Goal Reached Thanks to every supporter — we hit 100%!

Goal: 1000 CNY · Raised: 1336 CNY

100%

Core — Vulnerabilities & Security Advisories 88

All 88 CVE vulnerabilities found in Core, with AI-generated Chinese analysis, references, and POCs.

This page documents common vulnerabilities associated with core system components and libraries, categorized by vulnerability type and affected vendor. It aggregates security issues affecting fundamental operating system modules, kernel subsystems, and essential runtime environments across various software vendors. The collection includes disclosed weaknesses from the last three years, ensuring a comprehensive view of recent and historical security trends. Here, users can track vendor-specific advisories to stay informed about patches and mitigation strategies. You can also explore the characteristics and exploitability of specific weakness classes to better understand their impact on system integrity. Additionally, the page provides a detailed history of vulnerabilities linked to specific products, allowing for deeper analysis of recurring issues. This resource is designed for security professionals, developers, and system administrators seeking to assess risk and enhance defense postures. By consolidating data from multiple sources, it offers a unified perspective on core system security. The information is structured to facilitate easy navigation and thorough investigation. Whether you are auditing a system or developing secure code, this page serves as a vital reference for understanding the landscape of core vulnerabilities. It emphasizes the importance of keeping foundational software updated to prevent potential breaches. The data presented is strictly factual, focusing on technical details and remediation steps.

Vendor: Drupal

CVE IDTitleCVSSSeverityPublished
CVE-2026-48795 Incomplete fix for CVE-2026-25754 in @adonisjs/bodyparser CWE-1321 8.6 High2026-07-15
CVE-2026-49858 API Platform Core: Cross-user attribute leak in JSON:API and HAL item normalizers due to missing isCacheKeySafe gate CWE-524 5.9 Medium2026-07-01
CVE-2026-54164 API Platform Core: Missing IRI type check enables resource type confusion CWE-843 6.5 Medium2026-07-01
CVE-2026-55844 Home Assistant: iOS Companion App ignores internal SSID allowlist for connections – possible leak of access token and sensor data CWE-319 7.5 High2026-06-29
CVE-2026-54318 Home Assistant: Exported BroadcastReceiver allows local apps to spoof device location CWE-926 7.1 High2026-06-23
CVE-2026-54317 Home Assistant: Konnected alarm-panel switch state and zone topology disclosed to unauthenticated actors on the LAN CWE-200 7.6 High2026-06-23
CVE-2024-14036 Dräger Core 1.0.5 Denial of Service via Malformed SDC Message CWE-400 7.5 High2026-06-02
CVE-2026-44698 Home Assistant: Cross-origin iframe access token exfiltration via WebView JS bridge callback injection CWE-94 8.3 High2026-05-29
CVE-2026-44473 Ella Core: UE Downlink Redirection via Forged PDUSessionResourceSetupResponse CWE-358 7.1 High2026-05-27
CVE-2026-44475 Ella Core: UE Security Capability bypass on NGAP PathSwitchRequest CWE-358 6.1 Medium2026-05-27
CVE-2026-44474 Ella Core: Handover failures during concurrent Security Mode Command CWE-358 3.7 Low2026-05-27
CVE-2026-45158 OPNsense: Command Injection via Attacker-Controlled DHCP Config CWE-88 9.1 Critical2026-05-13
CVE-2026-44194 OPNsense: RCE on user managment CWE-78 9.1 Critical2026-05-13
CVE-2026-44195 OPNsense: Authentication lockout bypass CWE-307 5.3 Medium2026-05-13
CVE-2026-44193 OPNsense: RCE via XMLRPC endpoint using `opnsense.restore_config_section` method CWE-88 9.1 Critical2026-05-13
CVE-2026-42552 Flight: Sensitive information disclosure via default error handler in flightphp/core CWE-209 7.5 High2026-05-13
CVE-2026-42551 Flight: HTTP method override enabled by default enables CSRF escalation and middleware bypass in flightphp/core CWE-436 7.5 High2026-05-13
CVE-2026-42550 Flight: SQL Injection via unvalidated identifiers in SimplePdo::insert / update / delete CWE-89 8.8 High2026-05-13
CVE-2026-42549 Flight: Path traversal in `make:controller` CLI creates arbitrary directories outside project root CWE-22 4.4 Medium2026-05-13
CVE-2026-42548 Flight: Reflected XSS via unvalidated JSONP callback in Flight::jsonp() CWE-79--2026-05-13
CVE-2026-42278 UltraDAG: Smart Account Spending Policy Bypass via Pockets CWE-284 7.5AIHighAI2026-05-08
CVE-2026-40583 UltraDAG: SmartOp Vote Path Triggers Fatal Supply Invariant Halt CWE-460 9.1AICriticalAI2026-04-21
CVE-2026-34578 OPNsense has an LDAP Injection via Unsanitized Username in Authentication CWE-90 8.2 High2026-04-09
CVE-2026-34762 Ella Core Has Audit Log Falsification via Path/Body IMSI Mismatch in UpdateSubscriber CWE-20 2.7 Low2026-04-02
CVE-2026-34761 Ella Core Panics Upon NGAP handover failure CWE-476 5.8 Medium2026-04-02
CVE-2026-33907 Ella Core Panics during NAS Authentication Response/Failure with missing IEs CWE-476 6.5 Medium2026-03-27
CVE-2026-33906 Ella Core has Privilege Escalation via Database Restore by NetworkManager role CWE-269 7.2 High2026-03-27
CVE-2026-33904 Ella Core has a Denial of Service via SCTP connection cleanup deadlock CWE-833 6.5 Medium2026-03-27
CVE-2026-33903 Ella Core panics when processing a crafted NGAP LocationReport message CWE-476 6.5 Medium2026-03-27
CVE-2026-33045 Home Assistant has stored XSS in history-graphs CWE-79 6.1 -2026-03-27

All 88 known CVE vulnerabilities affecting Core with full Chinese analysis, references, and POCs where available.