
CVE Watch
Every published CVE, mapped to engagement reality.
Crawled from cve.org every day. Each entry is annotated with the QSearch coverage signal: how many of our agents, skills, and playbooks address the technique. Subscribe via RSS to pipe the feed into your SIEM, or get the weekly digest by email.
External Control of File Name or Path / Incorrect Permission Assignment for Critical Resource vulnerability in Olgu Computer Systems e-Belediye allows Manipulating Web Input to File System Calls. This issue affects e-Belediye: before 2.0.642.
Tags: CWE-73, CWE-732

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Software Panel allows Reflected XSS. This issue affects Panel: before v2.3.24.
Tags: elizsoftware, CWE-79

Plaintext Storage of a Password vulnerability in Eliz Software Panel allows Use of Known Domain Credentials. This issue affects Panel: before v2.3.24.
Tags: elizsoftware, CWE-256

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Eliz Software Panel allows Stored XSS. This issue affects Panel: before v2.3.24.
Tags: elizsoftware, CWE-79

Improper Restriction of Excessive Authentication Attempts vulnerability in Yordam Information Technology Yordam Library Automation System allows Interface Manipulation. This issue affects Yordam Library Automation System: before 20.1.
Tags: CWE-307

In the Linux kernel, the following vulnerability has been resolved:

ice: Add netif_device_attach/detach into PF reset flow

Ethtool callbacks can be executed while reset is in progress and try to access deleted resources, e.g. getting coalesce settings can result in a NULL pointer dereference seen below.

Reproduction steps:
Once the driver is fully initialized, trigger reset:
# echo 1 > /sys/class/net/<interface>/device/reset
When reset is in progress, try to get coalesce settings using ethtool:
# ethtool -c <interface>

BUG: kernel NULL pointer dereference, address: 0000000000000020
PGD 0 P4D 0
Oops: Oops: 0000 [#1] PREEMPT SMP PTI
CPU: 11 PID: 19713 Comm: ethtool Tainted: G S 6.10.0-rc7+ #7
RIP: 0010:ice_get_q_coalesce+0x2e/0xa0 [ice]
RSP: 0018:ffffbab1e9bcf6a8 EFLAGS: 00010206
RAX: 000000000000000c RBX: ffff94512305b028 RCX: 0000000000000000
RDX: 0000000000000000 RSI: ffff9451c3f2e588 RDI: ffff9451c3f2e588
RBP: 0000000000000000 R08: 0000000000000000 R09: 0000000000000000
R10: ffff9451c3f2e580 R11: 000000000000001f R12: ffff945121fa9000
R13: ffffbab1e9bcf760 R14: 0000000000000013 R15: ffffffff9e65dd40
FS: 00007faee5fbe740(0000) GS:ffff94546fd80000(0000) knlGS:0000000000000000
CS: 0010 DS: 0000 ES: 0000 CR0: 0000000080050033
CR2: 0000000000000020 CR3: 0000000106c2e005 CR4: 00000000001706f0
Call Trace:
<TASK>
ice_get_coalesce+0x17/0x30 [ice]
coalesce_prepare_data+0x61/0x80
ethnl_default_doit+0xde/0x340
genl_family_rcv_msg_doit+0xf2/0x150
genl_rcv_msg+0x1b3/0x2c0
netlink_rcv_skb+0x5b/0x110
genl_rcv+0x28/0x40
netlink_unicast+0x19c/0x290
netlink_sendmsg+0x222/0x490
__sys_sendto+0x1df/0x1f0
__x64_sys_sendto+0x24/0x30
do_syscall_64+0x82/0x160
entry_SYSCALL_64_after_hwframe+0x76/0x7e
RIP: 0033:0x7faee60d8e27

Calling netif_device_detach() before reset makes the net core not call the driver when an ethtool command is issued; the attempt to execute an ethtool command during reset will result in the following message:
netlink error: No such device
instead of a NULL pointer dereference. Once reset is done and ice_rebuild() is executing, netif_device_attach() is called to allow ethtool operations to occur again in a safe manner.
Tags: linux, CWE-476

Improper Control of Generation of Code ('Code Injection') vulnerability in SFS Consulting ww.Winsure allows Code Injection. This issue affects ww.Winsure: before 4.6.2.
Tags: sfs, CWE-94

Improper Restriction of XML External Entity Reference vulnerability in SFS Consulting ww.Winsure allows XML Injection. This issue affects ww.Winsure: before 4.6.2.
Tags: sfs, CWE-611

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in SFS Consulting InsureE GL allows SQL Injection. This issue affects InsureE GL: before 4.6.2.
Tags: sfs, CWE-89

Use of Hard-coded Credentials vulnerability in TNB Mobile Solutions Cockpit Software allows Read Sensitive Strings Within an Executable. This issue affects Cockpit Software: before v2.13.
Tags: tnbmobil, CWE-798

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) vulnerability in TE Informatics V5 allows Reflected XSS. This issue affects V5: before 6.2.
Tags: tebilisim, CWE-79, CWE-80

Missing Authentication for Critical Function vulnerability in Profelis Informatics and Consulting PassBox allows Authentication Abuse. This issue affects PassBox: before v1.2.
Tags: profelis, CWE-306

An issue was discovered in Mbed TLS 3.x before 3.6.1. With TLS 1.3, when a server enables optional authentication of the client, if the client-provided certificate does not have appropriate values in keyUsage or extKeyUsage extensions, then the return value of mbedtls_ssl_get_verify_result() would incorrectly have the MBEDTLS_X509_BADCERT_KEY_USAGE and MBEDTLS_X509_BADCERT_KEY_USAGE bits clear. As a result, an attacker that had a certificate valid for uses other than TLS client authentication would nonetheless be able to use it for TLS client authentication. Only TLS 1.3 servers were affected, and only with optional authentication (with required authentication, the handshake would be aborted with a fatal alert).
Tags: trustedfirmware, CWE-295

An issue was discovered in Mbed TLS 3.6 before 3.6.1. A stack buffer overflow in mbedtls_ecdsa_der_to_raw() and mbedtls_ecdsa_raw_to_der() can occur when the bits parameter is larger than the largest supported curve. In some configurations with PSA disabled, all values of bits are affected. (This never happens in internal library calls, but can affect applications that call these functions directly.)
Tags: trustedfirmware, CWE-121

An issue was discovered in Mbed TLS before 2.28.9 and 3.x before 3.6.1, in which the user-selected algorithm is not used. Unlike previously documented, enabling MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not cause the PSA subsystem to use HMAC_DRBG: it uses HMAC_DRBG only when MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG and MBEDTLS_CTR_DRBG_C are disabled.
Tags: trustedfirmware, CWE-696

An issue was discovered in Trusted Firmware-M through 2.0.0. The lack of argument verification in the logging subsystem allows attackers to read sensitive data via the login function.
Tags: trustedfirmware

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows SQL Injection. This issue affects Semtek Sempos: through 31072024.
Tags: semtekyazilim, CWE-89

Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Reflected XSS. This issue affects Semtek Sempos: through 31072024.
Tags: semtekyazilim, CWE-79

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Semtek Informatics Software Consulting Inc. Semtek Sempos allows Blind SQL Injection. This issue affects Semtek Sempos: through 31072024.
Tags: semtekyazilim, CWE-89

Missing Authorization vulnerability in SAMPAŞ Holding AKOS (AkosCepVatandasService), SAMPAŞ Holding AKOS (TahsilatService) allows Collect Data as Provided by Users. This issue affects AKOS (AkosCepVatandasService): before V2.0; AKOS (TahsilatService): before V1.0.7.
Tags: sambas, CWE-862