Logo
Retour à la veille

CVE-2026-13514

Publié : 29 juin 2026
Modifié : 29 juin 2026
Lien officiel NVD
Score CVSS
2.4
LOW

Description détaillée

A weakness has been identified in Chess Play and Learn App up to 4.9.42 on Android. This issue affects some unknown processing of the file AndroidManifest.xml of the component com.chess. This manipulation causes exposure of backup file to an unauthorized control sphere. It is feasible to perform the attack on the physical device. The exploit has been made available to the public and could be used for attacks. Upgrading the affected component is advised. The vendor was informed early about this issue. They confirmed the existence and that they will address it. Furthermore, they explain that their bug bounty "explicitly excludes physical-access attacks". However, they appreciate the quality of the report and aim at making a goodwill payment to the researcher.

Vecteur d'attaque (CVSS)

Vecteur brut :CVSS:3.1/AV:P/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Références et Patchs

https://github.com/honestcorrupt/CHESS.COM-CVE-REQUESThttps://play.google.com/store/apps/details?id=com.chesshttps://vuldb.com/cve/CVE-2026-13514https://vuldb.com/submit/838880https://vuldb.com/vuln/374522https://vuldb.com/vuln/374522/cti

Dernières Vulnérabilités

CVE-2026-14160

Time-of-check time-of-use (TOCTOU) race condition vulnerability in Samsung Open Source Escargot allows Leveraging Race Conditions. This issue affects Escargot: bab3a5797557014ce3c2e28419a6310cfba90d0d.

VOIR DÉTAILS

CVE-2026-12114

The Team Members – Multi Language Supported Team Plugin plugin for WordPress is vulnerable to Stored Cross-Site Scripting via admin settings in all versions up to, and including, 8.7 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

VOIR DÉTAILS

CVE-2026-58302

rtapi_app in linuxcnc-uspace in LinuxCNC before 2.9.9 allows privilege escalation. It is installed SUID root and loads shared library modules via dlopen() by using a user-supplied module name. Insufficient validation of the module name allows path traversal, enabling an unprivileged local user to load an arbitrary shared library. Because the process retains elevated privileges during module loading, this results in local privilege escalation to root.

VOIR DÉTAILS