phpMyFAQ versions prior to 4.1.3 contain a critical Insecure Direct Object Reference (IDOR) vulnerability within the administration API. An authenticated attacker with basic user-edit privileges can exploit this flaw to overwrite the password of any higher-privileged user, including the SuperAdmin account. This leads to complete application compromise.
phpMyFAQ contains an authentication bypass vulnerability within its REST API architecture introduced in version 4.0. The vulnerability stems from insecure default initialization of the API client token to an empty string, coupled with flawed comparative logic in the authentication controller. This allows unauthenticated remote attackers to bypass authorization checks and interact with administrative API endpoints.
phpMyFAQ versions prior to 4.1.3 contain a critical authentication bypass and account takeover vulnerability due to a flawed password recovery mechanism. The application processes password reset requests without requiring cryptographic token verification, allowing unauthenticated attackers to arbitrarily change passwords and lock out legitimate users.
CVE-2026-40370 is a high-severity Remote Code Execution (RCE) vulnerability affecting Microsoft SQL Server versions 2016 through 2025. It stems from improper path validation (CWE-73) in internal stored procedures, allowing an authenticated user with low privileges to execute arbitrary code within the context of the SQL Server service account.
CVE-2026-32175 is a high-severity tampering vulnerability affecting .NET Core versions 8.0, 9.0, and 10.0 on Windows platforms. The vulnerability stems from an Absolute Path Traversal (CWE-36) flaw in the extraction mechanisms handling NuGet packages and application bundles. An unauthenticated remote attacker can exploit this weakness by providing a specially crafted archive file. The extraction logic fails to sanitize archive entry names containing absolute paths, leading to arbitrary file writes on the host system. Successful exploitation allows the attacker to compromise application integrity by overwriting critical system files or planting malicious executables.
The camofox-mcp package prior to version 1.13.2 contains a critical access control vulnerability on its Model Context Protocol (MCP) HTTP transport layer. The server fails to authenticate inbound requests while simultaneously appending an administrative API key to outbound backend requests. This Confused Deputy flaw allows unauthenticated clients to exercise full administrative control over the backend headless browser environment.
Vercel Turborepo CLI versions prior to 2.9.14 are vulnerable to Cross-Site Request Forgery (CSRF) and Session Fixation during self-hosted remote cache authentication. The local callback server fails to validate the OAuth2 state parameter, allowing malicious websites to inject attacker-controlled tokens and compromise build environments.
The libcrux-chacha20poly1305 cryptographic crate contains a Denial of Service vulnerability triggered by providing an overlong ciphertext buffer during encryption. This flaw manifests as a runtime panic due to an improper slice conversion, allowing attackers to terminate the application if buffer sizes are user-influenced.
A critical logic vulnerability in the libcrux-ml-dsa library allows cryptographic signature forgery on x86_64 architectures using the AVX2 backend. The flaw originates from an incorrect SIMD implementation of the ML-DSA use_hint function, violating FIPS 204 specifications and allowing attackers to bypass signature verification.
An uncontrolled recursion vulnerability exists in the protobufjs library prior to versions 7.5.8 and 8.2.0. The lack of depth limits in the JSON descriptor parsing logic allows attackers to cause a stack overflow and crash the Node.js process via deeply nested payloads.
CVE-2026-32177 is a high-severity heap-based buffer overflow affecting multiple versions of Microsoft .NET and Visual Studio. Triggered by insufficient input validation during file processing, the vulnerability permits local privilege escalation when a user opens a specially crafted file.
CVE-2026-42899 is a high-severity Denial of Service (DoS) vulnerability in the Microsoft ASP.NET Core framework, characterized by multiple instances of a 'Loop with Unreachable Exit Condition' (CWE-835). An unauthenticated remote attacker can trigger 100% CPU utilization by supplying specially crafted requests that exploit logic errors in request parsing, data protection, minimal APIs, and caching subsystems.
Or generate a custom report
Search for a CVE ID (e.g. CVE-2024-1234) to generate an AI-powered vulnerability analysis
Automated vulnerability intelligence. 1,766+ reports.