Skip to main content
CVE-2026-1150 LOW POC Monitor

Command injection in Totolik LR350 firmware through the setTracerouteCfg function allows authenticated remote attackers to execute arbitrary system commands via a malicious POST request to /cgi-bin/cstecgi.cgi. Public exploit code is available and the vulnerability remains unpatched, creating immediate risk for deployed devices. An attacker with network access and valid credentials can achieve code execution with full device compromise potential.

Command Injection Lr350 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-1149 LOW POC Monitor

Command injection in Totolink LR350 firmware allows authenticated remote attackers to execute arbitrary commands through the ip parameter in the setDiagnosisCfg function. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should restrict access to the affected device until a fix is released.

Command Injection Lr350 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-1144 LOW POC PATCH Monitor

Use-after-free in QuickJS up to version 0.11.0 within the Atomics Ops Handler allows remote attackers to trigger memory corruption without authentication. Public exploit code exists for this vulnerability, enabling potential information disclosure or denial of service. A patch is available and should be applied immediately.

Buffer Overflow Denial Of Service Quickjs
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1145 LOW POC PATCH Monitor

Heap-based buffer overflow in QuickJS up to version 0.11.0 within the js_typed_array_constructor_ta function allows remote attackers to corrupt memory and potentially achieve code execution with user interaction. Public exploit code exists for this vulnerability, increasing practical attack risk. A patch is available and should be applied immediately.

Buffer Overflow Quickjs
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1141 LOW POC Monitor

PHPGurukul News Portal 1.0 contains an authorization bypass in the /admin/add-subadmins.php component that allows authenticated attackers to gain unauthorized access and modify system data. Public exploit code exists for this vulnerability, making it readily exploitable by remote actors. A patch is not currently available, leaving installations vulnerable until an update is released.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1142 LOW POC Monitor

PHPGurukul News Portal 1.0 contains a cross-site request forgery vulnerability that allows unauthenticated attackers to perform unauthorized actions on behalf of authenticated users through crafted requests. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The flaw affects the integrity of user actions but does not compromise confidentiality or availability.

CSRF News Portal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1193 LOW POC Monitor

Improper authorization in MineAdmin 1.x/2.x allows authenticated remote attackers to gain unauthorized access through the View Interface cache component. Public exploit code exists for this vulnerability, and the vendor has not provided a patch or response to disclosure requests. An attacker with valid credentials can exploit this to read, modify, or disrupt system operations.

Information Disclosure Mineadmin
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1135 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the Title parameter in /admin/activity.php. Public exploit code exists for this vulnerability, enabling potential attacks against affected deployments. A security patch is not currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1134 LOW POC Monitor

Reflected cross-site scripting in itsourcecode Society Management System 1.0 allows remote attackers to inject malicious scripts through the detail parameter in /admin/expenses.php, potentially compromising administrator sessions and data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving deployed instances at risk of client-side attacks.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1153 LOW POC Monitor

Cross-site request forgery in Mpay up to version 1.2.4 allows unauthenticated remote attackers to perform unauthorized actions via a crafted request. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to attack.

CSRF Mpay
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1154 LOW POC Monitor

E-Learning System versions up to 1.0 contains a vulnerability that allows attackers to basic cross site scripting (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1169 LOW POC Monitor

Cross-site request forgery (CSRF) in Birkir Prime through version 0.4.0.beta.0 allows remote attackers to perform unauthorized actions on behalf of authenticated users through malicious web requests. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch has been released as of this advisory.

CSRF Prime
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1152 LOW POC Monitor

Mpay versions up to 1.2.4 contain an unrestricted file upload vulnerability in the QR Code Image Handler component via the codeimg parameter, allowing remote attackers with high privileges to upload arbitrary files. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires administrative credentials but carries moderate risk with potential impacts to confidentiality, integrity, and availability.

File Upload Authentication Bypass Mpay
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-1151 LOW POC Monitor

A weakness has been identified in technical-laohu mpay up to 1.2.4. The affected element is an unknown function of the component User Center. [CVSS 2.4 LOW]

XSS Mpay
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-23522 LOW Monitor

LobeChat is an open source chat application platform. Prior to version 2.0.0-next.193, `knowledgeBase.removeFilesFromKnowledgeBase` tRPC ep allows authenticated users to delete files from any knowledge base without verifying ownership. `userId` filter in the database query is commented out, so it's enabling attackers to delete other users' KB files if they know the knowledge base ID and file ID...

Authentication Bypass
NVD GitHub
CVSS 3.1
3.7
EPSS
0.1%
CVE-2025-55249 LOW Monitor

HCL AION is affected by a Missing Security Response Headers vulnerability. The absence of standard security headers may weaken the application’s overall security posture and increase its susceptibility to common web-based attacks. [CVSS 3.5 LOW]

Information Disclosure Aion
NVD
CVSS 3.1
3.5
EPSS
0.1%
CVE-2025-55251 LOW Monitor

HCL AION is affected by an Unrestricted File Upload vulnerability. This can allow malicious file uploads, potentially resulting in unauthorized code execution or system compromise. [CVSS 3.1 LOW]

File Upload RCE Aion
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-55252 LOW Monitor

Aion versions up to 2.0 contains a vulnerability that allows attackers to the use of easily guessable passwords, potentially resulting in unauthorized acc (CVSS 3.1).

Authentication Bypass Brute Force
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2025-52659 LOW Monitor

Aion versions up to 2.0 contains a vulnerability that allows attackers to unintended storage of sensitive or dynamic content, potentially resulting in una (CVSS 2.8).

Information Disclosure Authentication Bypass Aion
NVD
CVSS 3.1
2.8
EPSS
0.0%
CVE-2025-52660 LOW Monitor

Aion versions up to 2.0 contains a vulnerability that allows attackers to malicious file uploads, potentially resulting in unauthorized code execution or (CVSS 2.7).

File Upload RCE Aion
NVD
CVSS 3.1
2.7
EPSS
0.1%
CVE-2025-52661 LOW Monitor

HCL AION version 2 is affected by a JWT Token Expiry Too Long vulnerability. This may increase the risk of token misuse, potentially resulting in unauthorized access if the token is compromised. [CVSS 2.4 LOW]

Authentication Bypass Aion
NVD
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-1161 LOW Monitor

A vulnerability was detected in pbrong hrms 1.0.1. The affected element is the function UpdateRecruitmentById of the file /handler/recruitment.go. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1136 LOW Monitor

A weakness has been identified in lcg0124 BootDo up to e93dd428ef6f5c881aa74d49a2099ab0cf1e0fcb. Affected is the function Save of the file /blog/bContent/save of the component ContentController. [CVSS 3.5 LOW]

XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1147 LOW Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-1146 LOW Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-55250 LOW Monitor

HCL AION version 2 is affected by a Technical Error Disclosure vulnerability. This can expose sensitive technical details, potentially resulting in information disclosure or aiding further attacks. [CVSS 1.8 LOW]

Information Disclosure Aion
NVD
CVSS 3.1
1.8
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy