Common Vulnerabilities and Exposures (CVE)

CVE-2023-24215

Jul 5, 2026 16:16:43 UTC

Incorrect access control in the /uci/get/ endpoint of NOVUS AirGate 4G firmware v1.1.16 allows unauthenticated attackers to obtain administrator credentials via a crafted POST request.

CVE-2025-65857

Jul 5, 2026 16:16:39 UTC

An issue was discovered in Xiongmai XM530 IP cameras on firmware V5.00.R02.000807D8.10010.346624.S.ONVIF 21.06. GetStreamUri exposes RTSP URIs containing hardcoded credentials, enabling direct unauthorized video stream access.

CVE-2026-36356

Jul 5, 2026 16:16:35 UTC

The GoAhead web server on MeiG Smart FORGE_SLT711 devices (firmware MDM9607.LE.1.0-00110-STD.PROD-1) allows unauthenticated OS command injection via the /action/SetRemoteAccessCfg endpoint.

CVE-2026-36239

Jul 5, 2026 16:16:31 UTC

PbootCMS v.3.2.11 contains a code injection vulnerability in its site configuration functionality.

CVE-2026-39087

Jul 5, 2026 16:16:27 UTC

ntfy before 2.22.0 allows SSRF because of an unanchored regular expression for web push endpoint URLs.

CVE-2026-38931

Jul 5, 2026 16:16:23 UTC

A stored cross-site scripting (XSS) vulnerability exists in the /admin/config-module.php component of creatorsofcode simplephp GitHub commit 5184cff (latest as of 2026-02-27), exploitable by injecting a crafted payload.

CVE-2026-38930

Jul 5, 2026 16:16:18 UTC

OpenRapid RapidCMS v1.3.1 was discovered to contain an authentication bypass in the /template/default/menu.php component. This vulnerability is exploited by injecting a crafted SQL payload into the name cookie parameter.

CVE-2025-60889

Jul 5, 2026 16:16:14 UTC

Insecure deserialization of untrusted input in StellarGroup HPX 1.11.0 may, under certain conditions, allow attackers to execute arbitrary code or cause other unspecified impacts.

CVE-2025-63743

Jul 5, 2026 16:16:10 UTC

Cross-site scripting vulnerability in the Snipe-IT web-based asset management system v8.3.0 up to and including v8.3.1 allows an authenticated attacker with the lowest privileges, sufficient only to log in, to inject arbitrary JavaScript code via "...

CVE-2026-30462

Jul 5, 2026 16:16:05 UTC

A path traversal vulnerability in the Blocks module of Daylight Studio FuelCMS v1.5.2 allows attackers to execute a directory traversal.

CVE-2026-30461

Jul 5, 2026 16:15:58 UTC

Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability via /controllers/Installer.php and the function add_git_submodule.

CVE-2026-30460

Jul 5, 2026 16:15:54 UTC

Daylight Studio FuelCMS v1.5.2 was discovered to contain an authenticated remote code execution (RCE) vulnerability in the Blocks module.

CVE-2026-30459

Jul 5, 2026 16:15:50 UTC

An issue in the Forgot Password feature of Daylight Studio FuelCMS v1.5.2 allows unauthenticated attackers to obtain the password reset token of a victim user via a crafted link placed in a valid e-mail message.

CVE-2026-30352

Jul 5, 2026 16:15:46 UTC

A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code by providing a crafted command parameter.

CVE-2026-30266

Jul 5, 2026 16:15:42 UTC

An insecure permissions vulnerability in DeepCool DeepCreative v.1.2.12 and before allows a local attacker to execute arbitrary code via a crafted file.