ZCyberNews
Articles

432 articles

CVE-2026-7813: pgAdmin 4 Server Mode Flaw Lets Users Access Private
Vulnerabilities | Severity: CRITICAL

CVE-2026-7813 (CVSS 9.9) in pgAdmin 4 server mode lets authenticated users access private servers, groups, and debugger data from other users by guessing object IDs.

Tags: CVE-2026-7813
3 min read
D-Link DNS-320 OS Command Injection Flaw CVE-2026-8273 Lets Remote
Vulnerabilities | Severity: MEDIUM

CVE-2026-8273 (CVSS 5.8) in D-Link DNS-320 2.06B01 allows remote OS command injection via multiple CGI endpoints in system_mgr.cgi. No patch available.

Tags: CVE-2026-8273
3 min read
Dell ECS Hard-Coded Credentials Flaw CVE-2026-40636 Hits 9.8 CVSS
Vulnerabilities | Severity: CRITICAL

CVE-2026-40636 (CVSS 9.8) in Dell ECS and ObjectScale uses hard-coded credentials, letting local attackers gain filesystem access.

Tags: CVE-2026-40636, CVE-2026-35157
3 min read
Devs Palace ERP Online XSS Flaws Allow Remote Script Injection
Vulnerabilities | Severity: MEDIUM

Two stored XSS vulnerabilities in Devs Palace ERP Online up to 4.0.0 let remote attackers inject scripts via /inventory/addnewcustomer and /inventory/sales_save.

Tags: CVE-2026-8255, CVE-2026-8254
3 min read
Dirty Frag Linux Flaws Let Unprivileged Users Gain Root, Escape
Vulnerabilities | Severity: HIGH

CVE-2026-43284 and CVE-2026-43500 in the Linux kernel's networking code allow unprivileged users to gain root and escape containers. Exploit published after embargo broke.

Tags: CVE-2026-43284, CVE-2026-43500
4 min read
Docling JATS XML Backend XXE Flaw CVE-2026-31247 Enables DoS
Vulnerabilities | Severity: HIGH

CVE-2026-31247: Docling's JATS XML backend through 2.61.0 uses etree.parse() without disabling entity expansion, allowing XML bomb attacks that consume excessive resources and...

Tags: CVE-2026-31247
3 min read
FCC Delays Ban on Security Updates for Foreign-Made Routers to 2029
Industry News | Severity: MEDIUM

The FCC extended the deadline for banning software updates on foreign-made routers from March 2027 to January 2029, citing public interest concerns and industry pushback.

3 min read
GPT-Pilot Command Injection Flaw CVE-2026-31246 Lets Users Execute
Vulnerabilities | Severity: CRITICAL

CVE-2026-31246 (CVSS 9.8) in GPT-Pilot's Executor.run() passes unvalidated user input to asyncio.create_subprocess_shell(), enabling arbitrary command injection during project...

Tags: CVE-2026-31246
4 min read
Open5GS SMF DoS Flaws CVE-2026-8251, CVE-2026-8249 Exploited Publicly
Vulnerabilities | Severity: MEDIUM

Two CVSS 4.3 denial-of-service vulnerabilities in Open5GS up to 2.7.7 allow remote attackers to crash the SMF via crafted PCC rule updates. Public exploits exist.

Tags: CVE-2026-8251, CVE-2026-8249
4 min read
pgAdmin 4 Brute-Force Flaw CVE-2026-7820 Bypasses Account Lockout
Vulnerabilities | Severity: MEDIUM

CVE-2026-7820 (CVSS 6.5) in pgAdmin 4 lets attackers brute-force passwords via Flask-Security's default /login view, bypassing MAX_LOGIN_ATTEMPTS enforcement.

Tags: CVE-2026-7820
3 min read
pgAdmin 4 File Manager Flaw CVE-2026-7819 Lets Authenticated Users
Vulnerabilities | Severity: HIGH

CVE-2026-7819 (CVSS 8.1) in pgAdmin 4's File Manager lets authenticated users write files outside their storage directory via symlink path traversal. No patch yet.

Tags: CVE-2026-7819
3 min read
SailPoint Discloses GitHub Repo Breach via Third-Party App
Industry News | Severity: HIGH

SailPoint reported to the SEC that attackers accessed a subset of its GitHub repositories on April 20 via a third-party app vulnerability.

3 min read
Page 9 of 36