A security vulnerability has been detected in guohongze adminset up to 0.61. Affected by this vulnerability is an unknown functionality of the file delivery/deli.py of the component Delivery Deployment Endpoint. The manipulation of the argument project_id leads to authorization bypass. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-guohongze
Product-adminset
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-16216
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 05:00
Updated-19 Jul, 2026 | 06:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
geex-arts django-jet OAuth cross-site request forgery

A weakness has been identified in geex-arts django-jet up to 1.0.8. Affected is an unknown function of the component OAuth Handler. Executing a manipulation can lead to cross-site request forgery. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-geex-arts
Product-django-jet
CWE ID-CWE-352
Cross-Site Request Forgery (CSRF)
CWE ID-CWE-862
Missing Authorization
CVE-2026-16215
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 04:30
Updated-19 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
geex-arts django-jet OAuth Credential Revoke authorization

A security flaw has been discovered in geex-arts django-jet up to 1.0.8. This impacts an unknown function of the component OAuth Credential Revoke Handler. Performing a manipulation results in missing authorization. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-geex-arts
Product-django-jet
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16214
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 04:15
Updated-19 Jul, 2026 | 05:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
geex-arts django-jet Dashboard views.py authorization

A vulnerability was identified in geex-arts django-jet up to 1.0.8. This affects an unknown function of the file jet/dashboard/views.py of the component Dashboard Module. Such manipulation leads to authorization bypass. The attack can be executed remotely. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-geex-arts
Product-django-jet
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-639
Authorization Bypass Through User-Controlled Key
CVE-2026-16210
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 03:15
Updated-19 Jul, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
newpanjing simpleui AjaxAdmin AJAX Endpoint admin.py self.get_action missing authentication

A vulnerability was found in newpanjing simpleui 2026.01.13. This affects the function self.get_action of the file simpleui/admin.py of the component AjaxAdmin AJAX Endpoint. Performing a manipulation results in missing authentication. Remote exploitation of the attack is possible. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-newpanjing
Product-simpleui
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-16209
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 03:00
Updated-19 Jul, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Gerapy Project Upload Endpoint views.py missing authentication

A vulnerability has been found in Gerapy up to 0.9.13. The impacted element is an unknown function of the file gerapy/server/core/views.py of the component Project Upload Endpoint. Such manipulation leads to missing authentication. The attack may be launched remotely. The exploit has been disclosed to the public and may be used. The name of the patch is bd4891c60315f17611a3b7a651ffe0fba7cfe71e. Applying a patch is advised to resolve this issue.

Action-Not Available
Vendor-n/a
Product-Gerapy
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-306
Missing Authentication for Critical Function
CVE-2026-16208
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-19 Jul, 2026 | 02:45
Updated-19 Jul, 2026 | 04:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
django-tastypie throttle.py CacheDBThrottle race condition

A flaw has been found in django-tastypie up to 0.15.1. The affected element is the function CacheThrottle/CacheDBThrottle of the file tastypie/throttle.py. This manipulation causes race condition. The attack may be initiated remotely. The complexity of an attack is rather high. The exploitability is described as difficult. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-n/a
Product-django-tastypie
CWE ID-CWE-362
Concurrent Execution using Shared Resource with Improper Synchronization ('Race Condition')
CVE-2026-16206
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 02:15
Updated-19 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
django-oauth django-oauth-toolkit oauth2_validators.py _load_id_token session expiration

A security vulnerability has been detected in django-oauth django-oauth-toolkit 3.3.0. This issue affects the function _load_id_token of the file oauth2_provider/oauth2_validators.py. The manipulation leads to session expiration. The attack can be initiated remotely. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-django-oauth
Product-django-oauth-toolkit
CWE ID-CWE-613
Insufficient Session Expiration
CVE-2026-16204
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 01:45
Updated-19 Jul, 2026 | 03:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw Telegram-to-AI Tool Execution Flow script.c tool_run_script_execute code injection

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This affects the function tool_run_script_execute of the file claw/services/tools/script.c of the component Telegram-to-AI Tool Execution Flow. Performing a manipulation results in code injection. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16203
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 01:30
Updated-19 Jul, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System forCYS.php cross site scripting

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /forCYS.php. Such manipulation of the argument course leads to cross site scripting. The attack may be performed from remote. The exploit is publicly available and might be used.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16202
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 01:15
Updated-19 Jul, 2026 | 02:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System CYS.php cross site scripting

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. Affected by this vulnerability is an unknown functionality of the file /CYS.php. This manipulation of the argument course causes cross site scripting. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16201
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 00:45
Updated-19 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw http_request net.c claw_net_post information disclosure

A vulnerability was found in zevorn rt-claw up to 0.2.0. Affected is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manipulation results in information disclosure. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-200
Exposure of Sensitive Information to an Unauthorized Actor
CWE ID-CWE-284
Improper Access Control
CVE-2026-16200
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 00:15
Updated-19 Jul, 2026 | 01:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw RPC swarm.c claw_tool_invoke authorization

A vulnerability has been found in zevorn rt-claw up to 0.2.0. This impacts the function claw_tool_invoke of the file claw/services/swarm/swarm.c of the component RPC Handler. The manipulation leads to incorrect authorization. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16199
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-19 Jul, 2026 | 00:00
Updated-19 Jul, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder GoClaw credentialed_exec.go ExecTool.Execute improper authorization

A flaw has been found in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This affects the function ExecTool.Execute of the file goclaw/internal/tools/credentialed_exec.go. Executing a manipulation can lead to improper authorization. The attack may be launched remotely. The exploit has been published and may be used.

Action-Not Available
Vendor-nextlevelbuilder
Product-GoClaw
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2026-16198
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 23:30
Updated-19 Jul, 2026 | 00:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sipeed PicoClaw First Run Setup access_control.go authentication bypass

A vulnerability was detected in Sipeed PicoClaw up to 0.2.9. The impacted element is an unknown function of the file web/backend/middleware/access_control.go of the component First Run Setup. Performing a manipulation of the argument allowed_cidrs results in authentication bypass using alternate channel. The attack may be initiated remotely. The attack's complexity is rated as high. The exploitability is regarded as difficult. The exploit is now public and may be used. The patch is named 017601354be38cb027ff3ffb01aed79bd5d12610. Applying a patch is the recommended action to fix this issue.

Action-Not Available
Vendor-Sipeed
Product-PicoClaw
CWE ID-CWE-287
Improper Authentication
CWE ID-CWE-288
Authentication Bypass Using an Alternate Path or Channel
CVE-2026-16197
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 23:00
Updated-18 Jul, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sipeed PicoClaw Group Message feishu_64.go handleMessageReceive authorization

A security vulnerability has been detected in Sipeed PicoClaw up to 0.2.9. The affected element is the function handleMessageReceive of the file pkg/channels/feishu/feishu_64.go of the component Group Message Handler. Such manipulation leads to missing authorization. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. The reported GitHub issue was closed automatically due to inactivity.

Action-Not Available
Vendor-Sipeed
Product-PicoClaw
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16196
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 22:45
Updated-18 Jul, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sipeed PicoClaw web_fetch web.go isPrivateOrRestrictedIP server-side request forgery

A weakness has been identified in Sipeed PicoClaw up to 0.2.9. Impacted is the function isPrivateOrRestrictedIP of the file pkg/tools/integration/web.go of the component web_fetch. This manipulation causes server-side request forgery. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks. Patch name: 2efbe5d560e7ed9bc5209c203dc4aa6ecdbc7405. To fix this issue, it is recommended to deploy a patch.

Action-Not Available
Vendor-Sipeed
Product-PicoClaw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16195
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 22:30
Updated-18 Jul, 2026 | 23:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Sipeed PicoClaw Group Message wecom.go dispatchIncoming authorization

A security flaw has been discovered in Sipeed PicoClaw up to 0.2.9. This issue affects the function dispatchIncoming of the file pkg/channels/wecom/wecom.go of the component Group Message Handler. The manipulation results in incorrect authorization. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks. The reported GitHub issue was closed automatically due to inactivity.

Action-Not Available
Vendor-Sipeed
Product-PicoClaw
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16194
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 21:15
Updated-18 Jul, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zhayujie CowAgent web_fetch.py WebFetch.execute server-side request forgery

A vulnerability was determined in zhayujie CowAgent up to 2.1.1. This affects the function WebFetch.execute of the file agent/tools/web_fetch/web_fetch.py. Executing a manipulation of the argument url can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized. Upgrading to version 2.1.2 is able to mitigate this issue. This patch is called ea47f3097eed4f8295c4cb3d76ecb97e0f43d632. It is recommended to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.

Action-Not Available
Vendor-zhayujie
Product-CowAgent
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16156
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 21:00
Updated-18 Jul, 2026 | 22:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System forexam.php cross site scripting

A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0. This affects an unknown part of the file /forexam.php. The manipulation of the argument day results in cross site scripting. It is possible to launch the attack remotely. The exploit has been released to the public and may be used for attacks.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16155
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 20:45
Updated-18 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System schoolyr.php cross site scripting

A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. Affected by this issue is some unknown functionality of the file /schoolyr.php. The manipulation of the argument sy leads to cross site scripting. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-57857
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-5.1||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 20:33
Updated-18 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Flow Payment Plugin for WordPress Reflected Cross-Site Scripting via error_message Parameter

The Flow Payment plugin for WordPress (flow.cl) version 3.0.8 is vulnerable to reflected cross-site scripting on the WooCommerce checkout page. When the plugin handles an order cancellation, the error_message GET parameter is passed directly to wc_add_notice() in flowpayment-fl.php (lines 57-58) without input sanitization (for example sanitize_text_field()) or output escaping (for example esc_html()) before being rendered in the checkout notice HTML. An unauthenticated attacker can craft a URL containing a JavaScript payload in the error_message parameter (for example /checkout/?add-to-cart={product-id}&cancel_order=true&error_message={payload}); when a victim with an active WooCommerce checkout session follows the link, the payload executes in the victim's browser in the origin of the WordPress site.

Action-Not Available
Vendor-Flow
Product-Flow Payment
CWE ID-CWE-79
Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting')
CVE-2026-16154
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 20:15
Updated-18 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System edit_room1.php sql injection

A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0/1.php. Affected by this vulnerability is an unknown functionality of the file /edit_room1.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16152
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 20:00
Updated-18 Jul, 2026 | 21:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SourceCodester Class and Exam Timetabling System edit_rooma.php sql injection

A vulnerability was found in SourceCodester Class and Exam Timetabling System 1.0. Affected is an unknown function of the file /edit_rooma.php. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been made public and could be used.

Action-Not Available
Vendor-SourceCodester
Product-Class and Exam Timetabling System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16151
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 19:45
Updated-18 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
CartoDB carto-api-client filters.ts addFilter prototype pollution

A vulnerability has been found in CartoDB carto-api-client 0.5.29. This impacts the function addFilter of the file src/filters.ts. Such manipulation of the argument column leads to improperly controlled modification of object prototype attributes. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-CartoDB
Product-carto-api-client
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-57848
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6.8||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 19:15
Updated-18 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
Stoat for Android Internal File Disclosure via Exported ShareTargetActivity URI Validation

Stoat for Android exports the chat.stoat.activities.ShareTargetActivity component (reachable to any process on the device via the android.intent.action.SEND intent) and accepts the file to share as a URI supplied through the android.intent.extra.STREAM extra. The activity does not validate or filter the incoming URI before using it as the outgoing attachment, so a caller can pass a file:// URI pointing at the application's own internal storage (for example /data/data/chat.revolt/databases/revolt.db, cached authentication token files, or preferences) and have the app treat that internal file as a user-selected attachment. An attacker who can invoke intents on the victim's device (via ADB access, a co-installed malicious application, or any other route that reaches Android's intent dispatch) can launch ShareTargetActivity with such a URI and cause the victim, on a single channel-selection interaction, to send the internal file to any Stoat channel or user of the attacker's choosing. The composer displays the attachment as \"attachment\" with no filename indication, so the victim has no visible signal that the file being sent is their own internal application data. Consequences include disclosure of the local Stoat database (message history, contact list, cached content), disclosure of authentication tokens permitting full account takeover, and disclosure of any other file readable by the app process.

Action-Not Available
Vendor-stoatchat
Product-Stoat for Android
CWE ID-CWE-926
Improper Export of Android Application Components
CVE-2026-16150
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 19:15
Updated-18 Jul, 2026 | 20:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
RobinHerbots Inputmask Internal Deep Merge Helper extend.js extendAliases prototype pollution

A vulnerability was found in RobinHerbots Inputmask up to 5.0.9. Affected by this issue is the function extendDefaults/extendDefinitions/extendAliases in the library lib/dependencyLibs/extend.js of the component Internal Deep Merge Helper. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be performed from remote. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-RobinHerbots
Product-Inputmask
CWE ID-CWE-1321
Improperly Controlled Modification of Object Prototype Attributes ('Prototype Pollution')
CWE ID-CWE-94
Improper Control of Generation of Code ('Code Injection')
CVE-2026-16133
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-2.3||LOW
EPSS-Not Assigned
Published-18 Jul, 2026 | 19:00
Updated-18 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
LiuMengxuan04 MiniCode mcp.ts child_process.spawn command injection

A flaw has been found in LiuMengxuan04 MiniCode 0.1.0. Affected by this vulnerability is the function child_process.spawn of the file mcp.ts. Executing a manipulation can lead to command injection. The attack can be launched remotely. The attack requires a high level of complexity. The exploitation appears to be difficult. The exploit has been published and may be used. The pull request to fix this issue awaits acceptance.

Action-Not Available
Vendor-LiuMengxuan04
Product-MiniCode
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-77
Improper Neutralization of Special Elements used in a Command ('Command Injection')
CVE-2026-16131
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 18:15
Updated-18 Jul, 2026 | 19:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
itsourcecode Hospital Management System prescriptionrecord.php sql injection

A weakness has been identified in itsourcecode Hospital Management System 1.0. This affects an unknown function of the file /prescriptionrecord.php. This manipulation of the argument delid causes sql injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-ITSourceCode
Product-Hospital Management System
CWE ID-CWE-74
Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection')
CWE ID-CWE-89
Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
CVE-2026-16129
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-4.8||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 17:00
Updated-18 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
princezuda SafestClaw Built-in Web shell.py ShellAction._validate_command incomplete blacklist

A vulnerability has been found in princezuda SafestClaw up to 4.2.4. This vulnerability affects the function ShellAction._validate_command of the file src/safestclaw/actions/shell.py of the component Built-in Web Interface. Such manipulation leads to incomplete blacklist. An attack has to be approached locally. The exploit has been disclosed to the public and may be used. The presence of this vulnerability remains uncertain at this time. The project maintainer explains: "On paper you're correct, this is a vulnerability. In practice, nothing your AI generated shows how it makes users vulnerable. It's open source. Someone can mod the shell allow list or remove that system. Present an actual poc that shows a threat to users."

Action-Not Available
Vendor-princezuda
Product-SafestClaw
CWE ID-CWE-183
Permissive List of Allowed Inputs
CWE ID-CWE-184
Incomplete List of Disallowed Inputs
CVE-2026-16128
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 16:30
Updated-18 Jul, 2026 | 17:16
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw http_request swarm.c receiver_thread server-side request forgery

A security flaw has been discovered in zevorn rt-claw up to 0.2.0. This impacts the function receiver_thread of the file claw/services/swarm/swarm.c of the component http_request. Performing a manipulation results in server-side request forgery. It is possible to initiate the attack remotely. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16127
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 16:00
Updated-18 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw http_request tool_net.c claw_net_post server-side request forgery

A vulnerability was identified in zevorn rt-claw up to 0.2.0. This affects the function claw_net_get/claw_net_post of the file claw/tools/tool_net.c of the component http_request. Such manipulation of the argument url leads to server-side request forgery. The attack may be performed from remote. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16126
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 15:45
Updated-18 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw Swarm RPC Receiver swarm.c handle_rpc_request authorization

A vulnerability was determined in zevorn rt-claw up to 0.2.0. The impacted element is the function handle_rpc_request of the file claw/services/swarm/swarm.c of the component Swarm RPC Receiver. This manipulation causes incorrect authorization. The attack is possible to be carried out remotely. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-285
Improper Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16125
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-6.9||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 15:15
Updated-18 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
zevorn rt-claw http_request net.c claw_net_post server-side request forgery

A vulnerability was found in zevorn rt-claw up to 0.2.0. The affected element is the function claw_net_get/claw_net_post of the file claw/services/tools/net.c of the component http_request. The manipulation of the argument url results in server-side request forgery. The attack can be executed remotely. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.

Action-Not Available
Vendor-zevorn
Product-rt-claw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16124
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 15:00
Updated-18 Jul, 2026 | 16:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder GoClaw web_fetch web_shared.go isPrivateIP server-side request forgery

A security vulnerability has been detected in nextlevelbuilder GoClaw up to 3.15.0-beta.32. This affects the function CheckSSRF/isPrivateIP of the file internal/tools/web_shared.go of the component web_fetch. Such manipulation leads to server-side request forgery. The attack can be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 3.15.0-beta.33 is able to mitigate this issue. The name of the patch is 12a0168271827650ddb0026d6277fbadf3dcf3ea. Upgrading the affected component is recommended.

Action-Not Available
Vendor-nextlevelbuilder
Product-GoClaw
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2026-16123
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 14:45
Updated-18 Jul, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder GoClaw Invoke Endpoint tools_invoke.go ToolsInvokeHandler.ServeHTTP authorization

A weakness has been identified in nextlevelbuilder GoClaw up to 3.13.2. Affected by this issue is the function ToolsInvokeHandler.ServeHTTP of the file internal/http/tools_invoke.go of the component Invoke Endpoint. This manipulation causes missing authorization. The attack can be initiated remotely. The exploit has been made available to the public and could be used for attacks.

Action-Not Available
Vendor-nextlevelbuilder
Product-GoClaw
CWE ID-CWE-862
Missing Authorization
CWE ID-CWE-863
Incorrect Authorization
CVE-2026-16121
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 14:15
Updated-18 Jul, 2026 | 15:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder GoClaw exec_approval.go isSafeBin improper authorization

A vulnerability was identified in nextlevelbuilder GoClaw up to 3.13.2. Affected is the function isSafeBin of the file internal/tools/exec_approval.go. The manipulation leads to improper authorization. It is possible to initiate the attack remotely. The exploit is publicly available and might be used.

Action-Not Available
Vendor-nextlevelbuilder
Product-GoClaw
CWE ID-CWE-266
Incorrect Privilege Assignment
CWE ID-CWE-285
Improper Authorization
CVE-2026-16120
Assigner-VulDB
ShareView Details
Assigner-VulDB
CVSS Score-5.3||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:30
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
nextlevelbuilder GoClaw exec_approval.go extractBin name resolution

A vulnerability was determined in nextlevelbuilder GoClaw up to 3.13.3-beta.3. This impacts the function matchesAllowlist/extractBin of the file internal/tools/exec_approval.go. Executing a manipulation can lead to incorrectly-resolved name. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Action-Not Available
Vendor-nextlevelbuilder
Product-GoClaw
CWE ID-CWE-706
Use of Incorrectly-Resolved Name or Reference
CVE-2025-71398
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-5.8||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.2.2 SSRF via HTTP Redirect Bypass

SurrealDB before 2.2.2 fails to validate HTTP redirects in http functions, allowing authenticated users to bypass deny-net restrictions by redirecting to blocked IP addresses. Attackers can host a public server that redirects to denied network targets, enabling server-side request forgery to access internal endpoints and retrieve sensitive information.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-918
Server-Side Request Forgery (SSRF)
CVE-2025-71393
Assigner-VulnCheck
ShareView Details
Assigner-VulnCheck
CVSS Score-6||MEDIUM
EPSS-Not Assigned
Published-18 Jul, 2026 | 13:10
Updated-18 Jul, 2026 | 14:17
Rejected-Not Available
Known To Be Used In Ransomware Campaigns?-Not Available
KEV Added-Not Available
KEV Action Due Date-Not Available
SurrealDB before 2.2.2 Memory Exhaustion via Nested Functions

SurrealDB before 2.2.2 with scripting enabled fails to properly enforce recursion limits when native functions contain embedded JavaScript that issues new queries. Authenticated attackers can bypass the recursion limit by chaining native and JavaScript function calls to trigger infinite recursion and exhaust server memory.

Action-Not Available
Vendor-surrealdb
Product-surrealdb
CWE ID-CWE-674
Uncontrolled Recursion
  • Previous
  • 1
  • 2
  • 3
  • ...
  • 1524
  • 1525
  • Next