VYPR
AI Brief2026-07-07· generated Jul 7, 2026

What you need to know today.

Critical vulnerabilities in NVK iBSG, Vinchin Backup, and Pentaminds CuroVMS expose systems to command injection, default credentials, and data leaks.

N.V.K.INTER CO., LTD. (NVK) iBSG v3.5 is affected by multiple critical vulnerabilities, including OS command injection (CVE-2023-39809), a hardcoded root password (CVE-2023-39808), and SQL injection (CVE-2023-39807). These flaws allow for unauthorized access and potential system compromise. The default credentials in Vinchin Backup & Recovery v7.2 (CVE-2024-22902) also present a critical risk, enabling attackers to gain root access. Additionally, Pentaminds CuroVMS v2.0.1 suffers from exposed credentials (CVE-2024-40583) and sensitive information disclosure (CVE-2024-40582), further increasing the attack surface for organizations using these products.

Tinxy WiFi Lock Controller v1 RF has a critical vulnerability (CVE-2025-44619) where it transmits on an open Wi-Fi network, allowing unauthenticated access. Phpgurukul Bus Pass Management System 1.0 is impacted by a critical SQL injection flaw (CVE-2022-35156) and a medium-severity reflected XSS vulnerability (CVE-2022-35155), both related to the searchdata parameter. OpenWRT's LuCI web interface (versions 19.07 and lower) has a medium-severity XSS vulnerability (CVE-2021-27821). StackRox is affected by an important denial-of-service vulnerability (CVE-2026-9165) due to unbounded GraphQL query depth, impacting authenticated users. Several low-risk vulnerabilities were also identified in HdrHistogram (CVE-2026-14683, CVE-2026-14684, CVE-2026-14685, CVE-2026-14686) and GPAC (CVE-2026-14790) related to buffer overflows and null pointer dereferences.

Synthesized by Vypr AI
NVK iBSG, Vinchin Backup Face Critical Flaws · VYPR