ZCyberNews

Articles

432 articles

Stored XSS in pgAdmin 4 Lets Attackers Execute JS via Database Object
Severity: MEDIUM
Vulnerabilities

CVE-2026-7814 (CVSS 4.8): pgAdmin 4 fails to sanitize user-controlled PostgreSQL object names, enabling stored XSS via the Browser Tree and Explain Visualizer modules.

CVE-2026-7814
3 min read
Tenda AC6 Command Injection Flaw CVE-2026-8263 Lets Attackers Execute
Severity: HIGH
Vulnerabilities

CVE-2026-8263 (CVSS 5.8) in Tenda AC6 firmware 15.03.06.49multiTDE01 allows unauthenticated remote OS command injection via the /goform/WifiExtraSet endpoint.

CVE-2026-8263
3 min read
Tenda AC6 Router Flaws Enable Remote Command Injection
Severity: HIGH
Vulnerabilities

Two command injection vulnerabilities in Tenda AC6 firmware 15.03.06.23 let remote attackers execute arbitrary OS commands via the getLogFile and formWifiApScan functions.

CVE-2026-8265
CVE-2026-8264
3 min read
Wikimedia AbuseFilter Flaw CVE-2026-34086 Lets Editors Bypass
Severity: HIGH
Vulnerabilities

CVE-2026-34086 in Wikimedia Foundation's AbuseFilter extension allows editors to bypass configured restrictions; affects versions before 1.43.7, 1.44.4, and 1.45.2.

CVE-2026-34086
3 min read
WSO2 API Manager Flaw CVE-2025-8325 Lets Low-Privilege Users Bypass
Severity: MEDIUM
Vulnerabilities

CVE-2025-8325 (CVSS 6.3) in WSO2 API Manager lets users with the Internal/Everyone role invoke Gateway and Internal Service APIs without authorization, affecting APIM 3.x...

CVE-2025-8325
3 min read
Zephyr TLS 1.3 Socket Flaw Lets Peers Downgrade to TLS 1.2
Severity: MEDIUM
Vulnerabilities

CVE-2026-1677 (CVSS 5.3): Zephyr RTOS sockets using IPPROTO_TLS_1_3 can negotiate TLS 1.2 when both versions are enabled, breaking application security assumptions.

CVE-2026-1677
3 min read
Aero CMS 0.0.1 PHP Code Injection Flaw Lets Authenticated Attackers
Severity: HIGH
Vulnerabilities

CVE-2022-50944 (CVSS 8.8): Authenticated attackers can upload malicious PHP files via the image parameter in Aero CMS 0.0.1, achieving remote code execution on the server.

CVE-2022-50944
3 min read
CMDBuild 3.3.2 Stored XSS Flaw Allows Persistent Script Injection
Severity: MEDIUM
Vulnerabilities

CVE-2021-47925 (CVSS 6.4): Authenticated attackers can inject persistent XSS payloads via Employee card parameters or SVG file attachments in CMDBuild 3.3.2, affecting all users...

CVE-2021-47925
4 min read
CyberPanel 2.1 Flaw Lets Authenticated Attackers Execute Remote Code
Severity: HIGH
Vulnerabilities

CVE-2021-47949 (CVSS 8.8) in CyberPanel 2.1 lets authenticated attackers read arbitrary files and execute code via symlink attacks through the filemanager controller endpoint.

CVE-2021-47949
3 min read
Emlog CSRF Flaw CVE-2026-42286 Lets Attackers Hijack Admin Actions
Severity: HIGH
Vulnerabilities

CVE-2026-42286: Missing CSRF protection in Emlog prior to 2.6.11 lets attackers trick authenticated admins into unauthorized plugin management and config changes.

CVE-2026-42286
3 min read
Google Ads, Claude Chats Push MacSync Infostealer to macOS Users
Severity: HIGH
Malware

Attackers abuse Google Ads linking to real claude.ai and shared Claude chats to deliver MacSync infostealer, harvesting browser credentials and Keychain data.

4 min read
Opencart TMD Vendor System 3.x SQLi Lets Attackers Dump User
Severity: HIGH
Vulnerabilities

CVE-2021-47928 (CVSS 8.2): Unauthenticated blind SQL injection in Opencart TMD Vendor System 3.x lets attackers extract usernames, emails, and password reset codes from the...

CVE-2021-47928
3 min read
Page 10 of 36