Search

Find a vulnerability

Search criteria

    15249 vulnerabilities

    CVE-2026-15607 (GCVE-0-2026-15607)

    Vulnerability from cvelistv5 – Published: 2026-07-13 23:00 – Updated: 2026-07-13 23:00 X_Open Source
    VLAI
    Title
    tanstack db Alias Path select.ts select prototype pollution
    Summary
    A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    tanstack db Affected: 0.6.0
    Affected: 0.6.1
    Affected: 0.6.2
    Affected: 0.6.3
    Affected: 0.6.4
    Affected: 0.6.5
    Affected: 0.6.6
    Affected: 0.6.7
    Affected: 0.6.8
        cpe:2.3:a:tanstack:db:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dremig (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:tanstack:db:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Alias Path Handler"
              ],
              "product": "db",
              "vendor": "tanstack",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.6.0"
                },
                {
                  "status": "affected",
                  "version": "0.6.1"
                },
                {
                  "status": "affected",
                  "version": "0.6.2"
                },
                {
                  "status": "affected",
                  "version": "0.6.3"
                },
                {
                  "status": "affected",
                  "version": "0.6.4"
                },
                {
                  "status": "affected",
                  "version": "0.6.5"
                },
                {
                  "status": "affected",
                  "version": "0.6.6"
                },
                {
                  "status": "affected",
                  "version": "0.6.7"
                },
                {
                  "status": "affected",
                  "version": "0.6.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dremig (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in tanstack db up to 0.6.8. Affected by this vulnerability is the function select of the file src/query/compiler/select.ts of the component Alias Path Handler. The manipulation results in improperly controlled modification of object prototype attributes. The attack may be launched remotely. The exploit is now public and may be used. The patch is identified as ac09b1177a100eafa85cba3cd09dd1f53f933ded. A patch should be applied to remediate this issue."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:N/E:P/RL:O/RC:C",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:OF/RC:C",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T23:00:15.192Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378115 | tanstack db Alias Path select.ts select prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378115"
            },
            {
              "name": "VDB-378115 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378115/cti"
            },
            {
              "name": "CVE-2026-15607 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15607"
            },
            {
              "name": "Submit #855677 | Node.js @tanstack/db 0.6.8 Prototype Pollution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855677"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/TanStack/db/issues/1584"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/TanStack/db/pull/1595"
            },
            {
              "tags": [
                "patch"
              ],
              "url": "https://github.com/TanStack/db/commit/ac09b1177a100eafa85cba3cd09dd1f53f933ded"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/TanStack/db/"
            }
          ],
          "tags": [
            "x_open-source"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T17:45:22.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "tanstack db Alias Path select.ts select prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15607",
        "datePublished": "2026-07-13T23:00:15.192Z",
        "dateReserved": "2026-07-13T15:40:19.194Z",
        "dateUpdated": "2026-07-13T23:00:15.192Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15605 (GCVE-0-2026-15605)

    Vulnerability from cvelistv5 – Published: 2026-07-13 22:45 – Updated: 2026-07-13 22:45
    VLAI
    Title
    wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash
    Summary
    A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity Validation. The manipulation leads to use of weak hash. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The pull request to fix this issue awaits acceptance.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378114 vdb-entrytechnical-description
    https://vuldb.com/vuln/378114/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15605 third-party-advisory
    https://vuldb.com/submit/855675 third-party-advisory
    https://github.com/wandb/wandb/issues/12030 issue-tracking
    https://github.com/wandb/wandb/pull/12031 issue-trackingpatch
    https://github.com/wandb/wandb/ product
    Impacted products
    Vendor Product Version
    n/a wandb Affected: 0.25.2.dev1
        cpe:2.3:a:wandb:wandb:*:*:*:*:*:*:*:*
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:wandb:wandb:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Artifact Integrity Validation"
              ],
              "product": "wandb",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.25.2.dev1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in wandb 0.25.2.dev1. Affected is the function ArtifactManifestEntry.download in the library wandb/sdk/lib/hashutil.py of the component Artifact Integrity Validation. The manipulation leads to use of weak hash. The attack may be initiated remotely. A high degree of complexity is needed for the attack. The exploitability is told to be difficult. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 2.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.1,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.1,
                "vectorString": "AV:N/AC:H/Au:S/C:P/I:N/A:N/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-328",
                  "description": "Use of Weak Hash",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-327",
                  "description": "Risky Cryptographic Algorithm",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T22:45:09.813Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378114 | wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378114"
            },
            {
              "name": "VDB-378114 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378114/cti"
            },
            {
              "name": "CVE-2026-15605 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15605"
            },
            {
              "name": "Submit #855675 | Weights \u0026 Biases wandb 0.25.2.dev1 at commit 28cc0bf5a9b529b72e5e501d0a48c6c42220ae0a; earlier versions may be affected if they use the same MD5-based  CWE-328 Use of Weak Hash",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855675"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/wandb/wandb/issues/12030"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/wandb/wandb/pull/12031"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/wandb/wandb/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T17:43:16.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "wandb Artifact Integrity Validation hashutil.py ArtifactManifestEntry.download weak hash"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15605",
        "datePublished": "2026-07-13T22:45:09.813Z",
        "dateReserved": "2026-07-13T15:38:12.267Z",
        "dateUpdated": "2026-07-13T22:45:09.813Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15598 (GCVE-0-2026-15598)

    Vulnerability from cvelistv5 – Published: 2026-07-13 22:00 – Updated: 2026-07-13 22:00
    VLAI
    Title
    antv layout object.js setNestedValue prototype pollution
    Summary
    A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet.
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378113 vdb-entrytechnical-description
    https://vuldb.com/vuln/378113/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15598 third-party-advisory
    https://vuldb.com/submit/855637 third-party-advisory
    https://github.com/antvis/layout/issues/292 issue-tracking
    Impacted products
    Vendor Product Version
    antv layout Affected: 2.0.0
        cpe:2.3:a:antv:layout:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dremig (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:antv:layout:*:*:*:*:*:*:*:*"
              ],
              "product": "layout",
              "vendor": "antv",
              "versions": [
                {
                  "status": "affected",
                  "version": "2.0.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dremig (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in antv layout 2.0.0. This impacts the function setNestedValue in the library lib/util/object.js. Executing a manipulation of the argument path can lead to improperly controlled modification of object prototype attributes. The attack can be launched remotely. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T22:00:11.338Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378113 | antv layout object.js setNestedValue prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378113"
            },
            {
              "name": "VDB-378113 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378113/cti"
            },
            {
              "name": "CVE-2026-15598 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15598"
            },
            {
              "name": "Submit #855637 | Node.js @antv/layout 2.0.0 Prototype Pollution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855637"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/antvis/layout/issues/292"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T16:13:50.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "antv layout object.js setNestedValue prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15598",
        "datePublished": "2026-07-13T22:00:11.338Z",
        "dateReserved": "2026-07-13T14:08:46.995Z",
        "dateUpdated": "2026-07-13T22:00:11.338Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15597 (GCVE-0-2026-15597)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:45 – Updated: 2026-07-13 21:45 X_Freeware
    VLAI
    Title
    SourceCodester Class and Exam Timetabling System edit_exam2.php sql injection
    Summary
    A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/2.php. This affects an unknown function of the file /edit_exam2.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378112 vdb-entrytechnical-description
    https://vuldb.com/vuln/378112/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15597 third-party-advisory
    https://vuldb.com/submit/855298 third-party-advisory
    https://github.com/asdasddqwdq29-a11y/new-cve/issues/1 exploitissue-tracking
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Class and Exam Timetabling System Affected: 1.0
    Affected: 2.php
        cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    bzdXBHu0xzWRJ (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Class and Exam Timetabling System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "2.php"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "bzdXBHu0xzWRJ (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in SourceCodester Class and Exam Timetabling System 1.0/2.php. This affects an unknown function of the file /edit_exam2.php. Performing a manipulation of the argument ID results in sql injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:45:09.410Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378112 | SourceCodester Class and Exam Timetabling System edit_exam2.php sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378112"
            },
            {
              "name": "VDB-378112 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378112/cti"
            },
            {
              "name": "CVE-2026-15597 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15597"
            },
            {
              "name": "Submit #855298 | sourcecodester  Class and Exam Timetabling System V1.0 SQL injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855298"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/asdasddqwdq29-a11y/new-cve/issues/1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T16:09:23.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Class and Exam Timetabling System edit_exam2.php sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15597",
        "datePublished": "2026-07-13T21:45:09.410Z",
        "dateReserved": "2026-07-13T14:04:19.950Z",
        "dateUpdated": "2026-07-13T21:45:09.410Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15596 (GCVE-0-2026-15596)

    Vulnerability from cvelistv5 – Published: 2026-07-13 21:30 – Updated: 2026-07-13 21:30 X_Freeware
    VLAI
    Title
    SourceCodester Class and Exam Timetabling System subject.php cross site scripting
    Summary
    A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /subject.php. Such manipulation of the argument subject leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378111 vdb-entrytechnical-description
    https://vuldb.com/vuln/378111/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15596 third-party-advisory
    https://vuldb.com/submit/855269 third-party-advisory
    https://github.com/AlbaDove/cve/issues/5 exploitissue-tracking
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Class and Exam Timetabling System Affected: 1.0
        cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    AlbaDove (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Class and Exam Timetabling System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AlbaDove (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in SourceCodester Class and Exam Timetabling System 1.0. The impacted element is an unknown function of the file /subject.php. Such manipulation of the argument subject leads to cross site scripting. It is possible to launch the attack remotely. The exploit is publicly available and might be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T21:30:08.683Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378111 | SourceCodester Class and Exam Timetabling System subject.php cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378111"
            },
            {
              "name": "VDB-378111 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378111/cti"
            },
            {
              "name": "CVE-2026-15596 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15596"
            },
            {
              "name": "Submit #855269 | sourcecodester Class and Exam Timetabling System V1.0 cross site scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855269"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/AlbaDove/cve/issues/5"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T16:07:46.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Class and Exam Timetabling System subject.php cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15596",
        "datePublished": "2026-07-13T21:30:08.683Z",
        "dateReserved": "2026-07-13T14:02:39.572Z",
        "dateUpdated": "2026-07-13T21:30:08.683Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15595 (GCVE-0-2026-15595)

    Vulnerability from cvelistv5 – Published: 2026-07-13 20:30 – Updated: 2026-07-13 20:30 X_Freeware
    VLAI
    Title
    SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting
    Summary
    A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378110 vdb-entrytechnical-description
    https://vuldb.com/vuln/378110/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15595 third-party-advisory
    https://vuldb.com/submit/855268 third-party-advisory
    https://github.com/AlbaDove/cve/issues/6 exploitissue-tracking
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Class and Exam Timetabling System Affected: 1.0
        cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    AlbaDove (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:class_and_exam_timetabling_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Class and Exam Timetabling System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "AlbaDove (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in SourceCodester Class and Exam Timetabling System 1.0. The affected element is an unknown function of the file /forsubject.php. This manipulation of the argument subject causes cross site scripting. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T20:30:08.129Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378110 | SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378110"
            },
            {
              "name": "VDB-378110 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378110/cti"
            },
            {
              "name": "CVE-2026-15595 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15595"
            },
            {
              "name": "Submit #855268 | sourcecodester  Class and Exam Timetabling System V1.0 cross site scripting",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855268"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/AlbaDove/cve/issues/6"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T16:07:44.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Class and Exam Timetabling System forsubject.php cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15595",
        "datePublished": "2026-07-13T20:30:08.129Z",
        "dateReserved": "2026-07-13T14:02:36.735Z",
        "dateUpdated": "2026-07-13T20:30:08.129Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15594 (GCVE-0-2026-15594)

    Vulnerability from cvelistv5 – Published: 2026-07-13 20:15 – Updated: 2026-07-13 20:15
    VLAI
    Title
    waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization
    Summary
    A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
    CWE
    • CWE-285 - Improper Authorization
    • CWE-266 - Incorrect Privilege Assignment
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/378109 vdb-entrytechnical-description
    https://vuldb.com/vuln/378109/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15594 third-party-advisory
    https://vuldb.com/submit/855264 third-party-advisory
    https://github.com/waooAI/waoowaoo/issues/201 exploitissue-tracking
    https://github.com/waooAI/waoowaoo/ product
    Impacted products
    Vendor Product Version
    waooAI waoowaoo Affected: 0.4.0
    Affected: 0.4.1
        cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Media Handler"
              ],
              "product": "waoowaoo",
              "vendor": "waooAI",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "affected",
                  "version": "0.4.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in waooAI waoowaoo up to 0.4.1. Impacted is the function stablePublicIdFromStorageKey in the library src/lib/media/hash.ts of the component Media Handler. The manipulation of the argument storageKey results in improper authorization. The attack may be performed from remote. The attack requires a high level of complexity. The exploitability is considered difficult. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:H/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.7,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 2.6,
                "vectorString": "AV:N/AC:H/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-285",
                  "description": "Improper Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-266",
                  "description": "Incorrect Privilege Assignment",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T20:15:10.868Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-378109 | waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/378109"
            },
            {
              "name": "VDB-378109 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/378109/cti"
            },
            {
              "name": "CVE-2026-15594 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15594"
            },
            {
              "name": "Submit #855264 | waooAI waoowaoo 0.4.1 Improper Access Control",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855264"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/waooAI/waoowaoo/issues/201"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/waooAI/waoowaoo/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T16:06:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "waooAI waoowaoo Media hash.ts stablePublicIdFromStorageKey improper authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15594",
        "datePublished": "2026-07-13T20:15:10.868Z",
        "dateReserved": "2026-07-13T14:01:13.127Z",
        "dateUpdated": "2026-07-13T20:15:10.868Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15559 (GCVE-0-2026-15559)

    Vulnerability from cvelistv5 – Published: 2026-07-13 12:00 – Updated: 2026-07-13 13:03
    VLAI
    Title
    CodeAstro Simple Online Leave Management System POST accept.php sql injection
    Summary
    A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. This affects an unknown part of the file /SimpleOnlineLeave/admin/accept.php of the component POST Handler. Performing a manipulation of the argument appid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377908 vdb-entrytechnical-description
    https://vuldb.com/vuln/377908/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15559 third-party-advisory
    https://vuldb.com/submit/855189 third-party-advisory
    https://github.com/sl1der-fr0g/Findings/issues/3 exploitissue-tracking
    https://codeastro.com/ product
    Impacted products
    Vendor Product Version
    CodeAstro Simple Online Leave Management System Affected: 1.0
        cpe:2.3:a:codeastro:simple_online_leave_management_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cshwswwsshd99 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15559",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:03:30.545173Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:03:35.884Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:codeastro:simple_online_leave_management_system:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "POST Handler"
              ],
              "product": "Simple Online Leave Management System",
              "vendor": "CodeAstro",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cshwswwsshd99 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in CodeAstro Simple Online Leave Management System 1.0. This affects an unknown part of the file /SimpleOnlineLeave/admin/accept.php of the component POST Handler. Performing a manipulation of the argument appid results in sql injection. The attack is possible to be carried out remotely. The exploit is now public and may be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T12:00:08.787Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377908 | CodeAstro Simple Online Leave Management System POST accept.php sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377908"
            },
            {
              "name": "VDB-377908 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377908/cti"
            },
            {
              "name": "CVE-2026-15559 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15559"
            },
            {
              "name": "Submit #855189 | codeastro  Simple Online Leave Management System V1.0 SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855189"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sl1der-fr0g/Findings/issues/3"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://codeastro.com/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T07:10:54.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "CodeAstro Simple Online Leave Management System POST accept.php sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15559",
        "datePublished": "2026-07-13T12:00:08.787Z",
        "dateReserved": "2026-07-13T05:05:47.193Z",
        "dateUpdated": "2026-07-13T13:03:35.884Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15558 (GCVE-0-2026-15558)

    Vulnerability from cvelistv5 – Published: 2026-07-13 11:30 – Updated: 2026-07-13 13:44
    VLAI
    Title
    CodeAstro Simple Online Leave Management System deletemp.php sql injection
    Summary
    A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377907 vdb-entrytechnical-description
    https://vuldb.com/vuln/377907/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15558 third-party-advisory
    https://vuldb.com/submit/855188 third-party-advisory
    https://github.com/sl1der-fr0g/Findings/issues/2 exploitissue-tracking
    https://codeastro.com/ product
    Impacted products
    Vendor Product Version
    CodeAstro Simple Online Leave Management System Affected: 1.0
        cpe:2.3:a:codeastro:simple_online_leave_management_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    cshwswwsshd99 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15558",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T13:44:29.944959Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T13:44:38.097Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:codeastro:simple_online_leave_management_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Simple Online Leave Management System",
              "vendor": "CodeAstro",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "cshwswwsshd99 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in CodeAstro Simple Online Leave Management System 1.0. Affected by this issue is some unknown functionality of the file /SimpleOnlineLeave/admin/deletemp.php. Such manipulation of the argument ID leads to sql injection. The attack can be executed remotely. The exploit has been disclosed publicly and may be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T11:30:08.876Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377907 | CodeAstro Simple Online Leave Management System deletemp.php sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377907"
            },
            {
              "name": "VDB-377907 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377907/cti"
            },
            {
              "name": "CVE-2026-15558 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15558"
            },
            {
              "name": "Submit #855188 | codeastro  Simple Online Leave Management System V1.0 SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855188"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/sl1der-fr0g/Findings/issues/2"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://codeastro.com/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T07:10:51.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "CodeAstro Simple Online Leave Management System deletemp.php sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15558",
        "datePublished": "2026-07-13T11:30:08.876Z",
        "dateReserved": "2026-07-13T05:05:45.068Z",
        "dateUpdated": "2026-07-13T13:44:38.097Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15557 (GCVE-0-2026-15557)

    Vulnerability from cvelistv5 – Published: 2026-07-13 09:30 – Updated: 2026-07-13 18:11
    VLAI
    Title
    waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication
    Summary
    A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377906 vdb-entrytechnical-description
    https://vuldb.com/vuln/377906/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15557 third-party-advisory
    https://vuldb.com/submit/855187 third-party-advisory
    https://github.com/waooAI/waoowaoo/issues/200 exploitissue-tracking
    https://github.com/waooAI/waoowaoo/ product
    Impacted products
    Vendor Product Version
    waooAI waoowaoo Affected: 0.4.0
    Affected: 0.4.1
        cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15557",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:07:18.524271Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:46.126Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:waooai:waoowaoo:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Internal Task Header Handler"
              ],
              "product": "waoowaoo",
              "vendor": "waooAI",
              "versions": [
                {
                  "status": "affected",
                  "version": "0.4.0"
                },
                {
                  "status": "affected",
                  "version": "0.4.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in waooAI waoowaoo up to 0.4.1. Affected by this vulnerability is the function getInternalTaskSession/getAuthSession/requireUserAuth/requireProjectAuth/requireProjectAuthLight in the library src/lib/api-auth.ts of the component Internal Task Header Handler. This manipulation of the argument x-internal-user-id request causes improper authentication. Remote exploitation of the attack is possible. The exploit has been made available to the public and could be used for attacks. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T09:30:09.319Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377906 | waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377906"
            },
            {
              "name": "VDB-377906 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377906/cti"
            },
            {
              "name": "CVE-2026-15557 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15557"
            },
            {
              "name": "Submit #855187 | waooAI waoowaoo 0.4.1 Improper Authentication",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855187"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/waooAI/waoowaoo/issues/200"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/waooAI/waoowaoo/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-13T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-13T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-13T07:08:58.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "waooAI waoowaoo Internal Task Header api-auth.ts requireProjectAuthLight improper authentication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15557",
        "datePublished": "2026-07-13T09:30:09.319Z",
        "dateReserved": "2026-07-13T05:03:01.385Z",
        "dateUpdated": "2026-07-13T18:11:46.126Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15548 (GCVE-0-2026-15548)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:45 – Updated: 2026-07-13 08:45
    VLAI
    Title
    Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow
    Summary
    A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub_407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely. This project is superseded by FreshTomato.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377898 vdb-entrytechnical-description
    https://vuldb.com/vuln/377898/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15548 third-party-advisory
    https://vuldb.com/submit/855121 third-party-advisory
    https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5R issue-tracking
    Impacted products
    Vendor Product Version
    Shibby Tomato Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28.0000
        cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Cormac315 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "DNS List Rendering"
              ],
              "product": "Tomato",
              "vendor": "Shibby",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28.0000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Cormac315 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in Shibby Tomato up to 1.28.0000. This vulnerability affects the function sub_407220 of the file /usr/sbin/httpd of the component DNS List Rendering. The manipulation leads to stack-based buffer overflow. The attack is possible to be carried out remotely. This project is superseded by FreshTomato."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 9,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:45:12.464Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377898 | Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377898"
            },
            {
              "name": "VDB-377898 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377898/cti"
            },
            {
              "name": "CVE-2026-15548 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15548"
            },
            {
              "name": "Submit #855121 | Tomato by Shibby Tomato Firmware  Tomato v1.28 RT-N5x MIPSR2 build 132 Max Stack-based Buffer Overflow",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855121"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5R"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T23:06:25.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Shibby Tomato DNS List Rendering httpd sub_407220 stack-based overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15548",
        "datePublished": "2026-07-13T08:45:12.464Z",
        "dateReserved": "2026-07-12T21:01:09.003Z",
        "dateUpdated": "2026-07-13T08:45:12.464Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15547 (GCVE-0-2026-15547)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:30 – Updated: 2026-07-13 14:27
    VLAI
    Title
    Shibby Tomato CIFS Mount sub_2D048 os command injection
    Summary
    A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This project is superseded by FreshTomato.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377897 vdb-entrytechnical-description
    https://vuldb.com/vuln/377897/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15547 third-party-advisory
    https://vuldb.com/submit/855117 third-party-advisory
    https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5P exploitissue-tracking
    Impacted products
    Vendor Product Version
    Shibby Tomato Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28.0000
        cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    VulDB Gitee Analyzer VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15547",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:27:33.166926Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:27:43.603Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "CIFS Mount Handler"
              ],
              "product": "Tomato",
              "vendor": "Shibby",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28.0000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB Gitee Analyzer"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in Shibby Tomato up to 1.28.0000. This affects the function sub_2D048 of the component CIFS Mount Handler. Executing a manipulation of the argument cifs1/cifs2 can lead to os command injection. The attack can be executed remotely. The exploit has been made available to the public and could be used for attacks. This project is superseded by FreshTomato."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:30:16.900Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377897 | Shibby Tomato CIFS Mount sub_2D048 os command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377897"
            },
            {
              "name": "VDB-377897 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377897/cti"
            },
            {
              "name": "CVE-2026-15547 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15547"
            },
            {
              "name": "Submit #855117 | Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855117"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5P"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T23:06:23.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Shibby Tomato CIFS Mount sub_2D048 os command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15547",
        "datePublished": "2026-07-13T08:30:16.900Z",
        "dateReserved": "2026-07-12T21:01:06.356Z",
        "dateUpdated": "2026-07-13T14:27:43.603Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15546 (GCVE-0-2026-15546)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:15 – Updated: 2026-07-13 18:37
    VLAI
    Title
    Shibby Tomato start_jffs2 sub_2D568 os command injection
    Summary
    A security flaw has been discovered in Shibby Tomato up to 1.28.0000. Affected by this issue is the function sub_2D568 of the component start_jffs2. Performing a manipulation of the argument jffs2_exec results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This project is superseded by FreshTomato.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377896 vdb-entrytechnical-description
    https://vuldb.com/vuln/377896/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15546 third-party-advisory
    https://vuldb.com/submit/855115 third-party-advisory
    https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5O exploitissue-tracking
    Impacted products
    Vendor Product Version
    Shibby Tomato Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28.0000
        cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    VulDB Gitee Analyzer VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15546",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:37:17.667667Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:37:30.207Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "references": [
              {
                "tags": [
                  "exploit"
                ],
                "url": "https://vuldb.com/submit/855115"
              }
            ],
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "start_jffs2"
              ],
              "product": "Tomato",
              "vendor": "Shibby",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28.0000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB Gitee Analyzer"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in Shibby Tomato up to 1.28.0000. Affected by this issue is the function sub_2D568 of the component start_jffs2. Performing a manipulation of the argument jffs2_exec results in os command injection. Remote exploitation of the attack is possible. The exploit has been released to the public and may be used for attacks. This project is superseded by FreshTomato."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-78",
                  "description": "OS Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-77",
                  "description": "Command Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:15:12.769Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377896 | Shibby Tomato start_jffs2 sub_2D568 os command injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377896"
            },
            {
              "name": "VDB-377896 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377896/cti"
            },
            {
              "name": "CVE-2026-15546 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15546"
            },
            {
              "name": "Submit #855115 | Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K OS Command Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855115"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5O"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T23:06:20.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Shibby Tomato start_jffs2 sub_2D568 os command injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15546",
        "datePublished": "2026-07-13T08:15:12.769Z",
        "dateReserved": "2026-07-12T21:01:03.730Z",
        "dateUpdated": "2026-07-13T18:37:30.207Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15545 (GCVE-0-2026-15545)

    Vulnerability from cvelistv5 – Published: 2026-07-13 08:00 – Updated: 2026-07-13 14:44
    VLAI
    Title
    Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write
    Summary
    A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly available and might be used. This project is superseded by FreshTomato.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377895 vdb-entrytechnical-description
    https://vuldb.com/vuln/377895/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15545 third-party-advisory
    https://vuldb.com/submit/855114 third-party-advisory
    https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5N exploitissue-tracking
    Impacted products
    Vendor Product Version
    Shibby Tomato Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28.0000
        cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    VulDB Gitee Analyzer VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15545",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:44:13.470062Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:44:19.548Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "apcupsd"
              ],
              "product": "Tomato",
              "vendor": "Shibby",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28.0000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB Gitee Analyzer"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in Shibby Tomato up to 1.28.0000. Affected by this vulnerability is the function main of the file www/apcupsd/tomatodata.cgi of the component apcupsd. Such manipulation leads to out-of-bounds write. The attack may be launched remotely. The exploit is publicly available and might be used. This project is superseded by FreshTomato."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 9,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-787",
                  "description": "Out-of-bounds Write",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T08:00:14.476Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377895 | Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377895"
            },
            {
              "name": "VDB-377895 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377895/cti"
            },
            {
              "name": "CVE-2026-15545 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15545"
            },
            {
              "name": "Submit #855114 | Tomato by Shibby Tomato Firmware Tomato v1.28.0000 -120 K26ARM USB AIO-64K Out-of-bounds Write",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855114"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5N"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T23:06:17.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Shibby Tomato apcupsd tomatodata.cgi main out-of-bounds write"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15545",
        "datePublished": "2026-07-13T08:00:14.476Z",
        "dateReserved": "2026-07-12T21:01:00.552Z",
        "dateUpdated": "2026-07-13T14:44:19.548Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15544 (GCVE-0-2026-15544)

    Vulnerability from cvelistv5 – Published: 2026-07-13 07:30 – Updated: 2026-07-13 15:23
    VLAI
    Title
    Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow
    Summary
    A vulnerability was determined in Shibby Tomato up to 1.28.0000. Affected is the function getupsvar of the file www/apcupsd/tomatodata.cgi of the component apcupsd. This manipulation of the argument Field causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377894 vdb-entrytechnical-description
    https://vuldb.com/vuln/377894/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15544 third-party-advisory
    https://vuldb.com/submit/855110 third-party-advisory
    https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5M exploitissue-tracking
    Impacted products
    Vendor Product Version
    Shibby Tomato Affected: 1.0
    Affected: 1.1
    Affected: 1.2
    Affected: 1.3
    Affected: 1.4
    Affected: 1.5
    Affected: 1.6
    Affected: 1.7
    Affected: 1.8
    Affected: 1.9
    Affected: 1.10
    Affected: 1.11
    Affected: 1.12
    Affected: 1.13
    Affected: 1.14
    Affected: 1.15
    Affected: 1.16
    Affected: 1.17
    Affected: 1.18
    Affected: 1.19
    Affected: 1.20
    Affected: 1.21
    Affected: 1.22
    Affected: 1.23
    Affected: 1.24
    Affected: 1.25
    Affected: 1.26
    Affected: 1.27
    Affected: 1.28.0000
        cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    VulDB Gitee Analyzer VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15544",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:23:08.728713Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:23:20.254Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:shibby:tomato:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "apcupsd"
              ],
              "product": "Tomato",
              "vendor": "Shibby",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                },
                {
                  "status": "affected",
                  "version": "1.1"
                },
                {
                  "status": "affected",
                  "version": "1.2"
                },
                {
                  "status": "affected",
                  "version": "1.3"
                },
                {
                  "status": "affected",
                  "version": "1.4"
                },
                {
                  "status": "affected",
                  "version": "1.5"
                },
                {
                  "status": "affected",
                  "version": "1.6"
                },
                {
                  "status": "affected",
                  "version": "1.7"
                },
                {
                  "status": "affected",
                  "version": "1.8"
                },
                {
                  "status": "affected",
                  "version": "1.9"
                },
                {
                  "status": "affected",
                  "version": "1.10"
                },
                {
                  "status": "affected",
                  "version": "1.11"
                },
                {
                  "status": "affected",
                  "version": "1.12"
                },
                {
                  "status": "affected",
                  "version": "1.13"
                },
                {
                  "status": "affected",
                  "version": "1.14"
                },
                {
                  "status": "affected",
                  "version": "1.15"
                },
                {
                  "status": "affected",
                  "version": "1.16"
                },
                {
                  "status": "affected",
                  "version": "1.17"
                },
                {
                  "status": "affected",
                  "version": "1.18"
                },
                {
                  "status": "affected",
                  "version": "1.19"
                },
                {
                  "status": "affected",
                  "version": "1.20"
                },
                {
                  "status": "affected",
                  "version": "1.21"
                },
                {
                  "status": "affected",
                  "version": "1.22"
                },
                {
                  "status": "affected",
                  "version": "1.23"
                },
                {
                  "status": "affected",
                  "version": "1.24"
                },
                {
                  "status": "affected",
                  "version": "1.25"
                },
                {
                  "status": "affected",
                  "version": "1.26"
                },
                {
                  "status": "affected",
                  "version": "1.27"
                },
                {
                  "status": "affected",
                  "version": "1.28.0000"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "tool",
              "value": "VulDB Gitee Analyzer"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in Shibby Tomato up to 1.28.0000. Affected is the function getupsvar of the file www/apcupsd/tomatodata.cgi of the component apcupsd. This manipulation of the argument Field causes stack-based buffer overflow. The attack may be initiated remotely. The exploit has been publicly disclosed and may be utilized. This project is superseded by FreshTomato."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 9,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-121",
                  "description": "Stack-based Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T07:30:14.239Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377894 | Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377894"
            },
            {
              "name": "VDB-377894 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377894/cti"
            },
            {
              "name": "CVE-2026-15544 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15544"
            },
            {
              "name": "Submit #855110 | Tomato by Shibby Tomato Firmware 1.28 Stack-based Buffer Overflow",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855110"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://gitee.com/Fengyi-Wang/CVE/issues/IJTQ5M"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T23:06:15.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Shibby Tomato apcupsd tomatodata.cgi getupsvar stack-based overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15544",
        "datePublished": "2026-07-13T07:30:14.239Z",
        "dateReserved": "2026-07-12T21:00:57.952Z",
        "dateUpdated": "2026-07-13T15:23:20.254Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15543 (GCVE-0-2026-15543)

    Vulnerability from cvelistv5 – Published: 2026-07-13 07:15 – Updated: 2026-07-13 18:11
    VLAI
    Title
    Tenda CH22 CertListInfo formCertListInfo buffer overflow
    Summary
    A vulnerability was found in Tenda CH22 1.0.0.1. This impacts the function formCertListInfo of the file /goform/CertListInfo. The manipulation of the argument Name results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: total
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    Tenda CH22 Affected: 1.0.0.1
        cpe:2.3:o:tenda:ch22_firmware:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    ysnysn0121 (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15543",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "total"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:06:20.580870Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:49.862Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:o:tenda:ch22_firmware:*:*:*:*:*:*:*:*"
              ],
              "product": "CH22",
              "vendor": "Tenda",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0.0.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "ysnysn0121 (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in Tenda CH22 1.0.0.1. This impacts the function formCertListInfo of the file /goform/CertListInfo. The manipulation of the argument Name results in buffer overflow. The attack can be launched remotely. The exploit has been made public and could be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 8.7,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 8.8,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 9,
                "vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-120",
                  "description": "Buffer Overflow",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-119",
                  "description": "Memory Corruption",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T07:15:09.242Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377893 | Tenda CH22 CertListInfo formCertListInfo buffer overflow",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377893"
            },
            {
              "name": "VDB-377893 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377893/cti"
            },
            {
              "name": "CVE-2026-15543 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15543"
            },
            {
              "name": "Submit #855077 | Tenda CH22 V1.0.0.1 Buffer Overflow",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855077"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://candle-throne-f75.notion.site/Tenda-CH22-formCertListInfo-377df0aa11858088aabaeb0f5e1909c9"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.tenda.com.cn/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:19:52.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "Tenda CH22 CertListInfo formCertListInfo buffer overflow"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15543",
        "datePublished": "2026-07-13T07:15:09.242Z",
        "dateReserved": "2026-07-12T18:14:49.133Z",
        "dateUpdated": "2026-07-13T18:11:49.862Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15542 (GCVE-0-2026-15542)

    Vulnerability from cvelistv5 – Published: 2026-07-13 07:00 – Updated: 2026-07-13 07:00
    VLAI
    Title
    will-moss Isaiah Websocket Connection Authentication main.go improper authentication
    Summary
    A vulnerability has been found in will-moss Isaiah up to 1.36.9. This affects an unknown function of the file app/main.go of the component Websocket Connection Authentication. The manipulation leads to improper authentication. The attack can be initiated remotely. The pull request to fix this issue awaits acceptance.
    CWE
    • CWE-287 - Improper Authentication
    Assigner
    Impacted products
    Vendor Product Version
    will-moss Isaiah Affected: 1.36.0
    Affected: 1.36.1
    Affected: 1.36.2
    Affected: 1.36.3
    Affected: 1.36.4
    Affected: 1.36.5
    Affected: 1.36.6
    Affected: 1.36.7
    Affected: 1.36.8
    Affected: 1.36.9
        cpe:2.3:a:will-moss:isaiah:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:will-moss:isaiah:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Websocket Connection Authentication"
              ],
              "product": "Isaiah",
              "vendor": "will-moss",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.36.0"
                },
                {
                  "status": "affected",
                  "version": "1.36.1"
                },
                {
                  "status": "affected",
                  "version": "1.36.2"
                },
                {
                  "status": "affected",
                  "version": "1.36.3"
                },
                {
                  "status": "affected",
                  "version": "1.36.4"
                },
                {
                  "status": "affected",
                  "version": "1.36.5"
                },
                {
                  "status": "affected",
                  "version": "1.36.6"
                },
                {
                  "status": "affected",
                  "version": "1.36.7"
                },
                {
                  "status": "affected",
                  "version": "1.36.8"
                },
                {
                  "status": "affected",
                  "version": "1.36.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in will-moss Isaiah up to 1.36.9. This affects an unknown function of the file app/main.go of the component Websocket Connection Authentication. The manipulation leads to improper authentication. The attack can be initiated remotely. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-287",
                  "description": "Improper Authentication",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T07:00:09.998Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377892 | will-moss Isaiah Websocket Connection Authentication main.go improper authentication",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/377892"
            },
            {
              "name": "VDB-377892 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377892/cti"
            },
            {
              "name": "CVE-2026-15542 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15542"
            },
            {
              "name": "Submit #855075 | will-moss Isaiah 1.36.9 CWE-287 Improper Authentication",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855075"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/will-moss/isaiah/issues/33"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/will-moss/isaiah/pull/36"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/will-moss/isaiah/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:18:56.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "will-moss Isaiah Websocket Connection Authentication main.go improper authentication"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15542",
        "datePublished": "2026-07-13T07:00:09.998Z",
        "dateReserved": "2026-07-12T18:13:53.748Z",
        "dateUpdated": "2026-07-13T07:00:09.998Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15541 (GCVE-0-2026-15541)

    Vulnerability from cvelistv5 – Published: 2026-07-13 06:45 – Updated: 2026-07-13 14:28
    VLAI
    Title
    will-moss Isaiah Master Websocket server.go Server.Handle authorization
    Summary
    A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    will-moss Isaiah Affected: 1.36.0
    Affected: 1.36.1
    Affected: 1.36.2
    Affected: 1.36.3
    Affected: 1.36.4
    Affected: 1.36.5
    Affected: 1.36.6
    Affected: 1.36.7
    Affected: 1.36.8
    Affected: 1.36.9
        cpe:2.3:a:will-moss:isaiah:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15541",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:28:18.172388Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:28:26.935Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:will-moss:isaiah:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Master Websocket Handler"
              ],
              "product": "Isaiah",
              "vendor": "will-moss",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.36.0"
                },
                {
                  "status": "affected",
                  "version": "1.36.1"
                },
                {
                  "status": "affected",
                  "version": "1.36.2"
                },
                {
                  "status": "affected",
                  "version": "1.36.3"
                },
                {
                  "status": "affected",
                  "version": "1.36.4"
                },
                {
                  "status": "affected",
                  "version": "1.36.5"
                },
                {
                  "status": "affected",
                  "version": "1.36.6"
                },
                {
                  "status": "affected",
                  "version": "1.36.7"
                },
                {
                  "status": "affected",
                  "version": "1.36.8"
                },
                {
                  "status": "affected",
                  "version": "1.36.9"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in will-moss Isaiah up to 1.36.9. The impacted element is the function Server.Handle of the file app/server/server/server.go of the component Master Websocket Handler. Executing a manipulation of the argument Agent can lead to missing authorization. It is possible to launch the attack remotely. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-862",
                  "description": "Missing Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-863",
                  "description": "Incorrect Authorization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T06:45:10.052Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377891 | will-moss Isaiah Master Websocket server.go Server.Handle authorization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377891"
            },
            {
              "name": "VDB-377891 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377891/cti"
            },
            {
              "name": "CVE-2026-15541 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15541"
            },
            {
              "name": "Submit #855074 | will-moss Isaiah 1.36.9 CWE-862 Missing Authorization",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855074"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/will-moss/isaiah/issues/34"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/will-moss/isaiah/pull/35"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/will-moss/isaiah/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:17:31.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "will-moss Isaiah Master Websocket server.go Server.Handle authorization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15541",
        "datePublished": "2026-07-13T06:45:10.052Z",
        "dateReserved": "2026-07-12T18:12:28.084Z",
        "dateUpdated": "2026-07-13T14:28:26.935Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15540 (GCVE-0-2026-15540)

    Vulnerability from cvelistv5 – Published: 2026-07-13 06:30 – Updated: 2026-07-13 18:39 X_Freeware
    VLAI
    Title
    SourceCodester Online Book Store System Administrative index.php php file inclusion
    Summary
    A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/require statement in php program. It is possible to initiate the attack remotely. The exploit is now public and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-98 - Improper Control of Filename for Include/Require Statement in PHP Program
    • CWE-73 - File Inclusion
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377890 vdb-entrytechnical-description
    https://vuldb.com/vuln/377890/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15540 third-party-advisory
    https://vuldb.com/submit/855048 third-party-advisory
    https://medium.com/@hemantrajbhati5555/local-file… broken-linkexploit
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Online Book Store System Affected: 1.0
        cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Hemant Raj Bhati (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15540",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:39:23.588424Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:39:28.827Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Administrative Interface"
              ],
              "product": "Online Book Store System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hemant Raj Bhati (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in SourceCodester Online Book Store System 1.0. The affected element is an unknown function of the file /admin/index.php of the component Administrative Interface. Performing a manipulation of the argument page results in improper control of filename for include/require statement in php program. It is possible to initiate the attack remotely. The exploit is now public and may be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-98",
                  "description": "Improper Control of Filename for Include/Require Statement in PHP Program",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-73",
                  "description": "File Inclusion",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T06:30:08.672Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377890 | SourceCodester Online Book Store System Administrative index.php php file inclusion",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377890"
            },
            {
              "name": "VDB-377890 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377890/cti"
            },
            {
              "name": "CVE-2026-15540 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15540"
            },
            {
              "name": "Submit #855048 | SourceCodester Online Book Store System 1.0 Local File Inclusion",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855048"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-via-page-parameter-leading-to-source-code-disclosure-ce722de0c407"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:12:46.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Online Book Store System Administrative index.php php file inclusion"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15540",
        "datePublished": "2026-07-13T06:30:08.672Z",
        "dateReserved": "2026-07-12T18:07:43.505Z",
        "dateUpdated": "2026-07-13T18:39:28.827Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15539 (GCVE-0-2026-15539)

    Vulnerability from cvelistv5 – Published: 2026-07-13 06:15 – Updated: 2026-07-13 14:48 X_Freeware
    VLAI
    Title
    SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload
    Summary
    A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    SourceCodester Online Book Store System Affected: 1.0
        cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Hemant Raj Bhati (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15539",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:47:59.519430Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:48:07.777Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Book Image Upload Feature"
              ],
              "product": "Online Book Store System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Hemant Raj Bhati (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security vulnerability has been detected in SourceCodester Online Book Store System 1.0. Impacted is an unknown function of the file /admin/index.php?page=books of the component Book Image Upload Feature. Such manipulation leads to unrestricted upload. The attack may be performed from remote. The exploit has been disclosed publicly and may be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-434",
                  "description": "Unrestricted Upload",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T06:15:07.726Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377889 | SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload",
              "tags": [
                "vdb-entry"
              ],
              "url": "https://vuldb.com/vuln/377889"
            },
            {
              "name": "VDB-377889 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377889/cti"
            },
            {
              "name": "CVE-2026-15539 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15539"
            },
            {
              "name": "Submit #855046 | SourceCodester Online Book Store System 1.0 Remote Code Execution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855046"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://medium.com/@hemantrajbhati5555/critical-authenticated-remote-code-execution-rce-via-unrestricted-file-upload-5a4a313ea1f1"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:09:51.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Online Book Store System Book Image Upload Feature index.php books unrestricted upload"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15539",
        "datePublished": "2026-07-13T06:15:07.726Z",
        "dateReserved": "2026-07-12T18:04:47.797Z",
        "dateUpdated": "2026-07-13T14:48:07.777Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15538 (GCVE-0-2026-15538)

    Vulnerability from cvelistv5 – Published: 2026-07-13 06:00 – Updated: 2026-07-13 15:22 Unsupported When Assigned
    VLAI
    Title
    primefaces primereact API ObjectUtils.mutateFieldData prototype pollution
    Summary
    A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer.
    SSVC
    Exploitation: none Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-1321 - Improperly Controlled Modification of Object Prototype Attributes
    • CWE-94 - Code Injection
    Assigner
    References
    Impacted products
    Vendor Product Version
    primefaces primereact Affected: 10.9.0
    Affected: 10.9.1
    Affected: 10.9.2
    Affected: 10.9.3
    Affected: 10.9.4
    Affected: 10.9.5
    Affected: 10.9.6
    Affected: 10.9.7
    Affected: 10.9.8
        cpe:2.3:a:primefaces:primereact:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dremig (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15538",
                    "options": [
                      {
                        "Exploitation": "none"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:21:54.694785Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:22:07.104Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:primefaces:primereact:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "API"
              ],
              "product": "primereact",
              "vendor": "primefaces",
              "versions": [
                {
                  "status": "affected",
                  "version": "10.9.0"
                },
                {
                  "status": "affected",
                  "version": "10.9.1"
                },
                {
                  "status": "affected",
                  "version": "10.9.2"
                },
                {
                  "status": "affected",
                  "version": "10.9.3"
                },
                {
                  "status": "affected",
                  "version": "10.9.4"
                },
                {
                  "status": "affected",
                  "version": "10.9.5"
                },
                {
                  "status": "affected",
                  "version": "10.9.6"
                },
                {
                  "status": "affected",
                  "version": "10.9.7"
                },
                {
                  "status": "affected",
                  "version": "10.9.8"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dremig (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A weakness has been identified in primefaces primereact up to 10.9.8. This issue affects the function ObjectUtils.mutateFieldData of the component API. This manipulation of the argument Field causes improperly controlled modification of object prototype attributes. The attack is possible to be carried out remotely. The project was informed of the problem early through an issue report but has not responded yet. This vulnerability only affects products that are no longer supported by the maintainer."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-1321",
                  "description": "Improperly Controlled Modification of Object Prototype Attributes",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T06:00:11.115Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377888 | primefaces primereact API ObjectUtils.mutateFieldData prototype pollution",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377888"
            },
            {
              "name": "VDB-377888 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377888/cti"
            },
            {
              "name": "CVE-2026-15538 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15538"
            },
            {
              "name": "Submit #855024 | Node.js primereact 10.9.8 Prototype Pollution",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855024"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/primefaces/primereact/issues/8553"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/Mantle-UI/mantle-ui/issues/50"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/primefaces/primereact/"
            }
          ],
          "tags": [
            "unsupported-when-assigned"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:08:10.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "primefaces primereact API ObjectUtils.mutateFieldData prototype pollution"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15538",
        "datePublished": "2026-07-13T06:00:11.115Z",
        "dateReserved": "2026-07-12T18:03:07.553Z",
        "dateUpdated": "2026-07-13T15:22:07.104Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15537 (GCVE-0-2026-15537)

    Vulnerability from cvelistv5 – Published: 2026-07-13 05:45 – Updated: 2026-07-13 18:11 X_Freeware
    VLAI
    Title
    SourceCodester Online Book Store System login.php sql injection
    Summary
    A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377887 vdb-entrytechnical-description
    https://vuldb.com/vuln/377887/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15537 third-party-advisory
    https://vuldb.com/submit/855010 third-party-advisory
    https://medium.com/@gauravkumar67482/sql-injectio… broken-linkexploit
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Online Book Store System Affected: 1.0
        cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Gaurav kumar (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15537",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:07:20.645571Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:53.767Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Online Book Store System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gaurav kumar (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in SourceCodester Online Book Store System 1.0. This vulnerability affects unknown code of the file admin/login.php. The manipulation of the argument Username results in sql injection. The attack can be executed remotely. The exploit has been released to the public and may be used for attacks."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 7.3,
                "baseSeverity": "HIGH",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 7.5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T05:45:09.011Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377887 | SourceCodester Online Book Store System login.php sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377887"
            },
            {
              "name": "VDB-377887 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377887/cti"
            },
            {
              "name": "CVE-2026-15537 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15537"
            },
            {
              "name": "Submit #855010 | SourceCodester Online Book Store System 1.0 SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855010"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://medium.com/@gauravkumar67482/sql-injection-leading-to-authentication-bypass-43b773da1967"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:05:34.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Online Book Store System login.php sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15537",
        "datePublished": "2026-07-13T05:45:09.011Z",
        "dateReserved": "2026-07-12T18:00:30.574Z",
        "dateUpdated": "2026-07-13T18:11:53.767Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15536 (GCVE-0-2026-15536)

    Vulnerability from cvelistv5 – Published: 2026-07-13 05:30 – Updated: 2026-07-13 05:30 X_Freeware
    VLAI
    Title
    itsourcecode Hospital Management System patviewprescription.php sql injection
    Summary
    A vulnerability was identified in itsourcecode Hospital Management System 1.0. This affects an unknown part of the file /patviewprescription.php. The manipulation of the argument delid leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used.
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377886 vdb-entrytechnical-description
    https://vuldb.com/vuln/377886/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15536 third-party-advisory
    https://vuldb.com/submit/855008 third-party-advisory
    https://github.com/ltranquility/submit_vuln/issues/7 exploitissue-tracking
    https://itsourcecode.com/ product
    Impacted products
    Vendor Product Version
    itsourcecode Hospital Management System Affected: 1.0
        cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    in2io3jgeiow (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:itsourcecode:hospital_management_system:*:*:*:*:*:*:*:*"
              ],
              "product": "Hospital Management System",
              "vendor": "itsourcecode",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "in2io3jgeiow (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in itsourcecode Hospital Management System 1.0. This affects an unknown part of the file /patviewprescription.php. The manipulation of the argument delid leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and might be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-89",
                  "description": "SQL Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T05:30:09.461Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377886 | itsourcecode Hospital Management System patviewprescription.php sql injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377886"
            },
            {
              "name": "VDB-377886 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377886/cti"
            },
            {
              "name": "CVE-2026-15536 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15536"
            },
            {
              "name": "Submit #855008 | itsourcecode Hospital Management System V1.0 SQL Injection",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/855008"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/ltranquility/submit_vuln/issues/7"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://itsourcecode.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:04:26.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "itsourcecode Hospital Management System patviewprescription.php sql injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15536",
        "datePublished": "2026-07-13T05:30:09.461Z",
        "dateReserved": "2026-07-12T17:59:23.159Z",
        "dateUpdated": "2026-07-13T05:30:09.461Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15535 (GCVE-0-2026-15535)

    Vulnerability from cvelistv5 – Published: 2026-07-13 05:00 – Updated: 2026-07-13 14:59
    VLAI
    Title
    AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization
    Summary
    A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99. Affected by this issue is the function Indexer.deserialize_from of the file retrieval_lm/src/index.py of the component retrieval_lm. Executing a manipulation of the argument index_meta.faiss can lead to deserialization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    AkariAsai self-rag Affected: 1fcdc420e48f50a7d7ab1ece5494221b93252e99
        cpe:2.3:a:akariasai:self-rag:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem00000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15535",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T14:59:00.183386Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T14:59:55.663Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:akariasai:self-rag:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "retrieval_lm"
              ],
              "product": "self-rag",
              "vendor": "AkariAsai",
              "versions": [
                {
                  "status": "affected",
                  "version": "1fcdc420e48f50a7d7ab1ece5494221b93252e99"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem00000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was determined in AkariAsai self-rag up to 1fcdc420e48f50a7d7ab1ece5494221b93252e99. Affected by this issue is the function Indexer.deserialize_from of the file retrieval_lm/src/index.py of the component retrieval_lm. Executing a manipulation of the argument index_meta.faiss can lead to deserialization. The attack may be launched remotely. The exploit has been publicly disclosed and may be utilized. This product operates on a rolling release basis, ensuring continuous delivery. Consequently, there are no version details for either affected or updated releases. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "Deserialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T05:00:09.553Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377885 | AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377885"
            },
            {
              "name": "VDB-377885 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377885/cti"
            },
            {
              "name": "CVE-2026-15535 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15535"
            },
            {
              "name": "Submit #854999 | AkariAsai self-rag 1fcdc420e48f50a7d7ab1ece5494221b93252e99 Unsafe Deserialization / Integrity Bypass",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854999"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/AkariAsai/self-rag/issues/105"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/AkariAsai/self-rag/pull/106"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/AkariAsai/self-rag/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T20:01:22.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "AkariAsai self-rag retrieval_lm index.py Indexer.deserialize_from deserialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15535",
        "datePublished": "2026-07-13T05:00:09.553Z",
        "dateReserved": "2026-07-12T17:56:16.350Z",
        "dateUpdated": "2026-07-13T14:59:55.663Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15533 (GCVE-0-2026-15533)

    Vulnerability from cvelistv5 – Published: 2026-07-13 04:45 – Updated: 2026-07-13 19:22
    VLAI
    Title
    DedeCMS Column Management search.php code injection
    Summary
    A security flaw has been discovered in DedeCMS 5.7.118. Impacted is an unknown function of the file /plus/search.php of the component Column Management. Performing a manipulation of the argument Column Name results in code injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377878 vdb-entrytechnical-description
    https://vuldb.com/vuln/377878/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15533 third-party-advisory
    https://vuldb.com/submit/854988 third-party-advisory
    https://vuldb.com/submit/854989 third-party-advisory
    https://github.com/DunkBoyZz/cve/blob/cb7d6aa088d… exploit
    Impacted products
    Vendor Product Version
    n/a DedeCMS Affected: 5.7.118
        cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
    Credits
    dunkboy (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15533",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T19:22:11.612012Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T19:22:17.467Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Column Management"
              ],
              "product": "DedeCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "5.7.118"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "dunkboy (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A security flaw has been discovered in DedeCMS 5.7.118. Impacted is an unknown function of the file /plus/search.php of the component Column Management. Performing a manipulation of the argument Column Name results in code injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.1,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 4.7,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5.8,
                "vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-74",
                  "description": "Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T04:45:06.261Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377878 | DedeCMS Column Management search.php code injection",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377878"
            },
            {
              "name": "VDB-377878 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377878/cti"
            },
            {
              "name": "CVE-2026-15533 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15533"
            },
            {
              "name": "Submit #854988 | \u4e0a\u6d77\u5353\u5353\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8 DedeCMS 5.7.118 Command Shell in Externally Accessible Directory",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854988"
            },
            {
              "name": "Submit #854989 | \u4e0a\u6d77\u5353\u5353\u7f51\u7edc\u79d1\u6280\u6709\u9650\u516c\u53f8 DedeCMS 5.7.118 Command Shell in Externally Accessible Directory (Duplicate)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854989"
            },
            {
              "tags": [
                "exploit"
              ],
              "url": "https://github.com/DunkBoyZz/cve/blob/cb7d6aa088d5ae4b603399af0a3279c18b084f11/DedeCMS%20V5.7.118%20Column%20Name%20Cache%20File%20Writing%20RCE%20Vulnerability.docx"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T18:13:41.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "DedeCMS Column Management search.php code injection"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15533",
        "datePublished": "2026-07-13T04:45:06.261Z",
        "dateReserved": "2026-07-12T16:07:42.717Z",
        "dateUpdated": "2026-07-13T19:22:17.467Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15532 (GCVE-0-2026-15532)

    Vulnerability from cvelistv5 – Published: 2026-07-13 04:30 – Updated: 2026-07-13 15:51 X_Freeware
    VLAI
    Title
    SourceCodester Online Book Store System User Management cross site scripting
    Summary
    A vulnerability was identified in SourceCodester Online Book Store System 1.0. This issue affects some unknown processing of the component User Management Module. Such manipulation of the argument Name/Username leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377877 vdb-entrytechnical-description
    https://vuldb.com/vuln/377877/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15532 third-party-advisory
    https://vuldb.com/submit/854983 third-party-advisory
    https://medium.com/@gauravkumar67482/authenticate… broken-linkexploit
    https://www.sourcecodester.com/ product
    Impacted products
    Vendor Product Version
    SourceCodester Online Book Store System Affected: 1.0
        cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Gaurav kumar (VulDB User)
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15532",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:51:49.552657Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:51:56.052Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:sourcecodester:online_book_store_system:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "User Management Module"
              ],
              "product": "Online Book Store System",
              "vendor": "SourceCodester",
              "versions": [
                {
                  "status": "affected",
                  "version": "1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Gaurav kumar (VulDB User)"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was identified in SourceCodester Online Book Store System 1.0. This issue affects some unknown processing of the component User Management Module. Such manipulation of the argument Name/Username leads to cross site scripting. The attack can be executed remotely. The exploit is publicly available and might be used."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 2.4,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 3.3,
                "vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-79",
                  "description": "Cross Site Scripting",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-94",
                  "description": "Code Injection",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T04:30:08.174Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377877 | SourceCodester Online Book Store System User Management cross site scripting",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377877"
            },
            {
              "name": "VDB-377877 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377877/cti"
            },
            {
              "name": "CVE-2026-15532 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15532"
            },
            {
              "name": "Submit #854983 | SourceCodester Online Book Store System 1.0 Stored Cross-Site Scripting (Authenticated)",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854983"
            },
            {
              "tags": [
                "broken-link",
                "exploit"
              ],
              "url": "https://medium.com/@gauravkumar67482/authenticated-stored-cross-site-scripting-xss-in-user-management-module-2c2ba72b2cdf"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://www.sourcecodester.com/"
            }
          ],
          "tags": [
            "x_freeware"
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T18:05:18.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "SourceCodester Online Book Store System User Management cross site scripting"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15532",
        "datePublished": "2026-07-13T04:30:08.174Z",
        "dateReserved": "2026-07-12T16:00:14.084Z",
        "dateUpdated": "2026-07-13T15:51:56.052Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15531 (GCVE-0-2026-15531)

    Vulnerability from cvelistv5 – Published: 2026-07-13 04:15 – Updated: 2026-07-13 15:27
    VLAI
    Title
    yashbhalgat HashNeRF-pytorch Checkpoint File run_nerf.py torch.load deserialization
    Summary
    A vulnerability has been found in yashbhalgat HashNeRF-pytorch up to 82885e698295982504eb6a26d060a6b2473e3706. Affected by this issue is the function torch.load of the file run_nerf.py of the component Checkpoint File Handler. The manipulation of the argument ckpt_path leads to deserialization. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The pull request to fix this issue awaits acceptance.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    yashbhalgat HashNeRF-pytorch Affected: 82885e698295982504eb6a26d060a6b2473e3706
        cpe:2.3:a:yashbhalgat:hashnerf-pytorch:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15531",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:27:00.088732Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:27:17.248Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:yashbhalgat:hashnerf-pytorch:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Checkpoint File Handler"
              ],
              "product": "HashNeRF-pytorch",
              "vendor": "yashbhalgat",
              "versions": [
                {
                  "status": "affected",
                  "version": "82885e698295982504eb6a26d060a6b2473e3706"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability has been found in yashbhalgat HashNeRF-pytorch up to 82885e698295982504eb6a26d060a6b2473e3706. Affected by this issue is the function torch.load of the file run_nerf.py of the component Checkpoint File Handler. The manipulation of the argument ckpt_path leads to deserialization. The attack must be carried out locally. The exploit has been disclosed to the public and may be used. This product uses a rolling release model to deliver continuous updates. As a result, specific version information for affected or updated releases is not available. The pull request to fix this issue awaits acceptance."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 4.3,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "Deserialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T04:15:09.036Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377874 | yashbhalgat HashNeRF-pytorch Checkpoint File run_nerf.py torch.load deserialization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377874"
            },
            {
              "name": "VDB-377874 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377874/cti"
            },
            {
              "name": "CVE-2026-15531 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15531"
            },
            {
              "name": "Submit #854906 | Yash Bhalgat HashNeRF-pytorch Affected: repository version up to commit c49502ff492abca6243505961f1aa312 CWE-502 Deserialization of Untrusted Data",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854906"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/yashbhalgat/HashNeRF-pytorch/issues/49"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/yashbhalgat/HashNeRF-pytorch/pull/50"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/yashbhalgat/HashNeRF-pytorch/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T18:01:32.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "yashbhalgat HashNeRF-pytorch Checkpoint File run_nerf.py torch.load deserialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15531",
        "datePublished": "2026-07-13T04:15:09.036Z",
        "dateReserved": "2026-07-12T15:56:12.103Z",
        "dateUpdated": "2026-07-13T15:27:17.248Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15530 (GCVE-0-2026-15530)

    Vulnerability from cvelistv5 – Published: 2026-07-13 04:00 – Updated: 2026-07-13 18:11
    VLAI
    Title
    WuzhiCMS Attachment API index.php listimage information disclosure
    Summary
    A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment&f=index&v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: yes Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377873 vdb-entrytechnical-description
    https://vuldb.com/vuln/377873/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15530 third-party-advisory
    https://vuldb.com/submit/854588 third-party-advisory
    https://github.com/wuzhicms/wuzhicms/issues/217 exploitissue-tracking
    https://github.com/wuzhicms/wuzhicms/ product
    Impacted products
    Vendor Product Version
    n/a WuzhiCMS Affected: 4.0
    Affected: 4.1.0
        cpe:2.3:a:wuzhicms:wuzhicms:*:*:*:*:*:*:*:*
    Credits
    huluwa888 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15530",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "yes"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T18:07:22.449442Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T18:11:59.931Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:wuzhicms:wuzhicms:*:*:*:*:*:*:*:*"
              ],
              "modules": [
                "Attachment API"
              ],
              "product": "WuzhiCMS",
              "vendor": "n/a",
              "versions": [
                {
                  "status": "affected",
                  "version": "4.0"
                },
                {
                  "status": "affected",
                  "version": "4.1.0"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "huluwa888 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A flaw has been found in WuzhiCMS up to 4.1.0. Affected by this vulnerability is the function config/listimage of the file /index.php?m=attachment\u0026f=index\u0026v=upload of the component Attachment API. Executing a manipulation can lead to information disclosure. The attack can be launched remotely. The exploit has been published and may be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 6.9,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 5,
                "vectorString": "AV:N/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-200",
                  "description": "Information Disclosure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-284",
                  "description": "Improper Access Controls",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T04:00:08.752Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377873 | WuzhiCMS Attachment API index.php listimage information disclosure",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377873"
            },
            {
              "name": "VDB-377873 | CTI Indicators (IOB, IOC, TTP, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377873/cti"
            },
            {
              "name": "CVE-2026-15530 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15530"
            },
            {
              "name": "Submit #854588 | WuzhiCMS 4.1.0 Information Disclosure",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854588"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/wuzhicms/wuzhicms/issues/217"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/wuzhicms/wuzhicms/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T17:55:38.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "WuzhiCMS Attachment API index.php listimage information disclosure"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15530",
        "datePublished": "2026-07-13T04:00:08.752Z",
        "dateReserved": "2026-07-12T15:50:34.631Z",
        "dateUpdated": "2026-07-13T18:11:59.931Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15529 (GCVE-0-2026-15529)

    Vulnerability from cvelistv5 – Published: 2026-07-13 03:45 – Updated: 2026-07-13 03:45
    VLAI
    Title
    yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization
    Summary
    A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. Affected is the function pyod.utils.persistence.load of the file pyod/utils/persistence.py. Performing a manipulation of the argument path results in deserialization. The attack can be initiated remotely. The pull request to fix this issue requires some minor changes.
    CWE
    Assigner
    References
    Impacted products
    Vendor Product Version
    yzhao062 pyod Affected: 3.5.0
    Affected: 3.5.1
    Affected: 3.5.2
        cpe:2.3:a:yzhao062:pyod:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Dem0000000 (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:yzhao062:pyod:*:*:*:*:*:*:*:*"
              ],
              "product": "pyod",
              "vendor": "yzhao062",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.5.0"
                },
                {
                  "status": "affected",
                  "version": "3.5.1"
                },
                {
                  "status": "affected",
                  "version": "3.5.2"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Dem0000000 (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was detected in yzhao062 pyod 3.5.0/3.5.1/3.5.2. Affected is the function pyod.utils.persistence.load of the file pyod/utils/persistence.py. Performing a manipulation of the argument path results in deserialization. The attack can be initiated remotely. The pull request to fix this issue requires some minor changes."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 5.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 6.3,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 6.5,
                "vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:ND/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-502",
                  "description": "Deserialization",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            },
            {
              "descriptions": [
                {
                  "cweId": "CWE-20",
                  "description": "Improper Input Validation",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T03:45:08.697Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377872 | yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377872"
            },
            {
              "name": "VDB-377872 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377872/cti"
            },
            {
              "name": "CVE-2026-15529 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15529"
            },
            {
              "name": "Submit #854559 | Yue Zhao / yzhao062 pyod 3.5.0 through 3.5.2 CWE-502: Deserialization of Untrusted Data",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854559"
            },
            {
              "tags": [
                "issue-tracking"
              ],
              "url": "https://github.com/yzhao062/pyod/issues/697"
            },
            {
              "tags": [
                "issue-tracking",
                "patch"
              ],
              "url": "https://github.com/yzhao062/pyod/pull/698"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/yzhao062/pyod/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T17:52:27.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "yzhao062 pyod persistence.py pyod.utils.persistence.load deserialization"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15529",
        "datePublished": "2026-07-13T03:45:08.697Z",
        "dateReserved": "2026-07-12T15:47:24.318Z",
        "dateUpdated": "2026-07-13T03:45:08.697Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }

    CVE-2026-15528 (GCVE-0-2026-15528)

    Vulnerability from cvelistv5 – Published: 2026-07-13 03:15 – Updated: 2026-07-13 15:16
    VLAI
    Title
    lamaalrajih kicad-mcp path_validator.py protection mechanism
    Summary
    A vulnerability was found in lamaalrajih kicad-mcp up to 3.3.1. This issue affects some unknown processing of the file kicad_mcp/utils/path_validator.py. Performing a manipulation of the argument project_path/schematic_path results in protection mechanism failure. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet.
    SSVC
    Exploitation: poc Automatable: no Technical Impact: partial
    CISA Coordinator (v2.0.3)
    CWE
    • CWE-693 - Protection Mechanism Failure
    Assigner
    References
    URL Tags
    https://vuldb.com/vuln/377866 vdb-entrytechnical-description
    https://vuldb.com/vuln/377866/cti signaturepermissions-required
    https://vuldb.com/cve/CVE-2026-15528 third-party-advisory
    https://vuldb.com/submit/854531 third-party-advisory
    https://github.com/lamaalrajih/kicad-mcp/issues/57 exploitissue-tracking
    https://github.com/lamaalrajih/kicad-mcp/ product
    Impacted products
    Vendor Product Version
    lamaalrajih kicad-mcp Affected: 3.3.0
    Affected: 3.3.1
        cpe:2.3:a:lamaalrajih:kicad-mcp:*:*:*:*:*:*:*:*
    Create a notification for this product.
    Credits
    Mcfly_Zhang (VulDB User) VulDB CNA Team
    Show details on NVD website

    {
      "containers": {
        "adp": [
          {
            "metrics": [
              {
                "other": {
                  "content": {
                    "id": "CVE-2026-15528",
                    "options": [
                      {
                        "Exploitation": "poc"
                      },
                      {
                        "Automatable": "no"
                      },
                      {
                        "Technical Impact": "partial"
                      }
                    ],
                    "role": "CISA Coordinator",
                    "timestamp": "2026-07-13T15:09:08.963249Z",
                    "version": "2.0.3"
                  },
                  "type": "ssvc"
                }
              }
            ],
            "providerMetadata": {
              "dateUpdated": "2026-07-13T15:16:42.484Z",
              "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
              "shortName": "CISA-ADP"
            },
            "title": "CISA ADP Vulnrichment"
          }
        ],
        "cna": {
          "affected": [
            {
              "cpes": [
                "cpe:2.3:a:lamaalrajih:kicad-mcp:*:*:*:*:*:*:*:*"
              ],
              "product": "kicad-mcp",
              "vendor": "lamaalrajih",
              "versions": [
                {
                  "status": "affected",
                  "version": "3.3.0"
                },
                {
                  "status": "affected",
                  "version": "3.3.1"
                }
              ]
            }
          ],
          "credits": [
            {
              "lang": "en",
              "type": "reporter",
              "value": "Mcfly_Zhang (VulDB User)"
            },
            {
              "lang": "en",
              "type": "coordinator",
              "value": "VulDB CNA Team"
            }
          ],
          "descriptions": [
            {
              "lang": "en",
              "value": "A vulnerability was found in lamaalrajih kicad-mcp up to 3.3.1. This issue affects some unknown processing of the file kicad_mcp/utils/path_validator.py. Performing a manipulation of the argument project_path/schematic_path results in protection mechanism failure. Attacking locally is a requirement. The exploit has been made public and could be used. The project was informed of the problem early through an issue report but has not responded yet."
            }
          ],
          "metrics": [
            {
              "cvssV4_0": {
                "baseScore": 4.8,
                "baseSeverity": "MEDIUM",
                "vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
                "version": "4.0"
              }
            },
            {
              "cvssV3_1": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.1"
              }
            },
            {
              "cvssV3_0": {
                "baseScore": 3.3,
                "baseSeverity": "LOW",
                "vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
                "version": "3.0"
              }
            },
            {
              "cvssV2_0": {
                "baseScore": 1.7,
                "vectorString": "AV:L/AC:L/Au:S/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
                "version": "2.0"
              }
            }
          ],
          "problemTypes": [
            {
              "descriptions": [
                {
                  "cweId": "CWE-693",
                  "description": "Protection Mechanism Failure",
                  "lang": "en",
                  "type": "CWE"
                }
              ]
            }
          ],
          "providerMetadata": {
            "dateUpdated": "2026-07-13T03:15:09.151Z",
            "orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
            "shortName": "VulDB"
          },
          "references": [
            {
              "name": "VDB-377866 | lamaalrajih kicad-mcp path_validator.py protection mechanism",
              "tags": [
                "vdb-entry",
                "technical-description"
              ],
              "url": "https://vuldb.com/vuln/377866"
            },
            {
              "name": "VDB-377866 | CTI Indicators (IOB, IOC, IOA)",
              "tags": [
                "signature",
                "permissions-required"
              ],
              "url": "https://vuldb.com/vuln/377866/cti"
            },
            {
              "name": "CVE-2026-15528 | CVE Analysis and Report",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/cve/CVE-2026-15528"
            },
            {
              "name": "Submit #854531 | lamaalrajih kicad-mcp 3.3.1 Information Disclosure",
              "tags": [
                "third-party-advisory"
              ],
              "url": "https://vuldb.com/submit/854531"
            },
            {
              "tags": [
                "exploit",
                "issue-tracking"
              ],
              "url": "https://github.com/lamaalrajih/kicad-mcp/issues/57"
            },
            {
              "tags": [
                "product"
              ],
              "url": "https://github.com/lamaalrajih/kicad-mcp/"
            }
          ],
          "timeline": [
            {
              "lang": "en",
              "time": "2026-07-12T00:00:00.000Z",
              "value": "Advisory disclosed"
            },
            {
              "lang": "en",
              "time": "2026-07-12T02:00:00.000Z",
              "value": "VulDB entry created"
            },
            {
              "lang": "en",
              "time": "2026-07-12T14:58:25.000Z",
              "value": "VulDB entry last update"
            }
          ],
          "title": "lamaalrajih kicad-mcp path_validator.py protection mechanism"
        }
      },
      "cveMetadata": {
        "assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
        "assignerShortName": "VulDB",
        "cveId": "CVE-2026-15528",
        "datePublished": "2026-07-13T03:15:09.151Z",
        "dateReserved": "2026-07-12T12:53:22.698Z",
        "dateUpdated": "2026-07-13T15:16:42.484Z",
        "state": "PUBLISHED"
      },
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }