🔓
Missing Authentication Flaw in SimpleUI AjaxAdmin
Anyone running the affected SimpleUI release should mitigate or patch immediately. Public exploit availability makes this a high-priority issue even without confirmed active exploitation.
CVE-2026-16210 is a missing authentication vulnerability affecting newpanjing simpleui 2026.01.13 in the AjaxAdmin AJAX Endpoint’s self.get_action function. It allows remote attackers to access functionality without authentication. The vulnerability is rated CVSS 7.3 HIGH, and a public exploit is available while the project has not responded to the reported issue.
🔗 Read more 🔗
Source: NVD
🛡️
Gerapy Project Upload Endpoint Authentication Bypass
Organizations using Gerapy should apply the published patch as soon as possible. Public exploit disclosure raises the urgency for internet-exposed deployments.
CVE-2026-16209 is a missing authentication vulnerability affecting Gerapy up to 0.9.13 in the Project Upload Endpoint. Remote attackers can exploit the flaw without authentication. The issue is rated CVSS 7.3 HIGH, a public exploit has been disclosed, and patch bd4891c60315f17611a3b7a651ffe0fba7cfe71e is available.
🔗 Read more 🔗
Source: NVD
⚠️
Authorization Bug Exposes RT-Claw RPC Handler
Teams using affected RT-Claw versions should prioritize remediation, especially if the RPC interface is reachable remotely. Public exploit availability increases operational risk.
CVE-2026-16200 is an incorrect authorization vulnerability affecting zevorn rt-claw up to 0.2.0 in the claw_tool_invoke RPC handler. Remote attackers can exploit the authorization weakness. The vulnerability carries a CVSS 7.3 HIGH rating, and a public exploit has been disclosed.
🔗 Read more 🔗
Source: NVD
🚨
QueryWeaver Signup Flow Authentication Bypass
Patch this quickly if QueryWeaver is exposed to users. The vulnerability directly enables account takeover scenarios and should be treated as urgent.
CVE-2026-10130 is an authentication bypass vulnerability in QueryWeaver. An unauthenticated attacker can obtain a valid session token for an existing account by submitting a signup request with a known victim email address. The flaw is rated CVSS 8.2 HIGH and can result in account compromise without user interaction.
🔗 Read more 🔗
Source: NVD
💉
SQL Injection in Class and Exam Timetabling System
Administrators should patch or restrict access immediately. Public exploit availability makes internet-facing deployments especially vulnerable.
CVE-2026-16154 is a SQL injection vulnerability affecting SourceCodester Class and Exam Timetabling System 1.0 via /edit_room1.php. Manipulation of the ID parameter allows remote SQL injection. The vulnerability is rated CVSS 7.3 HIGH and a public exploit has been disclosed.
🔗 Read more 🔗
Source: NVD
🧨
SQL Injection Found in edit_rooma.php
Patch affected systems promptly and limit external exposure until fixed. Public exploit availability significantly raises the likelihood of opportunistic attacks.
CVE-2026-16152 is a SQL injection vulnerability affecting SourceCodester Class and Exam Timetabling System 1.0 through /edit_rooma.php. Attackers can exploit the ID parameter remotely. The issue is rated CVSS 7.3 HIGH, and public exploit code is available.
🔗 Read more 🔗
Source: NVD
🕷️
Stored XSS Can Lead to Account Takeover in LoLLMS
Users of the affected application should update as soon as fixes are available. Any deployment where users exchange messages should treat this as a high-priority client-side security issue.
CVE-2026-12228 is a stored cross-site scripting vulnerability affecting parisneo/lollms through the POST /api/prompts/share endpoint. Unsanitized prompt content is rendered with v-html, allowing authenticated attackers to execute arbitrary JavaScript when a victim opens a direct message. The flaw is rated CVSS 8.7 HIGH and can lead to authenticated actions, data exposure, and potential account takeover.
🔗 Read more 🔗
Source: NVD
💥
Heap Buffer Overflow in ProFTPD mod_sftp
Administrators running ProFTPD with mod_sftp should prioritize updates, particularly where untrusted users have SFTP access. Even though denial of service is the demonstrated impact, memory corruption deserves urgent attention.
CVE-2026-53994 is a heap-based buffer overflow in ProFTPD mod_sftp triggered by a malformed authenticated SFTP packet. The flaw can reliably crash a session, producing authenticated remote denial of service, with possible further impact depending on heap layout. It is rated CVSS 7.5 HIGH.
🔗 Read more 🔗
Source: NVD
🔍
SurrealDB Permission Enforcement Bypass
Database administrators should upgrade affected SurrealDB deployments. This is especially important for environments relying on field-level access controls.
CVE-2024-58367 affects SurrealDB versions before 2.0.4 by failing to properly enforce field permissions during SELECT, UPDATE, and DELETE operations. Authorized users can retrieve protected field values through multiple query techniques despite lacking permission. The vulnerability is rated CVSS 7.1 HIGH.
🔗 Read more 🔗
Source: NVD
⚡
Format String Vulnerability in SurrealDB
Upgrade promptly if scripting is enabled in SurrealDB. Environments granting scripting access should consider this an urgent fix due to the potential for code execution.
CVE-2024-58366 is a format string vulnerability affecting SurrealDB before 1.1.1 when scripting is enabled. Attackers with scripting privileges may read arbitrary memory or execute code with SurrealDB process privileges. The issue is rated CVSS 8.5 HIGH.
🔗 Read more 🔗
Source: NVD
🚨
RPC Signin Flaw Enables Privileged Database Actions
Patch affected SurrealDB versions immediately if the RPC API is exposed to untrusted users. The ability to perform privileged database operations makes this a critical operational concern.
CVE-2024-58362 affects SurrealDB before 1.5.5 and 2.0.0-beta before 2.0.0-beta.3 by insufficiently validating objects supplied to RPC signin and signup operations. An unauthenticated attacker can execute subqueries with elevated privileges against non-IAM resources. The vulnerability is rated CVSS 8.8 HIGH.
🔗 Read more 🔗
Source: NVD
📂
Unsafe Default Permissions in SurrealDB
Review deployments for affected versions and upgrade as soon as possible. Publicly exposed databases are at the greatest risk because insecure defaults can expose data and modification capabilities.
CVE-2023-54366 affects SurrealDB before 1.0.1 by assigning FULL table permissions instead of NONE by default. Users with database access, or unauthenticated users on publicly exposed instances, may perform unrestricted operations on unprotected tables. The vulnerability is rated CVSS 8.8 HIGH.
🔗 Read more 🔗
Source: NVD