New
CVE-2026-15493: Akpali9 Attendance-Management-System absent.php cross site scripting: A vulnerability was detected in Akpali9 Attendance-Management-System up to 70b91fe38f4195b701a45f0edcd4f42d5f64aeee. This issue affects some unknown processing of the file absent.php. Performing a manipulation of the argument export_date results in cross site scripting. It is possible to initiate the attack remotely. This pro...
CVE-2026-15492: igweze wizgrade studentConductManager.php cross site scripting: A security vulnerability has been detected in igweze wizgrade up to b1d55f22b90cd7e7a6e5002f006d7c649e8086d6. This vulnerability affects unknown code of the file dashboard/studentConductManager.php. Such manipulation leads to cross site scripting. The attack may be performed from remote. The exploit has been disclosed publicly and ...
CVE-2026-15491: RafyMrX TOKO-ONLINE-ROTI missing authentication: A weakness has been identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. This affects an unknown part. This manipulation causes missing authentication. The attack is possible to be carried out remotely. This product adopts a rolling release strategy to maintain continuous delivery. Therefore, version details for ...
CVE-2026-15490: RafyMrX TOKO-ONLINE-ROTI add.php sql injection: A security flaw has been discovered in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this issue is some unknown functionality of the file proses/add.php. The manipulation of the argument kode_produk/kd_cs results in sql injection. The attack can be executed remotely. The exploit has been released to the publi...
CVE-2026-15489: RafyMrX TOKO-ONLINE-ROTI login.php sql injection: A vulnerability was identified in RafyMrX TOKO-ONLINE-ROTI up to ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99. Affected by this vulnerability is an unknown functionality of the file proses/login.php. The manipulation of the argument Username leads to sql injection. Remote exploitation of the attack is possible. The exploit is publicly available and ...
Updated
CVE-2025-5372: Libssh: incorrect return code handling in ssh_kdf() in libssh: A flaw was found in libssh versions built with OpenSSL versions older than 3.0, specifically in the ssh_kdf() function responsible for key derivation. Due to inconsistent interpretation of return values where OpenSSL uses 0 to indicate failure and libssh uses 0 for success—the function may mistakenly return a success status even whe...
CVE-2023-5574: Xorg-x11-server: use-after-free bug in damagedestroy: A use-after-free flaw was found in xorg-x11-server-Xvfb. This issue occurs in Xvfb with a very specific and legacy configuration (a multi-screen setup with multiple protocol screens, also known as Zaphod mode). If the pointer is warped from a screen 1 to a screen 0, a use-after-free issue may be triggered during shutdown or reset of the Xvfb...
CVE-2026-58525: Microsoft Edge (Chromium-based) Security Feature Bypass Vulnerability: Improper access control in Microsoft Edge (Chromium-based) allows an unauthorized attacker to bypass a security feature over a network.
CVE-2026-58291: Microsoft Edge (Chromium-based) Information Disclosure Vulnerability: Operation on a resource after expiration or release in Microsoft Edge (Chromium-based) allows an unauthorized attacker to disclose information over a network.
CVE-2026-45489: Microsoft Edge (Chromium-based) Spoofing Vulnerability: Microsoft Edge (Chromium-based) Spoofing Vulnerability
CISA Known Exploited Vulnerabilities
CVE-2026-56291 Balbooa Forms: Balbooa Forms contains an unrestricted upload of file with dangerous type vulnerability that allows an unauthenticated arbitrary file upload which could allow uploading of executable files leading to full RCE.
CVE-2026-48939 iCagenda iCagenda: iCagenda contains an unrestricted upload of file with dangerous type vulnerability that allows the upload of arbitrary files in the file attachment feature, ultimately resulting in PHP code upload and execution.
CVE-2026-48282 Adobe ColdFusion: Adobe ColdFusion contains a path traversal vulnerability that could lead to arbitrary code execution in the context of the current user.
CVE-2026-55255 Langflow Langflow: Langflow contains an authorization bypass through user-controlled key vulnerability which allows an authenticated attacker to execute any flow belonging to another user by specifying the victim's flow ID in the request.
CVE-2026-56290 Joomlack Page Builder: Joomlack Page Builder contains an improper access control vulnerability that could allow for remote code execution via unauthenticated arbitrary file upload.