Overview
- SimStudioAI
- sim
02 Mar 2026
Published
02 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV
Description
On SimStudio version below to 0.5.74, the MongoDB tool endpoints accept arbitrary connection parameters from the caller without authentication or host restrictions. An attacker can leverage these endpoints to connect to any reachable MongoDB instance and perform unauthorized operations including reading, modifying, and deleting data.
Statistics
- 1 Post
Last activity: Last hour
Overview
Description
Gogs is an open source self-hosted Git service. Prior to version 0.14.2, a stored cross-site scripting (XSS) vulnerability exists in the comment and issue description functionality. The application's HTML sanitizer explicitly allows data: URI schemes, enabling authenticated users to inject arbitrary JavaScript execution via malicious links. This issue has been patched in version 0.14.2.
Statistics
- 1 Post
Last activity: 14 hours ago
Overview
- Anhui Seeker Electronic Technology Co., LTD.
- XikeStor SKS8310-8X
07 Mar 2026
Published
07 Mar 2026
Updated
CVSS v4.0
CRITICAL (9.3)
EPSS
Pending
KEV
Description
XikeStor SKS8310-8X Network Switch firmware versions 1.04.B07 and prior contain an OS command injection vulnerability in the /goform/PingTestSet endpoint that allows unauthenticated remote attackers to execute arbitrary operating system commands. Attackers can inject malicious commands through the destIp parameter to achieve remote code execution with root privileges on the network switch.
Statistics
- 1 Post
Last activity: 4 hours ago
Fediverse
⚠️ CRITICAL: CVE-2026-25070 in XikeStor SKS8310-8X allows unauthenticated remote OS command injection (CVSS 9.3). No patch yet. Restrict access, segment networks, and monitor endpoints. Full root risk! https://radar.offseq.com/threat/cve-2026-25070-cwe-78-improper-neutralization-of-s-f0039eef #OffSeq #Vulnerability #NetworkSecurity
Overview
- The Biosig Project
- libbiosig
03 Mar 2026
Published
03 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
0.11%
KEV
Description
A heap-based buffer overflow vulnerability exists in the Intan CLP parsing functionality of The Biosig Project libbiosig 3.9.2 and Master Branch (db9a9a63). A specially crafted Intan CLP file can lead to arbitrary code execution. An attacker can provide a malicious file to trigger this vulnerability.
Statistics
- 1 Post
Last activity: 20 hours ago
Overview
- niteosoft
- Simple Job Script
04 Mar 2026
Published
05 Mar 2026
Updated
CVSS v4.0
HIGH (8.8)
EPSS
0.18%
KEV
Description
Simple Job Script contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the landing_location parameter. Attackers can send POST requests to the searched endpoint with malicious SQL payloads to bypass authentication and extract sensitive database information.
Statistics
- 1 Post
Last activity: 7 hours ago
Overview
- Doditsolutions
- Homey BNB (Airbnb Clone Script)
27 Feb 2026
Published
27 Feb 2026
Updated
CVSS v4.0
HIGH (8.8)
EPSS
0.09%
KEV
Description
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'val' parameter. Attackers can send GET requests to the admin/getrecord.php endpoint with malicious 'val' values to extract sensitive database information.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
- Mobiliti
- e-mobi.hu
06 Mar 2026
Published
06 Mar 2026
Updated
CVSS v3.1
CRITICAL (9.4)
EPSS
Pending
KEV
Description
WebSocket endpoints lack proper authentication mechanisms, enabling attackers to perform unauthorized station impersonation and manipulate data sent to the backend. An unauthenticated attacker can connect to the OCPP WebSocket endpoint using a known or discovered charging station identifier, then issue or receive OCPP commands as a legitimate charger. Given that no authentication is required, this can lead to privilege escalation, unauthorized control of charging infrastructure, and corruption of charging network data reported to the backend.
Statistics
- 1 Post
Last activity: Last hour
Fediverse
⚠️ CVE-2026-26051 (CRITICAL, CVSS 9.4) in Mobiliti e-mobi.hu: Unauthenticated OCPP WebSocket endpoints allow charging station impersonation + backend manipulation. Enforce strong auth & monitor now. https://radar.offseq.com/threat/cve-2026-26051-cwe-306-in-mobiliti-e-mobihu-70ec4ea6 #OffSeq #CVE202626051 #EVsecurity
Overview
- Doditsolutions
- Homey BNB (Airbnb Clone Script)
27 Feb 2026
Published
27 Feb 2026
Updated
CVSS v4.0
HIGH (8.8)
EPSS
0.09%
KEV
Description
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the catid parameter. Attackers can send GET requests to the admin/cms_getpagetitle.php endpoint with malicious catid values to extract sensitive database information.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
- Doditsolutions
- Homey BNB (Airbnb Clone Script)
27 Feb 2026
Published
27 Feb 2026
Updated
CVSS v4.0
HIGH (8.8)
EPSS
0.09%
KEV
Description
Homey BNB V4 contains an SQL injection vulnerability that allows unauthenticated attackers to manipulate database queries by injecting SQL code through the 'pt' parameter. Attackers can send GET requests to the admin/getcmsdata.php endpoint with malicious 'pt' values to extract sensitive database information.
Statistics
- 1 Post
Last activity: 6 hours ago
Overview
Description
Traefik is an HTTP reverse proxy and load balancer. Prior to versions 2.11.38 and 3.6.9, there is a potential vulnerability in Traefik managing TLS handshake on TCP routers. When Traefik processes a TLS connection on a TCP router, the read deadline used to bound protocol sniffing is cleared before the TLS handshake is completed. When a TLS handshake read error occurs, the code attempts a second handshake with different connection parameters, silently ignoring the initial error. A remote unauthenticated client can exploit this by sending an incomplete TLS record and stopping further data transmission, causing the TLS handshake to stall indefinitely and holding connections open. By opening many such stalled connections in parallel, an attacker can exhaust file descriptors and goroutines, degrading availability of all services on the affected entrypoint. This issue has been patched in versions 2.11.38 and 3.6.9.
Statistics
- 1 Post
Last activity: 12 hours ago