Search criteria
ⓘ
Use full-text search for keyword queries.
Combine vendor, product, and sources to narrow results.
Enable “Apply ordering” to sort by dates instead of relevance.
13095 vulnerabilities
CVE-2026-5310 (GCVE-0-2026-5310)
Vulnerability from cvelistv5 – Published: 2026-04-01 16:30 – Updated: 2026-04-01 17:54
VLAI?
Title
Enter Software Iperius Backup IperiusAccounts.ini hard-coded key
Summary
A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key
. The attack must be carried out locally. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is publicly available and might be used. Upgrading to version 8.7.4 will fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Enter Software | Iperius Backup |
Affected:
8.7.0
Affected: 8.7.1 Affected: 8.7.2 Unaffected: 8.7.4 |
Credits
VulnaraByte (VulDB User)
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5310",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T17:52:04.996671Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T17:54:16.358Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Iperius Backup",
"vendor": "Enter Software",
"versions": [
{
"status": "affected",
"version": "8.7.0"
},
{
"status": "affected",
"version": "8.7.1"
},
{
"status": "affected",
"version": "8.7.2"
},
{
"status": "unaffected",
"version": "8.7.4"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "VulnaraByte (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Enter Software Iperius Backup up to 8.7.2. This impacts an unknown function of the file IperiusAccounts.ini. Such manipulation leads to use of hard-coded cryptographic key\r . The attack must be carried out locally. This attack is characterized by high complexity. The exploitability is said to be difficult. The exploit is publicly available and might be used. Upgrading to version 8.7.4 will fix this issue. It is suggested to upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 2,
"baseSeverity": "LOW",
"vectorString": "CVSS:4.0/AV:L/AC:H/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:N/A:N/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 1,
"vectorString": "AV:L/AC:H/Au:S/C:P/I:N/A:N/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-321",
"description": "Use of Hard-coded Cryptographic Key",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-320",
"description": "Key Management Error",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T16:30:21.522Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354639 | Enter Software Iperius Backup IperiusAccounts.ini hard-coded key",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354639"
},
{
"name": "VDB-354639 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354639/cti"
},
{
"name": "Submit #778602 | Iperius Iperius Backup \u003c= 8.7.2 Use of Hard-coded Cryptographic Key",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/778602"
},
{
"tags": [
"related"
],
"url": "https://github.com/VulnaraByte/iperius-backup-security-advisories"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/VulnaraByte/iperius-backup-security-advisories/blob/main/poc/decrypt_iperius.py"
},
{
"tags": [
"patch"
],
"url": "https://www.iperiusbackup.com/download-software-backup.aspx"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-01T14:07:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "Enter Software Iperius Backup IperiusAccounts.ini hard-coded key"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5310",
"datePublished": "2026-04-01T16:30:21.522Z",
"dateReserved": "2026-04-01T12:02:06.531Z",
"dateUpdated": "2026-04-01T17:54:16.358Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-1879 (GCVE-0-2026-1879)
Vulnerability from cvelistv5 – Published: 2026-04-01 10:00 – Updated: 2026-04-01 13:08
VLAI?
Title
Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload
Summary
A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Harvard University | IQSS Dataverse |
Affected:
6.0
Affected: 6.1 Affected: 6.2 Affected: 6.3 Affected: 6.4 Affected: 6.5 Affected: 6.6 Affected: 6.7 Affected: 6.8 Unaffected: 6.10 |
Credits
JustF0rFun (VulDB User)
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-1879",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:08:37.370000Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:08:49.098Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Theme Customization"
],
"product": "IQSS Dataverse",
"vendor": "Harvard University",
"versions": [
{
"status": "affected",
"version": "6.0"
},
{
"status": "affected",
"version": "6.1"
},
{
"status": "affected",
"version": "6.2"
},
{
"status": "affected",
"version": "6.3"
},
{
"status": "affected",
"version": "6.4"
},
{
"status": "affected",
"version": "6.5"
},
{
"status": "affected",
"version": "6.6"
},
{
"status": "affected",
"version": "6.7"
},
{
"status": "affected",
"version": "6.8"
},
{
"status": "unaffected",
"version": "6.10"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "JustF0rFun (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in Harvard University IQSS Dataverse up to 6.8. This affects an unknown function of the file /ThemeAndWidgets.xhtml of the component Theme Customization. Performing a manipulation of the argument uploadLogo results in unrestricted upload. Remote exploitation of the attack is possible. The exploit is now public and may be used. Upgrading to version 6.10 mitigates this issue. You should upgrade the affected component. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:O/RC:C",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:OF/RC:C",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T10:00:10.991Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354616 | Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354616"
},
{
"name": "VDB-354616 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354616/cti"
},
{
"name": "Submit #749003 | Harvard University Dataverse Project 6.8 build 1994-92d1ec8 Unrestricted Upload",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/749003"
},
{
"tags": [
"exploit"
],
"url": "https://gist.github.com/KaiqueFerreiraPeres/ba039887d7f894a7c38252314e0ef2cc"
},
{
"tags": [
"patch"
],
"url": "https://github.com/IQSS/dataverse/releases/tag/v6.10"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-04-01T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-04-01T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-04-01T11:22:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "Harvard University IQSS Dataverse Theme Customization ThemeAndWidgets.xhtml unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-1879",
"datePublished": "2026-04-01T10:00:10.991Z",
"dateReserved": "2026-02-04T07:49:19.915Z",
"dateUpdated": "2026-04-01T13:08:49.098Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5261 (GCVE-0-2026-5261)
Vulnerability from cvelistv5 – Published: 2026-04-01 08:15 – Updated: 2026-04-01 08:15
VLAI?
Title
Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload
Summary
A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| Shandong Hoteam | InforCenter PLM |
Affected:
8.3.0
Affected: 8.3.1 Affected: 8.3.2 Affected: 8.3.3 Affected: 8.3.4 Affected: 8.3.5 Affected: 8.3.6 Affected: 8.3.7 Affected: 8.3.8 |
Credits
0menc (VulDB User)
VulDB
{
"containers": {
"cna": {
"affected": [
{
"product": "InforCenter PLM",
"vendor": "Shandong Hoteam",
"versions": [
{
"status": "affected",
"version": "8.3.0"
},
{
"status": "affected",
"version": "8.3.1"
},
{
"status": "affected",
"version": "8.3.2"
},
{
"status": "affected",
"version": "8.3.3"
},
{
"status": "affected",
"version": "8.3.4"
},
{
"status": "affected",
"version": "8.3.5"
},
{
"status": "affected",
"version": "8.3.6"
},
{
"status": "affected",
"version": "8.3.7"
},
{
"status": "affected",
"version": "8.3.8"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "0menc (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Shandong Hoteam InforCenter PLM up to 8.3.8. The impacted element is the function uploadFileToIIS of the file /Base/BaseHandler.ashx. The manipulation of the argument File leads to unrestricted upload. It is possible to initiate the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-434",
"description": "Unrestricted Upload",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T08:15:55.111Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354450 | Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354450"
},
{
"name": "VDB-354450 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354450/cti"
},
{
"name": "Submit #780725 | Shandong Hoteam Software Co., Ltd. Huatian Software InforCenter PLM \u003c8.3.8 Remote Code Execution",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780725"
},
{
"tags": [
"exploit"
],
"url": "https://my.feishu.cn/docx/ToGkdd5jwokb4PxEMkHcKrfXn3b?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:30:52.000Z",
"value": "VulDB entry last update"
}
],
"title": "Shandong Hoteam InforCenter PLM BaseHandler.ashx uploadFileToIIS unrestricted upload"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5261",
"datePublished": "2026-04-01T08:15:55.111Z",
"dateReserved": "2026-03-31T16:25:46.805Z",
"dateUpdated": "2026-04-01T08:15:55.111Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5259 (GCVE-0-2026-5259)
Vulnerability from cvelistv5 – Published: 2026-04-01 07:30 – Updated: 2026-04-01 11:42
VLAI?
Title
AutohomeCorp frostmourne Alarm Preview AlarmController.java server-side request forgery
Summary
A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| AutohomeCorp | frostmourne |
Affected:
1.0
|
Credits
xcxr (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5259",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T11:42:02.303064Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T11:42:16.770Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Alarm Preview"
],
"product": "frostmourne",
"vendor": "AutohomeCorp",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "xcxr (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in AutohomeCorp frostmourne up to 1.0. The affected element is an unknown function of the file frostmourne-monitor/src/main/java/com/autohome/frostmourne/monitor/controller/AlarmController.java of the component Alarm Preview. Executing a manipulation can lead to server-side request forgery. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T07:30:51.295Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354449 | AutohomeCorp frostmourne Alarm Preview AlarmController.java server-side request forgery",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354449"
},
{
"name": "VDB-354449 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354449/cti"
},
{
"name": "Submit #780669 | AutohomeCorp frostmourne frostmourne \u003c= 1.0 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780669"
},
{
"tags": [
"exploit"
],
"url": "https://fx4tqqfvdw4.feishu.cn/docx/GE4GdxBxKoSvBOxhkTRcsawlnhc?from=from_copylink"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:27:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "AutohomeCorp frostmourne Alarm Preview AlarmController.java server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5259",
"datePublished": "2026-04-01T07:30:51.295Z",
"dateReserved": "2026-03-31T16:22:43.175Z",
"dateUpdated": "2026-04-01T11:42:16.770Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5258 (GCVE-0-2026-5258)
Vulnerability from cvelistv5 – Published: 2026-04-01 06:45 – Updated: 2026-04-01 19:05
VLAI?
Title
Sanster IOPaint File Manager file_manager.py _get_file path traversal
Summary
A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file iopaint/file_manager/file_manager.py of the component File Manager. Performing a manipulation of the argument filename results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
Yu_Bao (VulDB User)
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5258",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T19:05:47.291976Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:05:54.855Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"File Manager"
],
"product": "IOPaint",
"vendor": "Sanster",
"versions": [
{
"status": "affected",
"version": "1.5.3"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Yu_Bao (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in Sanster IOPaint 1.5.3. Impacted is the function _get_file of the file iopaint/file_manager/file_manager.py of the component File Manager. Performing a manipulation of the argument filename results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T06:45:12.484Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354448 | Sanster IOPaint File Manager file_manager.py _get_file path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354448"
},
{
"name": "VDB-354448 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354448/cti"
},
{
"name": "Submit #780666 | Sanster IOPaint 1.5.3 Path Traversal - Arbitrary File Read",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780666"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/August829/CVEP/issues/11"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:25:14.000Z",
"value": "VulDB entry last update"
}
],
"title": "Sanster IOPaint File Manager file_manager.py _get_file path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5258",
"datePublished": "2026-04-01T06:45:12.484Z",
"dateReserved": "2026-03-31T16:20:10.685Z",
"dateUpdated": "2026-04-01T19:05:54.855Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5257 (GCVE-0-2026-5257)
Vulnerability from cvelistv5 – Published: 2026-04-01 06:00 – Updated: 2026-04-01 15:50 X_Freeware
VLAI?
Title
code-projects Simple Laundry System Parameter delstaffinfo.php sql injection
Summary
A vulnerability has been found in code-projects Simple Laundry System 1.0. This issue affects some unknown processing of the file /delstaffinfo.php of the component Parameter Handler. Such manipulation of the argument userid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| code-projects | Simple Laundry System |
Affected:
1.0
cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:* |
Credits
ningfashui1996 (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5257",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:41:02.154398Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:50:17.586Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "Simple Laundry System",
"vendor": "code-projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "ningfashui1996 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in code-projects Simple Laundry System 1.0. This issue affects some unknown processing of the file /delstaffinfo.php of the component Parameter Handler. Such manipulation of the argument userid leads to sql injection. The attack can be executed remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T06:00:19.417Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354447 | code-projects Simple Laundry System Parameter delstaffinfo.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354447"
},
{
"name": "VDB-354447 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354447/cti"
},
{
"name": "Submit #780723 | code-projects Simple Laundry System V1.0 SQL injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780723"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/ningfashui123/louplus/issues/1"
},
{
"tags": [
"product"
],
"url": "https://code-projects.org/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:23:05.000Z",
"value": "VulDB entry last update"
}
],
"title": "code-projects Simple Laundry System Parameter delstaffinfo.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5257",
"datePublished": "2026-04-01T06:00:19.417Z",
"dateReserved": "2026-03-31T16:17:51.772Z",
"dateUpdated": "2026-04-01T15:50:17.586Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5256 (GCVE-0-2026-5256)
Vulnerability from cvelistv5 – Published: 2026-04-01 06:00 – Updated: 2026-04-01 13:10 X_Freeware
VLAI?
Title
code-projects Simple Laundry System Parameter modify.php sql injection
Summary
A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| code-projects | Simple Laundry System |
Affected:
1.0
cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:* |
Credits
fftt (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5256",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:10:39.312515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:10:46.469Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "Simple Laundry System",
"vendor": "code-projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fftt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in code-projects Simple Laundry System 1.0. This vulnerability affects unknown code of the file /modify.php of the component Parameter Handler. This manipulation of the argument firstName causes sql injection. Remote exploitation of the attack is possible. The exploit has been published and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T06:00:17.225Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354446 | code-projects Simple Laundry System Parameter modify.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354446"
},
{
"name": "VDB-354446 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354446/cti"
},
{
"name": "Submit #780618 | code-projects Simple Laundry System V1.0 SQL injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780618"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/kunlan567-boop/test/issues/1"
},
{
"tags": [
"product"
],
"url": "https://code-projects.org/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:23:00.000Z",
"value": "VulDB entry last update"
}
],
"title": "code-projects Simple Laundry System Parameter modify.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5256",
"datePublished": "2026-04-01T06:00:17.225Z",
"dateReserved": "2026-03-31T16:17:48.737Z",
"dateUpdated": "2026-04-01T13:10:46.469Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5255 (GCVE-0-2026-5255)
Vulnerability from cvelistv5 – Published: 2026-04-01 05:15 – Updated: 2026-04-01 05:15 X_Freeware
VLAI?
Title
code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting
Summary
A vulnerability was detected in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /delstaffinfo.php of the component Parameter Handler. The manipulation of the argument userid results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| code-projects | Simple Laundry System |
Affected:
1.0
cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:* |
Credits
fftt (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:code-projects:simple_laundry_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "Simple Laundry System",
"vendor": "code-projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "fftt (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in code-projects Simple Laundry System 1.0. This affects an unknown part of the file /delstaffinfo.php of the component Parameter Handler. The manipulation of the argument userid results in cross site scripting. The attack may be launched remotely. The exploit is now public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T05:15:14.164Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354445 | code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354445"
},
{
"name": "VDB-354445 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354445/cti"
},
{
"name": "Submit #780617 | code-projects Simple Laundry System V1.0 cross site scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780617"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/kunlan567-boop/test/issues/2"
},
{
"tags": [
"product"
],
"url": "https://code-projects.org/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:22:57.000Z",
"value": "VulDB entry last update"
}
],
"title": "code-projects Simple Laundry System Parameter delstaffinfo.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5255",
"datePublished": "2026-04-01T05:15:14.164Z",
"dateReserved": "2026-03-31T16:17:45.849Z",
"dateUpdated": "2026-04-01T05:15:14.164Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5254 (GCVE-0-2026-5254)
Vulnerability from cvelistv5 – Published: 2026-04-01 04:15 – Updated: 2026-04-01 11:46
VLAI?
Title
welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting
Summary
A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| welovemedia | FFmate |
Affected:
2.0.0
Affected: 2.0.1 Affected: 2.0.2 Affected: 2.0.3 Affected: 2.0.4 Affected: 2.0.5 Affected: 2.0.6 Affected: 2.0.7 Affected: 2.0.8 Affected: 2.0.9 Affected: 2.0.10 Affected: 2.0.11 Affected: 2.0.12 Affected: 2.0.13 Affected: 2.0.14 Affected: 2.0.15 |
Credits
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5254",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T11:43:19.114846Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T11:46:56.167Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Webhook Handler"
],
"product": "FFmate",
"vendor": "welovemedia",
"versions": [
{
"status": "affected",
"version": "2.0.0"
},
{
"status": "affected",
"version": "2.0.1"
},
{
"status": "affected",
"version": "2.0.2"
},
{
"status": "affected",
"version": "2.0.3"
},
{
"status": "affected",
"version": "2.0.4"
},
{
"status": "affected",
"version": "2.0.5"
},
{
"status": "affected",
"version": "2.0.6"
},
{
"status": "affected",
"version": "2.0.7"
},
{
"status": "affected",
"version": "2.0.8"
},
{
"status": "affected",
"version": "2.0.9"
},
{
"status": "affected",
"version": "2.0.10"
},
{
"status": "affected",
"version": "2.0.11"
},
{
"status": "affected",
"version": "2.0.12"
},
{
"status": "affected",
"version": "2.0.13"
},
{
"status": "affected",
"version": "2.0.14"
},
{
"status": "affected",
"version": "2.0.15"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in welovemedia FFmate up to 2.0.15. Affected by this issue is some unknown functionality of the file /ui/app/components/AppJsonTreeView.vue of the component Webhook Handler. The manipulation leads to cross site scripting. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T04:15:13.335Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354444 | welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354444"
},
{
"name": "VDB-354444 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354444/cti"
},
{
"name": "Submit #780615 | welovemedia FFmate \u003c= v2.0.15 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780615"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/ffmate/vulnerability-2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:20:58.000Z",
"value": "VulDB entry last update"
}
],
"title": "welovemedia FFmate Webhook AppJsonTreeView.vue cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5254",
"datePublished": "2026-04-01T04:15:13.335Z",
"dateReserved": "2026-03-31T16:15:53.686Z",
"dateUpdated": "2026-04-01T11:46:56.167Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5253 (GCVE-0-2026-5253)
Vulnerability from cvelistv5 – Published: 2026-04-01 03:15 – Updated: 2026-04-01 19:05
VLAI?
Title
bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting
Summary
A weakness has been identified in bufanyun HotGo 1.0/2.0. Affected by this vulnerability is an unknown functionality of the file /web/src/layout/components/Header/MessageList.vue of the component editNotice Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5253",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T19:05:21.578944Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:05:29.371Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"editNotice Endpoint"
],
"product": "HotGo",
"vendor": "bufanyun",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in bufanyun HotGo 1.0/2.0. Affected by this vulnerability is an unknown functionality of the file /web/src/layout/components/Header/MessageList.vue of the component editNotice Endpoint. Executing a manipulation can lead to cross site scripting. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T03:15:16.089Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354443 | bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354443"
},
{
"name": "VDB-354443 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354443/cti"
},
{
"name": "Submit #780614 | bufanyun HotGo \u003c= v2.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780614"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/hotgo/vulnerability-2"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:18:26.000Z",
"value": "VulDB entry last update"
}
],
"title": "bufanyun HotGo editNotice Endpoint MessageList.vue cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5253",
"datePublished": "2026-04-01T03:15:16.089Z",
"dateReserved": "2026-03-31T16:13:21.226Z",
"dateUpdated": "2026-04-01T19:05:29.371Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5252 (GCVE-0-2026-5252)
Vulnerability from cvelistv5 – Published: 2026-04-01 03:15 – Updated: 2026-04-01 15:50
VLAI?
Title
z-9527 admin Message Create Endpoint message.js cross site scripting
Summary
A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5252",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:43:00.387032Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:50:24.439Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Message Create Endpoint"
],
"product": "admin",
"vendor": "z-9527",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in z-9527 admin 1.0/2.0. Affected is an unknown function of the file /server/routes/message.js of the component Message Create Endpoint. Performing a manipulation results in cross site scripting. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T03:15:13.404Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354442 | z-9527 admin Message Create Endpoint message.js cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354442"
},
{
"name": "VDB-354442 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354442/cti"
},
{
"name": "Submit #780613 | z-9527 admin \u2264 commit 72aaf2d Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780613"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-10"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:16:48.000Z",
"value": "VulDB entry last update"
}
],
"title": "z-9527 admin Message Create Endpoint message.js cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5252",
"datePublished": "2026-04-01T03:15:13.404Z",
"dateReserved": "2026-03-31T16:11:40.802Z",
"dateUpdated": "2026-04-01T15:50:24.439Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5251 (GCVE-0-2026-5251)
Vulnerability from cvelistv5 – Published: 2026-04-01 02:30 – Updated: 2026-04-01 13:12
VLAI?
Title
z-9527 admin User Update Endpoint user.js dynamically-determined object attributes
Summary
A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Credits
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5251",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:12:39.257313Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:12:46.568Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"User Update Endpoint"
],
"product": "admin",
"vendor": "z-9527",
"versions": [
{
"status": "affected",
"version": "1.0"
},
{
"status": "affected",
"version": "2.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in z-9527 admin 1.0/2.0. This impacts an unknown function of the file /server/routes/user.js of the component User Update Endpoint. Such manipulation of the argument isAdmin with the input 1 leads to dynamically-determined object attributes. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T02:30:14.392Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354441 | z-9527 admin User Update Endpoint user.js dynamically-determined object attributes",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354441"
},
{
"name": "VDB-354441 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354441/cti"
},
{
"name": "Submit #780607 | z-9527 admin \u2264 commit 72aaf2d Dynamically-Determined Object Attributes",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780607"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/CC-T-454455/Vulnerabilities/tree/master/z9527-admin/vulnerability-11"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:16:45.000Z",
"value": "VulDB entry last update"
}
],
"title": "z-9527 admin User Update Endpoint user.js dynamically-determined object attributes"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5251",
"datePublished": "2026-04-01T02:30:14.392Z",
"dateReserved": "2026-03-31T16:11:37.477Z",
"dateUpdated": "2026-04-01T13:12:46.568Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5249 (GCVE-0-2026-5249)
Vulnerability from cvelistv5 – Published: 2026-04-01 01:30 – Updated: 2026-04-01 01:30
VLAI?
Title
gougucms Record Endpoint record.html cross site scripting
Summary
A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \gougucms-master\app\admin\view\user\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
thinhnee (VulDB User)
VulDB
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*"
],
"modules": [
"Record Endpoint"
],
"product": "gougucms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.08.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "thinhnee (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in gougucms 4.08.18. This impacts an unknown function of the file \\gougucms-master\\app\\admin\\view\\user\\record.html of the component Record Endpoint. Performing a manipulation of the argument value.content results in cross site scripting. It is possible to initiate the attack remotely. The exploit has been made public and could be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 3.5,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4,
"vectorString": "AV:N/AC:L/Au:S/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T01:30:16.723Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354430 | gougucms Record Endpoint record.html cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354430"
},
{
"name": "VDB-354430 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354430/cti"
},
{
"name": "Submit #780716 | \u52fe\u80a1\u5f00\u6e90 gougucms v4.08.18 Stored XSS",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780716"
},
{
"tags": [
"exploit"
],
"url": "https://thinhneee.github.io/posts/gougu-blind-xss/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:06:07.000Z",
"value": "VulDB entry last update"
}
],
"title": "gougucms Record Endpoint record.html cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5249",
"datePublished": "2026-04-01T01:30:16.723Z",
"dateReserved": "2026-03-31T16:00:50.059Z",
"dateUpdated": "2026-04-01T01:30:16.723Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5248 (GCVE-0-2026-5248)
Vulnerability from cvelistv5 – Published: 2026-04-01 00:45 – Updated: 2026-04-01 12:14
VLAI?
Title
gougucms User Registration Login.php reg_submit dynamically-determined object attributes
Summary
A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\app\home\controller\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
Credits
thinhnee (VulDB User)
VulDB
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5248",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:12:35.114498Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:14:32.764Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:gougucms:gougucms:*:*:*:*:*:*:*:*"
],
"modules": [
"User Registration Handler"
],
"product": "gougucms",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.08.18"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "thinhnee (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in gougucms 4.08.18. This affects the function reg_submit of the file gougucms-master\\app\\home\\controller\\Login.php of the component User Registration Handler. Such manipulation of the argument level leads to dynamically-determined object attributes. The attack may be performed from remote. The exploit has been disclosed to the public and may be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-915",
"description": "Dynamically-Determined Object Attributes",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-913",
"description": "Dynamically-Managed Code Resources",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T00:45:12.460Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354429 | gougucms User Registration Login.php reg_submit dynamically-determined object attributes",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354429"
},
{
"name": "VDB-354429 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354429/cti"
},
{
"name": "Submit #780589 | \u52fe\u80a1\u5f00\u6e90 gougucms v4.08.18 Business Logic Errors",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780589"
},
{
"tags": [
"exploit"
],
"url": "https://thinhneee.github.io/posts/gougu-mass-assign/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T18:06:04.000Z",
"value": "VulDB entry last update"
}
],
"title": "gougucms User Registration Login.php reg_submit dynamically-determined object attributes"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5248",
"datePublished": "2026-04-01T00:45:12.460Z",
"dateReserved": "2026-03-31T16:00:46.705Z",
"dateUpdated": "2026-04-01T12:14:32.764Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5240 (GCVE-0-2026-5240)
Vulnerability from cvelistv5 – Published: 2026-03-31 23:45 – Updated: 2026-04-01 19:03 X_Freeware
VLAI?
Title
code-projects BloodBank Managing System admin_state.php cross site scripting
Summary
A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| code-projects | BloodBank Managing System |
Affected:
1.0
|
Credits
AhmadMarzouk (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5240",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T19:02:59.146860Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T19:03:08.962Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "BloodBank Managing System",
"vendor": "code-projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "AhmadMarzouk (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in code-projects BloodBank Managing System 1.0. This affects an unknown part of the file /admin_state.php. The manipulation of the argument statename leads to cross site scripting. It is possible to initiate the attack remotely. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5,
"vectorString": "AV:N/AC:L/Au:N/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T23:45:13.436Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354390 | code-projects BloodBank Managing System admin_state.php cross site scripting",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354390"
},
{
"name": "VDB-354390 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354390/cti"
},
{
"name": "Submit #780525 | code-projects Blood Bank Managing System PHP 1.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780525"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/ahmadmarz10-hub/CVEsMarz/blob/main/Stored%20Cross-Site%20Scripting%20(XSS)%20in%20Blood%20Bank%20Managing%20System%20PHP%20statename%20Parameter.md"
},
{
"tags": [
"product"
],
"url": "https://code-projects.org/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T16:22:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "code-projects BloodBank Managing System admin_state.php cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5240",
"datePublished": "2026-03-31T23:45:13.436Z",
"dateReserved": "2026-03-31T14:17:07.427Z",
"dateUpdated": "2026-04-01T19:03:08.962Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5238 (GCVE-0-2026-5238)
Vulnerability from cvelistv5 – Published: 2026-03-31 23:45 – Updated: 2026-04-01 15:52 X_Freeware
VLAI?
Title
itsourcecode Payroll Management System Parameter view_employee.php sql injection
Summary
A weakness has been identified in itsourcecode Payroll Management System 1.0. Affected by this issue is some unknown functionality of the file /view_employee.php of the component Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| itsourcecode | Payroll Management System |
Affected:
1.0
cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:* |
Credits
s1incere (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5238",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:20:25.268340Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:52:15.064Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "Payroll Management System",
"vendor": "itsourcecode",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "s1incere (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A weakness has been identified in itsourcecode Payroll Management System 1.0. Affected by this issue is some unknown functionality of the file /view_employee.php of the component Parameter Handler. Executing a manipulation of the argument ID can lead to sql injection. The attack may be performed from remote. The exploit has been made available to the public and could be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T23:45:10.870Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354389 | itsourcecode Payroll Management System Parameter view_employee.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354389"
},
{
"name": "VDB-354389 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354389/cti"
},
{
"name": "Submit #780475 | itsourcecode Payroll Management System - V1.0 Argument Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780475"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/K4ptor/itsourcecode-Payroll-Management-System-V1.0-SQL-Injection2"
},
{
"tags": [
"product"
],
"url": "https://itsourcecode.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T16:19:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "itsourcecode Payroll Management System Parameter view_employee.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5238",
"datePublished": "2026-03-31T23:45:10.870Z",
"dateReserved": "2026-03-31T14:14:40.980Z",
"dateUpdated": "2026-04-01T15:52:15.064Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5237 (GCVE-0-2026-5237)
Vulnerability from cvelistv5 – Published: 2026-03-31 23:00 – Updated: 2026-04-01 13:21 X_Freeware
VLAI?
Title
itsourcecode Payroll Management System Parameter manage_user.php sql injection
Summary
A security flaw has been discovered in itsourcecode Payroll Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /manage_user.php of the component Parameter Handler. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| itsourcecode | Payroll Management System |
Affected:
1.0
cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:* |
Credits
s1incere (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5237",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:21:25.072514Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:21:33.845Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:itsourcecode:payroll_management_system:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "Payroll Management System",
"vendor": "itsourcecode",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "s1incere (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security flaw has been discovered in itsourcecode Payroll Management System 1.0. Affected by this vulnerability is an unknown functionality of the file /manage_user.php of the component Parameter Handler. Performing a manipulation of the argument ID results in sql injection. The attack is possible to be carried out remotely. The exploit has been released to the public and may be used for attacks."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T23:00:22.205Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354388 | itsourcecode Payroll Management System Parameter manage_user.php sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354388"
},
{
"name": "VDB-354388 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354388/cti"
},
{
"name": "Submit #780474 | itsourcecode Payroll Management System - V1.0 Argument Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780474"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/K4ptor/itsourcecode-Payroll-Management-System-V1.0-SQL-Injection"
},
{
"tags": [
"product"
],
"url": "https://itsourcecode.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T16:19:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "itsourcecode Payroll Management System Parameter manage_user.php sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5237",
"datePublished": "2026-03-31T23:00:22.205Z",
"dateReserved": "2026-03-31T14:14:36.810Z",
"dateUpdated": "2026-04-01T13:21:33.845Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5236 (GCVE-0-2026-5236)
Vulnerability from cvelistv5 – Published: 2026-03-31 23:00 – Updated: 2026-03-31 23:00 X_Freeware
VLAI?
Title
Axiomatic Bento4 DSI v1 Ap4Dac4Atom.cpp SkipBits heap-based overflow
Summary
A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of the file Ap4Dac4Atom.cpp of the component DSI v1 Parser. Such manipulation of the argument n_presentations leads to heap-based buffer overflow. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
Credits
breakingbad (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bento4:bento4:*:*:*:*:*:*:*:*"
],
"modules": [
"DSI v1 Parser"
],
"product": "Bento4",
"vendor": "Axiomatic",
"versions": [
{
"status": "affected",
"version": "1.6.0-641"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "breakingbad (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in Axiomatic Bento4 up to 1.6.0-641. Affected is the function AP4_BitReader::SkipBits of the file Ap4Dac4Atom.cpp of the component DSI v1 Parser. Such manipulation of the argument n_presentations leads to heap-based buffer overflow. The attack needs to be performed locally. The exploit is publicly available and might be used. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T23:00:19.377Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354387 | Axiomatic Bento4 DSI v1 Ap4Dac4Atom.cpp SkipBits heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354387"
},
{
"name": "VDB-354387 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354387/cti"
},
{
"name": "Submit #780473 | Bento4 \u003c=1.6.0-641 Memory Corruption",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780473"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/axiomatic-systems/Bento4/issues/1059"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/axiomatic-systems/Bento4/issues/1059#issue-4078584738"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T16:14:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "Axiomatic Bento4 DSI v1 Ap4Dac4Atom.cpp SkipBits heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5236",
"datePublished": "2026-03-31T23:00:19.377Z",
"dateReserved": "2026-03-31T14:08:36.184Z",
"dateUpdated": "2026-03-31T23:00:19.377Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5235 (GCVE-0-2026-5235)
Vulnerability from cvelistv5 – Published: 2026-03-31 22:15 – Updated: 2026-04-01 12:26 X_Freeware
VLAI?
Title
Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow
Summary
A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
Credits
breakingbad (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5235",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:25:12.265664Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:26:03.529Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:bento4:bento4:*:*:*:*:*:*:*:*"
],
"modules": [
"MP4 File Parser"
],
"product": "Bento4",
"vendor": "Axiomatic",
"versions": [
{
"status": "affected",
"version": "1.6.0-641"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "breakingbad (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Axiomatic Bento4 up to 1.6.0-641. This impacts the function AP4_BitReader::ReadCache of the file Ap4Dac4Atom.cpp of the component MP4 File Parser. This manipulation causes heap-based buffer overflow. The attack needs to be launched locally. The exploit has been publicly disclosed and may be utilized. The project was informed of the problem early through an issue report but has not responded yet."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:L/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 4.3,
"vectorString": "AV:L/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-122",
"description": "Heap-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T22:15:13.447Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354386 | Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354386"
},
{
"name": "VDB-354386 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354386/cti"
},
{
"name": "Submit #780472 | Bento4 \u003c=1.6.0-641 Memory Corruption",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780472"
},
{
"tags": [
"issue-tracking"
],
"url": "https://github.com/axiomatic-systems/Bento4/issues/1058"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/axiomatic-systems/Bento4/issues/1058#issue-4078583078"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T16:14:23.000Z",
"value": "VulDB entry last update"
}
],
"title": "Axiomatic Bento4 MP4 File Ap4Dac4Atom.cpp ReadCache heap-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5235",
"datePublished": "2026-03-31T22:15:13.447Z",
"dateReserved": "2026-03-31T14:08:31.340Z",
"dateUpdated": "2026-04-01T12:26:03.529Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5215 (GCVE-0-2026-5215)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:15 – Updated: 2026-04-01 18:46
VLAI?
Title
D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control
Summary
A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_get_ipv6 of the file /cgi-bin/network_mgr.cgi. Such manipulation leads to improper access controls. The exploit is publicly available and might be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20260205
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Ziyue Xie (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5215",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:46:15.471970Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:46:26.685Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ziyue Xie (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The impacted element is the function cgi_get_ipv6 of the file /cgi-bin/network_mgr.cgi. Such manipulation leads to improper access controls. The exploit is publicly available and might be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:A/AC:L/AT:N/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:A/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:A/AC:L/Au:N/C:P/I:N/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-284",
"description": "Improper Access Controls",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-266",
"description": "Incorrect Privilege Assignment",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:15:19.202Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354351 | D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354351"
},
{
"name": "VDB-354351 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354351/cti"
},
{
"name": "Submit #780440 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Improper Access Controls",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780440"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_170/170.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:35:16.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 network_mgr.cgi cgi_get_ipv6 access control"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5215",
"datePublished": "2026-03-31T21:15:19.202Z",
"dateReserved": "2026-03-31T10:29:41.841Z",
"dateUpdated": "2026-04-01T18:46:26.685Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5214 (GCVE-0-2026-5214)
Vulnerability from cvelistv5 – Published: 2026-03-31 21:15 – Updated: 2026-04-01 15:53
VLAI?
Title
D-Link DNS-1550-04 account_mgr.cgi cgi_addgroup_get_group_quota_minsize stack-based overflow
Summary
A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function cgi_addgroup_get_group_quota_minsize of the file /cgi-bin/account_mgr.cgi. The manipulation of the argument Name results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20260205
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Ziyue Xie (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5214",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T15:38:40.244697Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T15:53:13.104Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ziyue Xie (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. Impacted is the function cgi_addgroup_get_group_quota_minsize of the file /cgi-bin/account_mgr.cgi. The manipulation of the argument Name results in stack-based buffer overflow. The attack may be performed from remote. The exploit has been made public and could be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T21:15:14.464Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354349 | D-Link DNS-1550-04 account_mgr.cgi cgi_addgroup_get_group_quota_minsize stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354349"
},
{
"name": "VDB-354349 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354349/cti"
},
{
"name": "Submit #780439 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780439"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_169/169.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:35:06.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 account_mgr.cgi cgi_addgroup_get_group_quota_minsize stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5214",
"datePublished": "2026-03-31T21:15:14.464Z",
"dateReserved": "2026-03-31T10:29:38.215Z",
"dateUpdated": "2026-04-01T15:53:13.104Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5213 (GCVE-0-2026-5213)
Vulnerability from cvelistv5 – Published: 2026-03-31 20:15 – Updated: 2026-04-01 13:41
VLAI?
Title
D-Link DNS-1550-04 account_mgr.cgi cgi_adduser_to_session stack-based overflow
Summary
A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_adduser_to_session of the file /cgi-bin/account_mgr.cgi. This manipulation of the argument read_list causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20260205
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Ziyue Xie (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5213",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:41:23.464600Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:41:31.158Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ziyue Xie (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. The affected element is the function cgi_adduser_to_session of the file /cgi-bin/account_mgr.cgi. This manipulation of the argument read_list causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T20:15:18.498Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354350 | D-Link DNS-1550-04 account_mgr.cgi cgi_adduser_to_session stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354350"
},
{
"name": "VDB-354350 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354350/cti"
},
{
"name": "Submit #780437 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780437"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_168/168.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:35:09.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 account_mgr.cgi cgi_adduser_to_session stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5213",
"datePublished": "2026-03-31T20:15:18.498Z",
"dateReserved": "2026-03-31T10:29:35.164Z",
"dateUpdated": "2026-04-01T13:41:31.158Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5212 (GCVE-0-2026-5212)
Vulnerability from cvelistv5 – Published: 2026-03-31 20:15 – Updated: 2026-03-31 20:15
VLAI?
Title
D-Link DNS-1550-04 webdav_mgr.cgi Webdav_Upload_File stack-based overflow
Summary
A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function Webdav_Upload_File of the file /cgi-bin/webdav_mgr.cgi. The manipulation of the argument f_file leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used.
Severity ?
Assigner
References
| URL | Tags | |||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20260205
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Ziyue Xie (VulDB User)
{
"containers": {
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ziyue Xie (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This issue affects the function Webdav_Upload_File of the file /cgi-bin/webdav_mgr.cgi. The manipulation of the argument f_file leads to stack-based buffer overflow. The attack is possible to be carried out remotely. The exploit has been disclosed to the public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T20:15:13.429Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354348 | D-Link DNS-1550-04 webdav_mgr.cgi Webdav_Upload_File stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354348"
},
{
"name": "VDB-354348 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354348/cti"
},
{
"name": "Submit #780435 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780435"
},
{
"name": "Submit #780436 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Stack-based Buffer Overflow (Duplicate)",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780436"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_166/166.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:34:50.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 webdav_mgr.cgi Webdav_Upload_File stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5212",
"datePublished": "2026-03-31T20:15:13.429Z",
"dateReserved": "2026-03-31T10:29:30.918Z",
"dateUpdated": "2026-03-31T20:15:13.429Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5211 (GCVE-0-2026-5211)
Vulnerability from cvelistv5 – Published: 2026-03-31 19:30 – Updated: 2026-04-01 12:32
VLAI?
Title
D-Link DNS-1550-04 app_mgr.cgi UPnP_AV_Server_Path_Del stack-based overflow
Summary
A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function UPnP_AV_Server_Path_Del of the file /cgi-bin/app_mgr.cgi. Executing a manipulation of the argument f_dir can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | |||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| D-Link | DNS-120 |
Affected:
20260205
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
|
|||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
Credits
Ziyue Xie (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5211",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T12:28:53.734289Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T12:32:31.520Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "DNS-120",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-202L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-315L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-320LW",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-321",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-322L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-323",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-325",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-327L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNR-326",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-340L",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-343",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-345",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-726-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1100-4",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1200-05",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
},
{
"product": "DNS-1550-04",
"vendor": "D-Link",
"versions": [
{
"status": "affected",
"version": "20260205"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ziyue Xie (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A flaw has been found in D-Link DNS-120, DNR-202L, DNS-315L, DNS-320, DNS-320L, DNS-320LW, DNS-321, DNR-322L, DNS-323, DNS-325, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05 and DNS-1550-04 up to 20260205. This vulnerability affects the function UPnP_AV_Server_Path_Del of the file /cgi-bin/app_mgr.cgi. Executing a manipulation of the argument f_dir can lead to stack-based buffer overflow. The attack can be executed remotely. The exploit has been published and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T19:30:17.872Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354347 | D-Link DNS-1550-04 app_mgr.cgi UPnP_AV_Server_Path_Del stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354347"
},
{
"name": "VDB-354347 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354347/cti"
},
{
"name": "Submit #780434 | D-Link DNS-120/202L/315L/320/320L/320LW/321/322L/323/325/326/327L/326/340L/343/345/726-4/1100-4/1200-05/1550-04 up to 20260205 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780434"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/wudipjq/my_vuln/blob/main/D-Link8/vuln_165/165.md"
},
{
"tags": [
"product"
],
"url": "https://www.dlink.com/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:34:47.000Z",
"value": "VulDB entry last update"
}
],
"title": "D-Link DNS-1550-04 app_mgr.cgi UPnP_AV_Server_Path_Del stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5211",
"datePublished": "2026-03-31T19:30:17.872Z",
"dateReserved": "2026-03-31T10:29:27.201Z",
"dateUpdated": "2026-04-01T12:32:31.520Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5210 (GCVE-0-2026-5210)
Vulnerability from cvelistv5 – Published: 2026-03-31 18:30 – Updated: 2026-04-01 18:35 X_Freeware
VLAI?
Title
SourceCodester Leave Application System file inclusion
Summary
A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used.
Severity ?
CWE
- CWE-73 - File Inclusion
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SourceCodester | Leave Application System |
Affected:
1.0
|
Credits
Hemant Raj Bhati (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5210",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T18:35:02.338690Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T18:35:09.571Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "Leave Application System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was detected in SourceCodester Leave Application System 1.0. This affects an unknown part. Performing a manipulation of the argument page results in file inclusion. Remote exploitation of the attack is possible. The exploit is now public and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 6.9,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 7.3,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 7.5,
"vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-73",
"description": "File Inclusion",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:30:14.803Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354346 | SourceCodester Leave Application System file inclusion",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354346"
},
{
"name": "VDB-354346 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354346/cti"
},
{
"name": "Submit #780419 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Local File Inclusion",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780419"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/local-file-inclusion-lfi-in-leave-application-system-php-sqlite3-4e095bb7ee40"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:23:33.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Leave Application System file inclusion"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5210",
"datePublished": "2026-03-31T18:30:14.803Z",
"dateReserved": "2026-03-31T10:18:25.536Z",
"dateUpdated": "2026-04-01T18:35:09.571Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5209 (GCVE-0-2026-5209)
Vulnerability from cvelistv5 – Published: 2026-03-31 18:30 – Updated: 2026-03-31 20:30 X_Freeware
VLAI?
Title
SourceCodester Leave Application System User Management cross site scripting
Summary
A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| SourceCodester | Leave Application System |
Affected:
1.0
|
Credits
Hemant Raj Bhati (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5209",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T20:30:32.902818Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T20:30:43.222Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"User Management Handler"
],
"product": "Leave Application System",
"vendor": "SourceCodester",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Hemant Raj Bhati (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in SourceCodester Leave Application System 1.0. Affected by this issue is some unknown functionality of the component User Management Handler. Such manipulation leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 4.8,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:P/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 2.4,
"baseSeverity": "LOW",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:R/S:U/C:N/I:L/A:N/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 3.3,
"vectorString": "AV:N/AC:L/Au:M/C:N/I:P/A:N/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-79",
"description": "Cross Site Scripting",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-94",
"description": "Code Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T18:30:12.047Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354345 | SourceCodester Leave Application System User Management cross site scripting",
"tags": [
"vdb-entry"
],
"url": "https://vuldb.com/vuln/354345"
},
{
"name": "VDB-354345 | CTI Indicators (IOB, IOC, TTP)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354345/cti"
},
{
"name": "Submit #780417 | SourceCodester Leave Application System in PHP and SQLite3 1.0 Cross Site Scripting",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780417"
},
{
"tags": [
"broken-link",
"exploit"
],
"url": "https://medium.com/@hemantrajbhati5555/stored-cross-site-scripting-xss-in-php-leave-application-system-3260c881a1fa"
},
{
"tags": [
"product"
],
"url": "https://www.sourcecodester.com/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T12:23:30.000Z",
"value": "VulDB entry last update"
}
],
"title": "SourceCodester Leave Application System User Management cross site scripting"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5209",
"datePublished": "2026-03-31T18:30:12.047Z",
"dateReserved": "2026-03-31T10:18:21.484Z",
"dateUpdated": "2026-03-31T20:30:43.222Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5206 (GCVE-0-2026-5206)
Vulnerability from cvelistv5 – Published: 2026-03-31 17:30 – Updated: 2026-04-01 13:57 X_Freeware
VLAI?
Title
code-projects Simple Gym Management System Payment sql injection
Summary
A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| code-projects | Simple Gym Management System |
Affected:
1.0
|
Credits
nomath (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5206",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-01T13:57:46.721784Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-01T13:57:53.811Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"modules": [
"Payment Handler"
],
"product": "Simple Gym Management System",
"vendor": "code-projects",
"versions": [
{
"status": "affected",
"version": "1.0"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "nomath (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A security vulnerability has been detected in code-projects Simple Gym Management System 1.0. This vulnerability affects unknown code of the component Payment Handler. The manipulation of the argument Payment_id/Amount/customer_id/payment_type/customer_name leads to sql injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-89",
"description": "SQL Injection",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-74",
"description": "Injection",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T17:30:13.639Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354336 | code-projects Simple Gym Management System Payment sql injection",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354336"
},
{
"name": "VDB-354336 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354336/cti"
},
{
"name": "Submit #780406 | code-projects Simple Gym Management System 1.0 SQL Injection",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780406"
},
{
"tags": [
"exploit",
"issue-tracking"
],
"url": "https://github.com/maidangdang1/CVE/issues/5"
},
{
"tags": [
"product"
],
"url": "https://code-projects.org/"
}
],
"tags": [
"x_freeware"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T10:57:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "code-projects Simple Gym Management System Payment sql injection"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5206",
"datePublished": "2026-03-31T17:30:13.639Z",
"dateReserved": "2026-03-31T08:52:35.942Z",
"dateUpdated": "2026-04-01T13:57:53.811Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5205 (GCVE-0-2026-5205)
Vulnerability from cvelistv5 – Published: 2026-03-31 16:30 – Updated: 2026-03-31 16:30
VLAI?
Title
chatwoot Webhook API trigger.rb Trigger server-side request forgery
Summary
A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.
Severity ?
CWE
- CWE-918 - Server-Side Request Forgery
Assigner
References
| URL | Tags | ||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||
Impacted products
Credits
Ghufran Khan (VulDB User)
VulDB
{
"containers": {
"cna": {
"affected": [
{
"modules": [
"Webhook API"
],
"product": "chatwoot",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "4.11.0"
},
{
"status": "affected",
"version": "4.11.1"
},
{
"status": "affected",
"version": "4.11.2"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "Ghufran Khan (VulDB User)"
},
{
"lang": "en",
"type": "coordinator",
"value": "VulDB"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was identified in chatwoot up to 4.11.2. Affected by this vulnerability is the function Webhooks::Trigger in the library lib/webhooks/trigger.rb of the component Webhook API. Such manipulation of the argument url leads to server-side request forgery. The attack can be launched remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 6.5,
"vectorString": "AV:N/AC:L/Au:S/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-918",
"description": "Server-Side Request Forgery",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T16:30:11.076Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354333 | chatwoot Webhook API trigger.rb Trigger server-side request forgery",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354333"
},
{
"name": "VDB-354333 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354333/cti"
},
{
"name": "Submit #780305 | Chatwoot 4.11.2 Server-Side Request Forgery",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780305"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T10:53:40.000Z",
"value": "VulDB entry last update"
}
],
"title": "chatwoot Webhook API trigger.rb Trigger server-side request forgery"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5205",
"datePublished": "2026-03-31T16:30:11.076Z",
"dateReserved": "2026-03-31T08:48:35.949Z",
"dateUpdated": "2026-03-31T16:30:11.076Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5204 (GCVE-0-2026-5204)
Vulnerability from cvelistv5 – Published: 2026-03-31 15:45 – Updated: 2026-03-31 16:02
VLAI?
Title
Tenda CH22 Parameter webtypelibrary formWebTypeLibrary stack-based overflow
Summary
A vulnerability was determined in Tenda CH22 1.0.0.1. Affected is the function formWebTypeLibrary of the file /goform/webtypelibrary of the component Parameter Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.
Severity ?
Assigner
References
| URL | Tags | ||||||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
|||||||||||||||||
Impacted products
Credits
LtzHust2 (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5204",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T16:02:31.737999Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T16:02:44.391Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:o:tenda:ch22_firmware:*:*:*:*:*:*:*:*"
],
"modules": [
"Parameter Handler"
],
"product": "CH22",
"vendor": "Tenda",
"versions": [
{
"status": "affected",
"version": "1.0.0.1"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "LtzHust2 (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was determined in Tenda CH22 1.0.0.1. Affected is the function formWebTypeLibrary of the file /goform/webtypelibrary of the component Parameter Handler. This manipulation of the argument webSiteId causes stack-based buffer overflow. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized."
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 8.7,
"baseSeverity": "HIGH",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 8.8,
"baseSeverity": "HIGH",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 9,
"vectorString": "AV:N/AC:L/Au:S/C:C/I:C/A:C/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-121",
"description": "Stack-based Buffer Overflow",
"lang": "en",
"type": "CWE"
}
]
},
{
"descriptions": [
{
"cweId": "CWE-119",
"description": "Memory Corruption",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:45:13.000Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354332 | Tenda CH22 Parameter webtypelibrary formWebTypeLibrary stack-based overflow",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354332"
},
{
"name": "VDB-354332 | CTI Indicators (IOB, IOC, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354332/cti"
},
{
"name": "Submit #780209 | Tenda CH22 V1.0.0.1 Stack-based Buffer Overflow",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/780209"
},
{
"tags": [
"exploit"
],
"url": "https://github.com/Litengzheng/vuldb_new/blob/main/CH22/vul_49/README.md"
},
{
"tags": [
"product"
],
"url": "https://www.tenda.com.cn/"
}
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T10:48:01.000Z",
"value": "VulDB entry last update"
}
],
"title": "Tenda CH22 Parameter webtypelibrary formWebTypeLibrary stack-based overflow"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5204",
"datePublished": "2026-03-31T15:45:13.000Z",
"dateReserved": "2026-03-31T08:42:55.909Z",
"dateUpdated": "2026-03-31T16:02:44.391Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-5203 (GCVE-0-2026-5203)
Vulnerability from cvelistv5 – Published: 2026-03-31 15:45 – Updated: 2026-03-31 17:35 X_Open Source
VLAI?
Title
CMS Made Simple UserGuide Module XML Import class.UserGuideImporterExporter.php _copyFilesToFolder path traversal
Summary
A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function _copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This issue has been reported early to the project. They confirmed, that "this has already been discovered and fixed for the next release."
Severity ?
CWE
- CWE-22 - Path Traversal
Assigner
References
| URL | Tags | |||||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
|
||||||||||||||
Impacted products
| Vendor | Product | Version | ||
|---|---|---|---|---|
| n/a | CMS Made Simple |
Affected:
2.2.0
Affected: 2.2.1 Affected: 2.2.2 Affected: 2.2.3 Affected: 2.2.4 Affected: 2.2.5 Affected: 2.2.6 Affected: 2.2.7 Affected: 2.2.8 Affected: 2.2.9 Affected: 2.2.10 Affected: 2.2.11 Affected: 2.2.12 Affected: 2.2.13 Affected: 2.2.14 Affected: 2.2.15 Affected: 2.2.16 Affected: 2.2.17 Affected: 2.2.18 Affected: 2.2.19 Affected: 2.2.20 Affected: 2.2.21 Affected: 2.2.22 cpe:2.3:a:cms_made_simple:cms_made_simple:*:*:*:*:*:*:*:* |
Credits
caginkyr (VulDB User)
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-5203",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-31T17:35:26.772515Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T17:35:35.625Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"cpes": [
"cpe:2.3:a:cms_made_simple:cms_made_simple:*:*:*:*:*:*:*:*"
],
"modules": [
"UserGuide Module XML Import"
],
"product": "CMS Made Simple",
"vendor": "n/a",
"versions": [
{
"status": "affected",
"version": "2.2.0"
},
{
"status": "affected",
"version": "2.2.1"
},
{
"status": "affected",
"version": "2.2.2"
},
{
"status": "affected",
"version": "2.2.3"
},
{
"status": "affected",
"version": "2.2.4"
},
{
"status": "affected",
"version": "2.2.5"
},
{
"status": "affected",
"version": "2.2.6"
},
{
"status": "affected",
"version": "2.2.7"
},
{
"status": "affected",
"version": "2.2.8"
},
{
"status": "affected",
"version": "2.2.9"
},
{
"status": "affected",
"version": "2.2.10"
},
{
"status": "affected",
"version": "2.2.11"
},
{
"status": "affected",
"version": "2.2.12"
},
{
"status": "affected",
"version": "2.2.13"
},
{
"status": "affected",
"version": "2.2.14"
},
{
"status": "affected",
"version": "2.2.15"
},
{
"status": "affected",
"version": "2.2.16"
},
{
"status": "affected",
"version": "2.2.17"
},
{
"status": "affected",
"version": "2.2.18"
},
{
"status": "affected",
"version": "2.2.19"
},
{
"status": "affected",
"version": "2.2.20"
},
{
"status": "affected",
"version": "2.2.21"
},
{
"status": "affected",
"version": "2.2.22"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "reporter",
"value": "caginkyr (VulDB User)"
}
],
"descriptions": [
{
"lang": "en",
"value": "A vulnerability was found in CMS Made Simple up to 2.2.22. This impacts the function _copyFilesToFolder in the library modules/UserGuide/lib/class.UserGuideImporterExporter.php of the component UserGuide Module XML Import. The manipulation results in path traversal. It is possible to launch the attack remotely. The exploit has been made public and could be used. This issue has been reported early to the project. They confirmed, that \"this has already been discovered and fixed for the next release.\""
}
],
"metrics": [
{
"cvssV4_0": {
"baseScore": 5.1,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:H/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:P",
"version": "4.0"
}
},
{
"cvssV3_1": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.1"
}
},
{
"cvssV3_0": {
"baseScore": 4.7,
"baseSeverity": "MEDIUM",
"vectorString": "CVSS:3.0/AV:N/AC:L/PR:H/UI:N/S:U/C:L/I:L/A:L/E:P/RL:X/RC:R",
"version": "3.0"
}
},
{
"cvssV2_0": {
"baseScore": 5.8,
"vectorString": "AV:N/AC:L/Au:M/C:P/I:P/A:P/E:POC/RL:ND/RC:UR",
"version": "2.0"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-22",
"description": "Path Traversal",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-31T15:45:08.773Z",
"orgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"shortName": "VulDB"
},
"references": [
{
"name": "VDB-354331 | CMS Made Simple UserGuide Module XML Import class.UserGuideImporterExporter.php _copyFilesToFolder path traversal",
"tags": [
"vdb-entry",
"technical-description"
],
"url": "https://vuldb.com/vuln/354331"
},
{
"name": "VDB-354331 | CTI Indicators (IOB, IOC, TTP, IOA)",
"tags": [
"signature",
"permissions-required"
],
"url": "https://vuldb.com/vuln/354331/cti"
},
{
"name": "Submit #772855 | CMSMadeSimple CMS Made Simple (CMSMS) 2.2.22 and old versions modules/UserGuide/lib/class.UserGuideImporterExporter.php",
"tags": [
"third-party-advisory"
],
"url": "https://vuldb.com/submit/772855"
},
{
"tags": [
"exploit"
],
"url": "https://drive.proton.me/urls/Q0JHZ339BW#X9P2G3Guwvwa"
}
],
"tags": [
"x_open-source"
],
"timeline": [
{
"lang": "en",
"time": "2026-03-31T00:00:00.000Z",
"value": "Advisory disclosed"
},
{
"lang": "en",
"time": "2026-03-31T02:00:00.000Z",
"value": "VulDB entry created"
},
{
"lang": "en",
"time": "2026-03-31T10:45:27.000Z",
"value": "VulDB entry last update"
}
],
"title": "CMS Made Simple UserGuide Module XML Import class.UserGuideImporterExporter.php _copyFilesToFolder path traversal"
}
},
"cveMetadata": {
"assignerOrgId": "1af790b2-7ee1-4545-860a-a788eba489b5",
"assignerShortName": "VulDB",
"cveId": "CVE-2026-5203",
"datePublished": "2026-03-31T15:45:08.773Z",
"dateReserved": "2026-03-31T08:40:14.589Z",
"dateUpdated": "2026-03-31T17:35:35.625Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}