24h | 7d | 30d

CVE-2026-1137

Overview

  • UTT
  • ่ฟ›ๅ– 520W
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

A vulnerability was detected in UTT ่ฟ›ๅ– 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out remotely. The exploit is now public and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post
Last activity: 18 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-1137 - High (8.8)

A vulnerability was detected in UTT ่ฟ›ๅ– 520W 1.7.7-180627. Affected by this issue is the function strcpy of the file /goform/formWebAuthGlobalConfig. Performing a manipulation results in buffer overflow. The attack is possible to be carried out...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-1138

Overview

  • UTT
  • ่ฟ›ๅ– 520W
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.04%
KEV

Description

A flaw has been found in UTT ่ฟ›ๅ– 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been published and may be used. The vendor was contacted early about this disclosure but did not respond in any way.

Statistics

  • 1 Post
Last activity: 18 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-1138 - High (8.8)

A flaw has been found in UTT ่ฟ›ๅ– 520W 1.7.7-180627. This affects the function strcpy of the file /goform/ConfigExceptQQ. Executing a manipulation can lead to buffer overflow. The attack may be performed from remote. The exploit has been publish...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 18h ago

CVE-2026-23840

Overview

  • leepeuker
  • movary
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
Pending
KEV

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`. Version 0.70.0 fixes the issue.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐Ÿ”ด CVE-2026-23840 - Critical (9.3)

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryDeleted=`...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-23841

Overview

  • leepeuker
  • movary
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.3)
EPSS
Pending
KEV

Description

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`. Version 0.70.0 fixes the issue.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐Ÿ”ด CVE-2026-23841 - Critical (9.3)

Movary is a web application to track, rate and explore your movie watch history. Due to insufficient input validation, attackers can trigger cross-site scripting payloads in versions prior to 0.70.0. The vulnerable parameter is `?categoryCreated=`...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-23846

Overview

  • Quenary
  • tugtainer
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.1)
EPSS
Pending
KEV

Description

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to be logged in server access logs and potentially exposed through browser history, Referer headers, and proxy logs. Version 1.16.1 patches the issue.

Statistics

  • 1 Post
Last activity: 3 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-23846 - High (8.1)

Tugtainer is a self-hosted app for automating updates of Docker containers. In versions prior to 1.16.1, the password authentication mechanism transmits passwords via URL query parameters instead of the HTTP request body. This causes passwords to ...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 3h ago

CVE-2026-23625

Overview

  • opf
  • openproject
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.7)
EPSS
Pending
KEV

Description

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProjectโ€™s roadmap view renders the โ€œRelated work packagesโ€ list for each version. When a version contains work packages from a different project (e.g., a subproject), the helper link_to_work_package prepends package.project.to_s to the link and returns the entire string with .html_safe. Because project names are user-controlled and no escaping happens before calling html_safe, any HTML placed in a subproject name is injected verbatim into the page. The underlying issue is mitigated in versions 16.6.5 and 17.0.0 by setting a `X-Content-Type-Options: nosniff` header, which was in place until a refactoring move to Rails standard content-security policy, which did not properly apply this header in the new configuration since OpenProject 16.3.0. Those who cannot upgrade their installations should ensure that they add a X-Content-Type-Options: nosniff header in their proxying web application server.

Statistics

  • 1 Post
Last activity: 5 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-23625 - High (8.7)

OpenProject is an open-source, web-based project management software. Versions 16.3.0 through 16.6.4 are affected by a stored cross-site scripting vulnerability in the Roadmap view. OpenProjectโ€™s roadmap view renders the โ€œRelated work packages...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 5h ago

CVE-2026-1143

Overview

  • TOTOLINK
  • A3700R
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v4.0
HIGH (8.7)
EPSS
0.08%
KEV

Description

A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Statistics

  • 1 Post
Last activity: 16 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-1143 - High (8.8)

A weakness has been identified in TOTOLINK A3700R 9.1.2u.5822_B20200513. This affects the function setWiFiEasyGuestCfg of the file /cgi-bin/cstecgi.cgi. Executing a manipulation of the argument ssid can lead to buffer overflow. The attack may be l...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 16h ago

CVE-2026-23842

Overview

  • gunthercox
  • ChatterBot
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (7.5)
EPSS
Pending
KEV

Description

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent invocations of the get_response() method can exhaust the underlying SQLAlchemy connection pool, resulting in persistent service unavailability and requiring a manual restart to recover. Version 1.2.11 fixes the issue.

Statistics

  • 1 Post
Last activity: 4 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-23842 - High (7.5)

ChatterBot is a machine learning, conversational dialog engine for creating chat bots. ChatterBot versions up to 1.2.10 are vulnerable to a denial-of-service condition caused by improper database session and connection pool management. Concurrent ...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 4h ago

CVE-2026-22031

Overview

  • fastify
  • middie
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
HIGH (8.4)
EPSS
Pending
KEV

Description

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded characters (e.g., `/%61dmin` instead of `/admin`). While the middleware engine fails to match the encoded path and skips execution, the underlying Fastify router correctly decodes the path and matches the route handler, allowing attackers to access protected endpoints without the middleware constraints. Version 9.1.0 fixes the issue.

Statistics

  • 1 Post
Last activity: 7 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐ŸŸ  CVE-2026-22031 - High (8.4)

@fastify/middie is the plugin that adds middleware support on steroids to Fastify. A security vulnerability exists in @fastify/middie prior to version 9.1.0 where middleware registered with a specific path prefix can be bypassed using URL-encoded ...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 7h ago

CVE-2026-23837

Overview

  • franklioxygen
  • MyTube
19 Jan 2026
Published
19 Jan 2026
Updated
CVSS v3.1
CRITICAL (9.8)
EPSS
Pending
KEV

Description

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMiddleware. By simply not providing an authentication cookie (making req.user undefined), a request is incorrectly passed through to downstream handlers. All users running MyTube with loginEnabled: true are impacted. This flaw allows an attacker to access and modify application settings via /api/settings, change administrative and visitor passwords, and access other protected routes that rely on this specific middleware. The problem is patched in v1.7.66. MyTube maintainers recommend all users upgrade to at least version v1.7.64 immediately to secure their instances. The fix ensures that the middleware explicitly blocks requests if a user is not authenticated, rather than defaulting to next(). Those who cannot upgrade immediately can mitigate risk by restricting network access by usi a firewall or reverse proxy (like Nginx) to restrict access to the /api/ endpoints to trusted IP addresses only or, if they are comfortable editing the source code, manually patch by locating roleBasedAuthMiddleware and ensuring that the logic defaults to an error (401 Unauthorized) when req.user is undefined, instead of calling next().

Statistics

  • 1 Post
Last activity: 2 hours ago

Fediverse

Profile picture
TheHackerWire @thehackerwire

๐Ÿ”ด CVE-2026-23837 - Critical (9.8)

MyTube is a self-hosted downloader and player for several video websites. A vulnerability present in version 1.7.65 and poetntially earlier versions allows unauthenticated users to bypass the mandatory authentication check in the roleBasedAuthMidd...

๐Ÿ”— thehackerwire.com/vulnerabilit

#CVE #vulnerability #infosec #cybersecurity #security #Tenda #patchstack

  • 0
  • 0
  • 0
  • 2h ago
Showing 11 to 20 of 34 CVEs