QSearch

CVE Watch

Every published CVE, mapped to engagement reality.

Crawled from cve.org every day. Each entry is annotated with the QSearch coverage signal: how many of our agents, skills, and playbooks address the technique. Subscribe via RSS to pipe entries into your SIEM, or get the weekly digest by email.

Tracking 10103 CVEs · Updated daily · Latest entry 2026-06-16
  • CVE-2026-10514 · 2.4 LOW · 2026-06-02

    A vulnerability has been found in 1Panel-dev CordysCRM up to 1.6.2. This affects an unknown function of the file backend/framework/src/main/java/cn/cordys/config/RequestParamTrimConfig.java. The manipulation leads to cross site scripting. Remote exploitation of the attack is possible. The exploit has been disclosed to the public and may be used. Upgrading to version 1.7.0 mitigates this issue. The identifier of the patch is c87682afa8df79853299f75489c9d333f7bc5fce. It is suggested to upgrade the affected component.

    CWE-79, CWE-94
  • CVE-2026-10302 · 6.3 MEDIUM · 2026-06-02

    A flaw has been found in itsourcecode Fees Management System 1.0. The impacted element is an unknown function of the file /manage_fee.php. Executing a manipulation of the argument ID can lead to sql injection. The attack may be launched remotely. The exploit has been published and may be used.

    CWE-74, CWE-89
  • CVE-2026-10301 · 4.3 MEDIUM · 2026-06-02

    A vulnerability was detected in itsourcecode Fees Management System 1.0. The affected element is an unknown function of the file index.php. Performing a manipulation of the argument page results in cross site scripting. The attack may be initiated remotely. The exploit is now public and may be used.

    CWE-79, CWE-94
  • CVE-2026-28511 · 4.3 MEDIUM · 2026-06-01

    eLabFTW is an open source electronic lab notebook. Prior to version 5.4.2, in certain cases, an authenticated user performing a numeric reference/search can return results that include resources the requesting user is not authorized to view. The exposed information is limited (only the title). Attempts to access the underlying protected resource content remain blocked by authorization checks. Version 5.4.2 fixes the issue.

    Affected Scope: Cross-scope visibility of titles. No confirmed bypass of content-level access controls.

    Preconditions: An authenticated user account. No special privileges required beyond standard access.

    Impact: This may enable unauthorized disclosure of sensitive information if confidential data is included in resource titles. Examples could include project names, patient identifiers, or other regulated information embedded in titles.

    elabftw, CWE-200
  • CVE-2026-25879 · 9.8 CRITICAL · 2026-06-01

    Langroid is a framework for building large-language-model-powered applications. Prior to version 0.63.0, SQLChatAgent executes SQL produced by an LLM, which is influenceable by prompt injection. When configured with a database role that has privileges enabling code execution or filesystem access (e.g., PostgreSQL pg_execute_server_program, MySQL FILE, MSSQL xp_cmdshell), an attacker who can shape the agent's input — including indirectly via data returned to the LLM — can coerce execution of dialect-specific primitives such as `COPY ... FROM PROGRAM`, achieving RCE on the database host. Fixed in v0.63.0 by defaulting SQLChatAgent to a SELECT-only sqlglot-parsed statement allowlist with a dialect-aware dangerous-pattern blocklist; allow_dangerous_operations=True restores the previous unrestricted behavior for trusted deployments.

    CWE-89, CWE-94
  • CVE-2026-25277 · 8.8 HIGH · 2026-06-01

    Memory corruption while using Strongbox due to buffer overflow.

    qualcomm, CWE-120
  • CVE-2026-25276 · 8.8 HIGH · 2026-06-01

    Memory corruption while using Strongbox due to missing bounds check.

    qualcomm, CWE-129
  • CVE-2026-25260 · 7.8 HIGH · 2026-06-01

    Memory Corruption when accessing shared buffers without validation of concurrent user-mode input modifications.

    qualcomm, CWE-367
  • CVE-2026-25259 · 7.8 HIGH · 2026-06-01

    Memory corruption while processing multiple IOCTL commands for escape operations.

    qualcomm, CWE-787
  • CVE-2026-25258 · 7.8 HIGH · 2026-06-01

    Memory corruption while processing IOCTL calls for escape operations.

    qualcomm, CWE-125
  • CVE-2026-24782 · 7.6 HIGH · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, multiple SQL Injection vulnerabilities in Kiteworks Secure Data Forms could be exploited by an authenticated attacker with the FormBuilder role to retrieve information on or modify other users' form definitions and some global configuration parameters. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-89
  • CVE-2026-24761 · 3.7 LOW · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to access metadata of resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-639
  • CVE-2026-24756 · 4.3 MEDIUM · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-639
  • CVE-2026-24755 · 5.4 MEDIUM · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify permissions on resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-639
  • CVE-2026-24754 · 5.4 MEDIUM · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a stored XSS vulnerability in Kiteworks Secure Data Forms could allow an authenticated attacker to execute arbitrary JavaScript code in other users' sessions. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-79
  • CVE-2026-24753 · 6.5 MEDIUM · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, an Insecure Direct Object Reference (IDOR) vulnerability in Kiteworks Secure Data Forms allows an authenticated user to modify resources belonging to other users due to insufficient authorization checks on resource ownership. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-639
  • CVE-2026-24752 · 8.2 HIGH · 2026-06-01

    Kiteworks is a private data network (PDN). Prior to version 9.3.0, a reflected XSS vulnerability in Kiteworks Secure Data Forms could allow an external attacker to trick a user into executing arbitrary JavaScript code. Upgrade Kiteworks to version 9.3.0 or later to receive a patch.

    accellion, CWE-79
  • CVE-2026-24092 · 7.2 HIGH · 2026-06-01

    Memory Corruption when processing fastboot commands to set display mode.

    qualcomm, CWE-1286
  • CVE-2026-24091 · 7.2 HIGH · 2026-06-01

    Memory corruption while processing fastboot commands with improperly formatted input.

    qualcomm, CWE-1286
  • CVE-2026-24090 · 7.1 HIGH · 2026-06-01

    Cryptographic issue while processing partition table entries allows unauthorized modification of boot flow.

    qualcomm, CWE-306

Weekly digest

Get the curated CVE digest every Monday

One email a week, sent Monday morning CET. The CVEs published or modified in the last seven days, severity-ordered, with the QSearch coverage signal. Unsubscribe with one click — included in every send.

Pipe the CVE feed into your stack.

CVE Watch publishes RSS, Atom, and JSON feeds — wire them into your SIEM, Slack, Discord, or your RSS reader of choice. Or get the curated weekly digest by email.