Liste Hebdomadaire des CVE Sévères

CVE-2026-7823 - Totolink A8000RU cstecgi.cgi setAppFilterCfg os command injection

CVE-2026-5294 - GeekyBot <= 1.2.2 - Missing Authorization to Unauthenticated Arbitrary Plugin Installation via 'geekybot_frontendajax' AJAX Action

CVE-2025-13618 - Mentoring <= 1.2.8 - Unauthenticated Privilege Escalation in mentoring_process_registration

CVE-2026-5722 - MoreConvert Pro <= 1.9.14 - Authentication Bypass via Waitlist Guest Verification Token Reuse

CVE-2026-42796 - Arelle < 2.39.10 Unauthenticated RCE via /rest/configure

CVE-2026-42088 - OpenC3 COSMOS: Administrative Actions via the Script Runner Tool

CVE-2026-42087 - OpenC3 COSMOS: SQL Injection in QuestDB Time-Series Data Base

CVE-2026-42232 - n8n: XML Node Prototype Pollution to RCE

CVE-2026-42231 - n8n: Prototype Pollution in XML Webhook Body Parser Leads to RCE

CVE-2026-40797 - WordPress WebinarIgnition plugin <= 4.08.253 - SQL Injection vulnerability

CVE-2026-41926 - WDR201A WiFi Extender OS Command Injection via firewall.cgi

CVE-2026-41925 - WDR201A WiFi Extender OS Command Injection via adm.cgi (reboot_time)

CVE-2026-41924 - WDR201A WiFi Extender OS Command Injection via makeRequest.cgi

CVE-2026-41923 - WDR201A WiFi Extender OS Command Injection via internet.cgi

CVE-2026-41922 - WDR201A WiFi Extender OS Command Injection via wireless.cgi

CVE-2026-42238 - Unauthenticated Remote Code Execution via Backup Restore in nginx-ui

CVE-2026-42235 - n8n: XSS via MCP OAuth client

CVE-2026-35228 - Oracle Open Source Projects Oracle MCP Server Helper Tool SQL Injection Vulnerability

CVE-2026-42236 - n8n: Unauthenticated Denial of Service via MCP Client Registration

CVE-2026-25863 - Conditional Fields for Contact Form 7 < 2.7.3 DoS via Uncontrolled Resource Consumption

CVE-2026-7791 - Amazon WorkSpaces for Windows Skylight Workspace Config Service Privilege Escalation

CVE-2026-41927 - WDR201A WiFi Extender Stack-Based Buffer Overflow via firewall.cgi

CVE-2026-42222 - nginx-ui: Unauthenticated first-boot instance claim via POST /api/install allows remote bootstrap takeover

CVE-2026-42221 - nginx-ui: Unauthenticated First-Run Installer Allows Remote Initial Admin Claim

CVE-2026-42084 - OpenC3 COSMOS: Hijacked session token can be used to reset password for persistence