Security Vulnerabilities
sourcecodester Pharmacy Point of Sale System v1.0 is vulnerable to SQL Injection in /pharmacy/manage_user.php.
CVSS Score
9.8
EPSS Score
0.0
Published
2026-03-02
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.2-beta3, the application enforces restrictions in the frontend/UI to prevent users from creating files or folders in internal OS paths. However, when interacting directly with the API, the restrictions are bypass-able. By sending a crafted request targeting paths like /etc, /usr, or other sensitive system directories, the API successfully creates files or directories in locations where normal users should have no write access. This indicates that the API does not properly validate the target path, allowing unauthorized operations on critical system directories. No known patch is publicly available.
CVSS Score
8.5
EPSS Score
0.001
Published
2026-03-02
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, a stored XSS vulnerability exists in the Formula virtual cell. Formula results containing URI::() patterns are rendered via v-html without sanitization, allowing injected HTML to execute. This issue has been patched in version 0.301.3.
CVSS Score
5.4
EPSS Score
0.0
Published
2026-03-02
NocoDB is software for building databases as spreadsheets. Prior to version 0.301.3, the password forgot endpoint returned different responses for registered and unregistered emails, allowing user enumeration. This issue has been patched in version 0.301.3.
CVSS Score
5.3
EPSS Score
0.0
Published
2026-03-02
An issue was discovered in goform/formsetUsbUnload in Tenda AC15V1.0 V15.03.05.18_multi. The value of `v1` was not checked, potentially leading to a command injection vulnerability if injected into doSystemCmd.
CVSS Score
9.8
EPSS Score
0.017
Published
2026-03-02
CVE-2026-21385
Memory corruption while using alignments for memory allocation.
Known exploited
CVSS Score
7.8
EPSS Score
0.004
Published
2026-03-02
Memory Corruption when adding user-supplied data without checking available buffer space.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-03-02
Memory Corruption when processing invalid user address with nonstandard buffer address.
CVSS Score
7.8
EPSS Score
0.0
Published
2026-03-02
ZimaOS is a fork of CasaOS, an operating system for Zima devices and x86-64 systems with UEFI. In version 1.5.0 and prior, due to insufficient validation or restriction of target URLs, an authenticated local user can craft requests that target internal IP addresses (e.g., 127.0.0.1, localhost, or private network ranges). This allows the attacker to interact with internal HTTP/HTTPS services that are not intended to be exposed externally or to local users. No known patch is publicly available.
CVSS Score
7.1
EPSS Score
0.0
Published
2026-03-02
An issue was discovered in /goform/WifiWpsStart in Tenda AC6V2.0 V15.03.06.23_multi. The index and mode are controllable. If the conditions are met to sprintf, they will be spliced into tmp. It is worth noting that there is no size check,which leads to a stack overflow vulnerability.
CVSS Score
7.5
EPSS Score
0.001
Published
2026-03-02