Common Vulnerabilities and Exposures (CVE)

CVE-2026-44927

May 10, 2026 05:46:18 UTC

In uriparser before 1.0.2, there is pointer difference truncation to int in various places.

CVE-2026-44928

May 10, 2026 05:45:32 UTC

In uriparser before 1.0.2, the function family EqualsUri can misclassify two unequal URIs as equal.

CVE-2026-8233

May 10, 2026 05:30:13 UTC

A vulnerability was determined in Dotouch XproUPF 2.0.0-release-088aa7c4. Affected is an unknown function of the component UPF. This manipulation causes improper access controls. A high degree of complexity is needed for the attack. The exp...

CVE-2026-44916

May 10, 2026 05:23:59 UTC

In OpenStack Ironic through 35.x, instance_info['ks_template'] is rendered without sandboxing.

CVE-2026-8232

May 10, 2026 05:15:07 UTC

A vulnerability was found in Dotouch XproUPF 2.0.0-release-088aa7c4. This impacts the function vlib_worker_loop in the library /usr/xpro/upf/tools/libs/libvlib.so of the component UPF Process. The manipulation results in denial of service. ...

CVE-2026-8231

May 10, 2026 05:00:14 UTC

A vulnerability has been found in CodeAstro Online Catering Ordering System 1.0. This affects an unknown function of the file /deleteorder.php. The manipulation of the argument ID leads to SQL injection. The attack is possible to be carried...

CVE-2026-7263

May 10, 2026 04:46:28 UTC

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, the DOMNode::C14N() method may process the XML data incorrectly, causing a circular linked list in the data structure representing the XML document. This may cause subsequent processin...

CVE-2026-7258

May 10, 2026 04:45:03 UTC

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, some functions, including urldecode(), pass signed char to ctype functions (like isxdigit()). On systems with default signed char and...

CVE-2026-7568

May 10, 2026 04:44:29 UTC

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the metaphone() function in ext/standard/metaphone.c uses a signed int variable to track the current position within the input string. If...

CVE-2026-6104

May 10, 2026 04:35:17 UTC

In PHP versions 8.4.* before 8.4.21 and 8.5.* before 8.5.6, when an encoding name containing an embedded NUL byte is passed to mb_convert_encoding() or related mbstring functions, the code incorrectly assumes that when strncasecmp() returns...

CVE-2026-8230

May 10, 2026 04:30:09 UTC

A flaw has been found in Wavlink NU516U1 240425. The impacted element is the function sys_login1 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to OS command injection. The attack can be executed re...

CVE-2026-6722

May 10, 2026 04:19:15 UTC

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, the SOAP extension's object deduplication mechanism stores pointers to PHP objects in a global map without incrementing their reference c...

CVE-2026-8229

May 10, 2026 04:15:09 UTC

A vulnerability was detected in Wavlink NU516U1 240425. The affected element is the function WifiBasic of the file /cgi-bin/wireless.cgi. Performing a manipulation of the argument AuthMethod/EncrypType results in OS command injection. Remot...

CVE-2026-7259

May 10, 2026 04:13:26 UTC

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, a mismatch between encoding lists in Oniguruma and mbfl leads to a NULL pointer dereference, resulting in a segmentation fault and denia...

CVE-2026-7261

May 10, 2026 04:07:25 UTC

In PHP versions 8.2.* before 8.2.31, 8.3.* before 8.3.31, 8.4.* before 8.4.21, and 8.5.* before 8.5.6, when SoapServer is configured with SOAP_PERSISTENCE_SESSION, the handler object is persisted across requests via session storage. However...