Skip to main content
CVE-2026-1505 HIGH POC This Week

Command injection in D-Link DIR-615 firmware via the /set_temp_nodes.php URL Filter component allows unauthenticated remote attackers to execute arbitrary OS commands. Public exploit code exists for this vulnerability, which affects legacy unsupported devices with a 7.2 CVSS score and no available patch.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.7%
CVE-2026-1506 HIGH POC This Week

Unauthenticated remote attackers can inject arbitrary OS commands through the MAC filter configuration parameter in D-Link DIR-615 firmware version 4.10 and potentially earlier versions. Public exploit code exists for this vulnerability, and affected devices are no longer receiving security updates from D-Link. Successful exploitation grants complete system compromise with high impact to confidentiality, integrity, and availability.

D-Link PHP Command Injection Dir 615 Firmware
NVD VulDB
CVSS 3.1
7.2
EPSS
0.1%
CVE-2026-24835 HIGH POC PATCH This Week

Podman Desktop versions prior to 1.25.1 contain an authentication bypass in the extension permission framework where the `isAccessAllowed()` function always returns true, allowing malicious extensions to hijack authentication sessions and access sensitive resources without authorization. Public exploit code exists for this vulnerability, affecting all current deployments of the affected product. Administrators should upgrade to version 1.25.1 or later immediately.

Kubernetes Authentication Bypass Podman Desktop Red Hat Podman
NVD GitHub
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-24888 MEDIUM POC PATCH This Month

Maker.js versions up to 0.19.1 improperly validate object properties in the `extendObject` function, allowing inherited and malicious properties to be copied to target objects without filtering. Applications using the library are vulnerable to property injection attacks, and public exploit code exists for this vulnerability. A patch is available in version 0.19.2.

Code Injection Maker.Js
NVD GitHub
CVSS 3.1
6.5
EPSS
0.6%
CVE-2020-36968 MEDIUM POC This Month

M/Monit 3.7.4 contains an authentication vulnerability that allows authenticated attackers to retrieve user password hashes through an administrative API endpoint. [CVSS 6.5 MEDIUM]

Authentication Bypass M Monit
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2025-69601 MEDIUM POC This Month

A directory traversal (Zip Slip) vulnerability exists in the “Static Sites” feature of 66biolinks v44.0.0 by AltumCode. Uploaded ZIP archives are automatically extracted without validating or sanitizing file paths. [CVSS 6.5 MEDIUM]

Path Traversal 66biolinks
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-65887 MEDIUM POC This Month

A division-by-zero vulnerability in the flow.floor_divide() component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input tensor with zero. [CVSS 6.5 MEDIUM]

Denial Of Service Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2020-36973 MEDIUM POC This Month

PDW File Browser 1.3 contains a remote code execution vulnerability that allows authenticated users to upload and rename webshell files to arbitrary web server locations. [CVSS 6.5 MEDIUM]

PHP RCE Path Traversal
NVD GitHub Exploit-DB
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-71004 MEDIUM POC This Month

A segmentation violation in the oneflow.logical_or component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-71005 MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.view component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-71002 MEDIUM POC This Month

A floating-point exception (FPE) in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.1%
CVE-2025-54373 MEDIUM POC PATCH This Month

OpenEMR is a free and open source electronic health records and medical practice management application. Versions prior to 7.0.4 have a vulnerability where sensitive data is unintentionally revealed to unauthorized parties. [CVSS 6.5 MEDIUM]

Information Disclosure Openemr
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-71006 MEDIUM POC This Month

A floating point exception (FPE) in the oneflow.reshape component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service AI / ML Oneflow
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-61728 MEDIUM POC PATCH This Month

archive/zip uses a super-linear file name indexing algorithm that is invoked the first time a file in an archive is opened. This can lead to a denial of service when consuming a maliciously constructed ZIP archive. [CVSS 6.5 MEDIUM]

Denial Of Service Go Red Hat Suse
NVD VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-71001 MEDIUM POC This Month

A segmentation violation in the flow.column_stack component of OneFlow v0.9.0 allows attackers to cause a Denial of Service (DoS) via a crafted input. [CVSS 6.5 MEDIUM]

Denial Of Service Oneflow Buffer Overflow Information Disclosure
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24739 MEDIUM POC PATCH This Month

Symfony versions up to 5.4.51 contains a vulnerability that allows attackers to operations being performed on an unintended path, up to and including deletion o (CVSS 6.3).

Windows PHP Symfony
NVD GitHub
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-24768 MEDIUM POC PATCH This Month

NocoDB versions prior to 0.301.0 contain an open redirect vulnerability in the login flow where the `continueAfterSignIn` parameter is not validated, allowing attackers to redirect authenticated users to arbitrary external websites. Public exploit code exists for this vulnerability, which enables phishing attacks by abusing user trust in the legitimate login process to facilitate credential theft through social engineering. Authenticated users are at risk of being redirected to attacker-controlled domains immediately after successful login.

Privilege Escalation Authentication Bypass Open Redirect Nocodb
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-0749 MEDIUM POC This Month

Cross-site scripting (XSS) in Drupal Form Builder 7.x versions 1.0 through 1.22 allows unauthenticated attackers to inject malicious scripts through improperly sanitized form inputs, affecting users who interact with compromised forms. Public exploit code exists for this vulnerability, and no patch is currently available, leaving vulnerable installations at active risk of session hijacking, credential theft, and defacement.

Drupal XSS Form Builder
NVD HeroDevs
CVSS 3.1
6.1
EPSS
0.0%
CVE-2025-57792 CRITICAL Act Now

Explorance Blue versions before 8.14.9 have a CVSS 10.0 SQL injection vulnerability enabling unauthenticated attackers to fully compromise the survey and assessment database.

SQLi Blue
NVD GitHub
CVSS 3.1
10.0
EPSS
0.1%
CVE-2025-57795 CRITICAL Act Now

Explorance Blue before 8.14.13 has an authenticated remote file download vulnerability in a web service that allows downloading arbitrary files from the server.

RCE Blue
NVD GitHub
CVSS 3.1
9.9
EPSS
0.3%
CVE-2026-1056 CRITICAL Act Now

Snow Monkey Forms WordPress plugin has an arbitrary file deletion vulnerability through insufficient path validation, enabling attackers to delete critical WordPress files.

WordPress PHP RCE
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-1536 MEDIUM POC PATCH This Month

HTTP header injection in libsoup through CRLF sequences in the Content-Disposition header allows unauthenticated remote attackers to inject arbitrary headers or split responses without user interaction. Public exploit code exists for this vulnerability. The flaw affects any application using vulnerable versions of libsoup to process untrusted HTTP headers, with no patch currently available.

Code Injection Red Hat Suse
NVD VulDB
CVSS 3.1
5.8
EPSS
0.1%
CVE-2025-61140 CRITICAL PATCH Act Now

jsonpath library 1.1.1 has a prototype pollution vulnerability in the value function that allows attackers to modify JavaScript object prototypes and potentially achieve RCE.

Jsonpath Information Disclosure Prototype Pollution
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1545 MEDIUM POC This Month

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1535 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminReply.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary SQL queries, potentially compromising database confidentiality and integrity. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1534 MEDIUM POC This Month

SQL injection in Online Music Site 1.0's AdminEditUser.php allows unauthenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, enabling potential data theft, modification, or service disruption. No patch is currently available, leaving affected installations vulnerable.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2020-36993 MEDIUM POC PATCH This Month

LimeSurvey 4.3.10 contains a stored cross-site scripting vulnerability in the Survey Menu functionality of the administration panel. [CVSS 5.4 MEDIUM]

XSS Limesurvey
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2020-36988 MEDIUM POC This Month

PDW File Browser version 1.3 contains stored and reflected cross-site scripting vulnerabilities that allow authenticated attackers to inject malicious scripts through file rename and path parameters. [CVSS 5.4 MEDIUM]

XSS
NVD GitHub Exploit-DB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-1521 MEDIUM POC PATCH This Month

Remote denial of service in Open5GS up to version 2.7.6 allows unauthenticated attackers to crash the SGWC component by manipulating bearer resource failure indication messages. Public exploit code exists for this vulnerability, and a patch is available in commit 69b53add90a9479d7960b822fc60601d659c328b.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1522 MEDIUM POC PATCH This Month

Remote denial of service in Open5GS up to version 2.7.6 affects the SGWC component's bearer response handler, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, though a patch (commit b19cf6a) is available to resolve it.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2025-57794 CRITICAL Act Now

Explorance Blue before 8.14.9 has an authenticated file upload vulnerability allowing administrators to upload executable files to the server.

RCE Blue
NVD GitHub
CVSS 3.1
9.1
EPSS
0.4%
CVE-2026-24838 CRITICAL PATCH Act Now

DNN (DotNetNuke) CMS has a stored XSS vulnerability (CVSS 9.1) allowing persistent script injection that executes for all users viewing the affected content.

.NET Dotnetnuke
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-24785 CRITICAL PATCH Act Now

Clatter Noise protocol library has a broken cryptographic algorithm implementation that weakens post-quantum security guarantees in encrypted communications.

Information Disclosure Clatter
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-24766 MEDIUM POC PATCH This Month

Prototype pollution in NocoDB's connection test endpoint allows authenticated org-level creators to disrupt all database write operations application-wide until server restart, with public exploit code available. Although the vulnerability can bypass SUPER_ADMIN authorization checks, the resulting denial of service prevents actual exploitation of elevated privileges. The issue affects versions prior to 0.301.0 with no patch currently available.

Code Injection Nocodb
NVD GitHub
CVSS 3.1
4.9
EPSS
0.2%
CVE-2026-24772 HIGH This Week

Token decryption in OpenProject 17.0 allows authenticated attackers to intercept and decrypt 24-hour authentication tokens by exploiting insufficient validation of backend URLs in the real-time collaboration synchronization server. An attacker with valid credentials could redirect the synchronization server to a controlled endpoint, forcing it to send the decrypted token and enabling unauthorized access to document collaboration features. No patch is currently available for this high-severity vulnerability affecting authenticated users.

Authentication Bypass Openproject
NVD GitHub
CVSS 3.1
8.9
EPSS
0.0%
CVE-2026-24767 MEDIUM POC PATCH This Month

NocoDB versions prior to 0.301.0 contain a blind SSRF vulnerability in the uploadViaURL feature where an unvalidated HEAD request allows authenticated attackers to probe arbitrary URLs and internal networks before SSRF protections are enforced. Public exploit code exists for this vulnerability, though it has limited impact due to the lack of response data exfiltration. Users should upgrade to version 0.301.0 or later, though no patch is currently available for older versions.

SSRF Nocodb Suse
NVD GitHub
CVSS 3.1
4.9
EPSS
0.0%
CVE-2025-14386 HIGH This Week

The Search Atlas SEO - Premier SEO Plugin for One-Click WP Publishing & Integrated AI Optimization plugin for WordPress is vulnerable to authentication bypass due to a missing capability check on the 'generate_sso_url' and 'validate_sso_token' functions in versions 2.4.4 to 2.5.12. [CVSS 8.8 HIGH]

WordPress Authentication Bypass PHP
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-24685 HIGH This Week

Arbitrary file write in OpenProject versions before 16.6.6 and 17.0.2 allows authenticated users with repository browse permissions to inject malicious git command options via a crafted rev parameter, enabling creation or overwriting of arbitrary files with the privileges of the OpenProject process. An attacker can exploit the `/projects/:project_id/repository/diff.diff` endpoint to write git show output to attacker-controlled file paths on the server. No patch is currently available for this high-severity vulnerability affecting the open-source project management platform.

Denial Of Service Openproject
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-0844 HIGH This Week

Simple User Registration (WordPress plugin) versions up to 6.7 is affected by improper access control (CVSS 8.8).

WordPress Privilege Escalation Authentication Bypass
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-69517 HIGH This Week

An HTML injection vulnerability in Amidaware Inc Tactical RMM v1.3.1 and earlier allows authenticated users to inject arbitrary HTML content during the creation of a new agent via the POST /api/v3/newagent/ endpoint. The agent_id parameter accepts up to 255 characters and is improperly sanitized using DOMPurify.sanitize() with the html: true option enabled, which fails to adequately filter HTML input. The injected HTML is rendered in the Tactical RMM management panel when an administrator att...

RCE Code Injection
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-58150 HIGH PATCH This Week

Shadow mode tracing code uses a set of per-CPU variables to avoid cumbersome parameter passing. Some of these variables are written to with guest controlled data, of guest controllable size. [CVSS 8.8 HIGH]

Buffer Overflow Xen Suse
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-24839 MEDIUM POC PATCH This Month

Dokploy versions up to 0.26.6 is affected by improper restriction of rendered ui layers or frames (CVSS 4.7).

XSS Dokploy
NVD GitHub
CVSS 3.1
4.7
EPSS
0.0%
CVE-2025-57793 HIGH This Week

Explorance Blue versions prior to 8.14.9 contain a SQL injection vulnerability caused by insufficient validation of user-supplied input in a web application component. Crafted input can be executed as part of backend database queries. [CVSS 8.6 HIGH]

SQLi Blue
NVD GitHub
CVSS 3.1
8.6
EPSS
0.1%
CVE-2025-13982 HIGH PATCH This Week

Login Time Restriction versions up to 1.0.3. is affected by cross-site request forgery (csrf) (CVSS 8.1).

Drupal CSRF Login Time Restriction
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14472 HIGH PATCH This Week

Cross-Site Request Forgery (CSRF) vulnerability in Drupal Acquia Content Hub allows Cross Site Request Forgery.This issue affects Acquia Content Hub: from 0.0.0 before 3.6.4, from 3.7.0 before 3.7.3. [CVSS 8.1 HIGH]

Drupal CSRF Acquia Content Hub
NVD
CVSS 3.1
8.1
EPSS
0.0%
CVE-2020-36944 MEDIUM POC This Month

ILIAS Learning Management System 4.3 contains a server-side request forgery vulnerability that allows attackers to read local files through portfolio PDF export functionality. [CVSS 4.0 MEDIUM]

SSRF Ilias
NVD GitHub Exploit-DB
CVSS 3.1
4.0
EPSS
0.0%
CVE-2025-59894 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59893 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Syncbreeze Diskpulse
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59892 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
CVSS 3.1
8.0
EPSS
0.0%
CVE-2025-59891 HIGH This Week

Cross-Site request forgery (CSRF) vulnerability in Sync Breeze Enterprise Server v10.4.18 and Disk Pulse Enterprise v10.4.18. An authenticated user could cause another user to perform unwanted actions within the application they are logged into. [CVSS 8.0 HIGH]

CSRF Diskpulse Syncbreeze
NVD
CVSS 3.1
8.0
EPSS
0.0%
Prev Page 2 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy