Skip to main content
CVE-2025-69749 MEDIUM POC This Month

Cross Site Scripting vulnerability in tale v.2.0.5 allows an attacker to execute arbitrary code. [CVSS 6.1 MEDIUM]

XSS Tale
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-1453 CRITICAL Act Now

Missing authentication in KiloView Encoder Series allows unauthenticated attackers to create or delete admin accounts on video encoding equipment.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-1188 CRITICAL PATCH Act Now

Buffer size miscalculation in Eclipse OMR port library since 0.2.0. An API function returning processor feature names has incorrect size allocation. Patch available.

Buffer Overflow Omr Suse
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-1595 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0 allows unauthenticated remote attackers to manipulate the student_id parameter in /admin/edit_student_query.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available, increasing the risk of active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1590 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the ID parameter in /ramonsys/faculty/index.php enables unauthenticated remote attackers to read, modify, or delete database contents. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1589 MEDIUM POC This Month

SQL injection in itsourcecode School Management System 1.0 via the txtsearch parameter in /ramonsys/inquiry/index.php enables unauthenticated remote attackers to execute arbitrary SQL queries with limited impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1594 MEDIUM POC This Month

SQL injection in itsourcecode Society Management System 1.0's expense administration interface allows unauthenticated remote attackers to manipulate the detail parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems expose confidentiality, integrity, and availability of underlying data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1593 MEDIUM POC This Month

Society Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-1587 MEDIUM POC This Month

Denial of service in Open5GS up to version 2.7.6 allows remote attackers to crash the SGWC service by manipulating the Modify Bearer Request handler in s11-handler.c. Public exploit code exists for this vulnerability and no patch is currently available. Organizations running affected versions should apply updates as they become available and consider network-level mitigations to restrict access to the S11 interface.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-1586 MEDIUM POC This Month

Remote denial of service in Open5GS up to version 2.7.5 affects the SGWC component's TEID-to-IP conversion function, allowing unauthenticated attackers to crash the service over the network. Public exploit code exists for this vulnerability, and while a fix has been developed, no official patch is currently available for affected deployments.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-24904 MEDIUM POC PATCH This Month

TrustTunnel VPN protocol versions prior to 0.9.115 contain a rule bypass vulnerability where fragmented TLS ClientHello messages fail to extract the client random value, causing the rules engine to skip client_random_prefix matching conditions and allow traffic that should be blocked. Public exploit code exists for this medium-severity network-accessible vulnerability affecting Industrial and TrustTunnel products. A patch is available for affected versions.

Industrial Trusttunnel
NVD GitHub
CVSS 3.1
5.3
EPSS
0.1%
CVE-2020-37007 MEDIUM POC This Month

Liman 0.7 contains a cross-site request forgery vulnerability that allows attackers to manipulate user account settings without proper request validation. [CVSS 5.3 MEDIUM]

CSRF Liman
NVD GitHub Exploit-DB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-22806 CRITICAL Act Now

Authorization bypass in vCluster Platform Kubernetes virtual cluster management before 4.6.0/4.5.4/4.4.4. Users can access resources outside their authorized virtual cluster scope.

Kubernetes
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-1457 HIGH This Week

Remote code execution in TP-Link VIGI C385 cameras results from improper input validation in the Web API that allows authenticated attackers to trigger buffer overflows and corrupt memory. An attacker with valid credentials can exploit this vulnerability to execute arbitrary code with elevated privileges on affected devices. No patch is currently available for this high-severity issue.

TP-Link RCE Buffer Overflow Memory Corruption Vigi C385 Firmware
NVD
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-1637 HIGH This Week

Tenda AC21 firmware versions up to 16.03.08.16 contain a stack-based buffer overflow in the /goform/AdvSetMacMtuWan endpoint that can be exploited remotely by authenticated attackers to achieve arbitrary code execution. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score (8.8) reflects the severity of this flaw affecting device confidentiality, integrity, and availability.

Buffer Overflow Stack Overflow Ac21 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2025-15549 MEDIUM POC This Month

FluentCMS 2026 contains a stored cross-site scripting vulnerability that allows authenticated administrators to upload SVG files with embedded JavaScript via the File Management module. [CVSS 4.8 MEDIUM]

XSS Fluentcms
NVD GitHub VulDB
CVSS 4.0
4.8
EPSS
0.0%
CVE-2025-13399 HIGH This Week

Vx800V Firmware contains a vulnerability that allows attackers to high impact to confidentiality, integrity, and availability of transmitted data (CVSS 8.8).

Information Disclosure Vx800v Firmware
NVD
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-1610 HIGH This Week

Ax12 Pro Firmware versions up to 16.03.49.24_cn is affected by use of hard-coded password (CVSS 8.1).

Authentication Bypass Ax12 Pro Firmware
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-14975 HIGH This Week

Custom Login Page Customizer WordPre versions up to 2.5.4 is affected by improper privilege management (CVSS 8.1).

WordPress PHP
NVD WPScan
CVSS 3.1
8.1
EPSS
0.0%
CVE-2025-7016 HIGH This Week

Improper Access Control vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Authentication Abuse.This issue affects QR Menu: before s1.05.12. [CVSS 8.0 HIGH]

Authentication Bypass Qr Menu
NVD VulDB
CVSS 3.1
8.0
EPSS
0.1%
CVE-2026-25063 HIGH PATCH This Week

Arbitrary code execution in gradle-completion versions up to 9.3.0 occurs when users perform Bash tab completion in directories with malicious Gradle build files, as the script fails to sanitize task names and descriptions. A local attacker can inject shell commands through backticks in task descriptions, which are executed automatically during completion without requiring the user to run any Gradle tasks. The vulnerability affects developers using Gradle with bash completion enabled.

Command Injection Gradle Completion
NVD GitHub
CVSS 3.1
7.8
EPSS
0.1%
CVE-2025-69604 HIGH This Week

An issue in Shirt Pocket's SuperDuper! 3.11 and earlier allow a local attacker to modify the default task template to install an arbitrary package that can run shell scripts with root privileges and Full Disk Access, thus bypassing macOS privacy controls. [CVSS 7.8 HIGH]

Privilege Escalation Apple Superduper
NVD
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-1601 LOW POC Monitor

A7000R Firmware versions up to 4.1cu.4154 contains a vulnerability that allows attackers to command injection (CVSS 6.3).

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
8.3%
CVE-2025-7714 HIGH This Week

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Global Interactive Design Media Software Inc. [CVSS 7.5 HIGH]

SQLi Content Management System
NVD VulDB
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-7713 HIGH This Week

Improper Neutralization of Input During Web Page Generation (XSS or 'Cross-site Scripting') vulnerability in Global Interactive Design Media Software Inc. Content Management System (CMS) allows XSS Through HTTP Headers.This issue affects Content Management System (CMS): through 21072025. [CVSS 7.5 HIGH]

XSS Content Management System
NVD VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-1616 HIGH PATCH This Week

Open Security Issue Management (OSIM) prior to v2025.9.0 contains a path traversal vulnerability in its nginx configuration that improperly concatenates URI and query string parameters, allowing unauthenticated remote attackers to access unauthorized files and directories. The vulnerability affects both OSIM and Nginx deployments using vulnerable configurations, enabling information disclosure through crafted query parameters. A patch is available for affected versions.

Nginx Path Traversal Open Security Issue Management
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-23571 MEDIUM This Month

TeamViewer DEX versions below 24.5 allow authenticated users with actioner privileges to execute arbitrary elevated commands on connected hosts through inadequate input validation in the 1E-Nomad-RunPkgStatusRequest instruction. An attacker with these credentials could inject malicious commands to gain unauthorized system access and control. The vulnerability requires user interaction and high-level privileges but carries a significant risk due to the potential for complete system compromise.

Command Injection Digital Employee Experience
NVD
CVSS 3.1
6.8
EPSS
0.1%
CVE-2026-1623 LOW POC Monitor

Command injection in Totolik A7000R firmware through the setUpgradeFW function allows unauthenticated remote attackers to execute arbitrary commands via a malicious FileName parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The device remains vulnerable as no patch is currently available.

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.1%
CVE-2026-23570 MEDIUM This Month

Log timestamp tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject malicious UDP Sync commands that corrupt event timestamps, undermining log integrity and forensic investigation capabilities. This input validation flaw affects Windows deployments of the NomadBranch service and could enable attackers to obscure the timeline of malicious activities or create misleading audit trails. No patch is currently available for this medium-severity vulnerability.

Windows Digital Employee Experience
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23566 MEDIUM This Month

Log tampering in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to inject, modify, or forge entries in the NomadBranch.log file through the UDP network handler, compromising log integrity and audit trail reliability. An attacker with network access can send crafted packets to the Content Distribution Service to manipulate logging records without authentication, potentially obscuring malicious activity or creating false audit entries.

Windows Digital Employee Experience
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23565 MEDIUM This Month

TeamViewer DEX Client versions prior to 26.1 contain a null pointer dereference in the NomadBranch.exe Content Distribution Service that allows adjacent network attackers to crash the process without authentication. An attacker can exploit this vulnerability to disable the Content Distribution Service, causing a denial-of-service condition on affected Windows systems. No patch is currently available.

Windows Digital Employee Experience
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-23569 MEDIUM This Month

TeamViewer DEX Client versions before 26.1 contain an out-of-bounds read in the Content Distribution Service that enables remote attackers to leak stack memory and trigger denial of service without authentication. Successful exploitation could disclose memory contents useful for bypassing address space layout randomization and chaining with other vulnerabilities. No patch is currently available for this medium-severity flaw affecting Windows deployments.

Windows Denial Of Service Digital Employee Experience
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-24845 MEDIUM PATCH This Month

malcontent discovers supply-chain compromises through. context, differential analysis, and YARA. [CVSS 6.5 MEDIUM]

Docker Malcontent Suse
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-24687 MEDIUM PATCH This Month

Authenticated users in Umbraco Forms versions 16 and 17 can exploit a path traversal vulnerability to read arbitrary files on Mac and Linux systems running the CMS. An attacker with backoffice access can enumerate and access sensitive files through the export endpoint by manipulating the fileName parameter. No patch is currently available, though the vulnerability is mitigated by restricting backoffice access and blocking path traversal sequences at the WAF level.

Linux Path Traversal Umbraco Forms
NVD GitHub
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23567 MEDIUM This Month

Denial-of-service in TeamViewer DEX Client versions prior to 26.1 allows adjacent network attackers to crash the NomadBranch.exe service by sending specially crafted UDP packets that trigger a heap buffer overflow. The vulnerability stems from an integer underflow in the UDP command handler that can be exploited without authentication or user interaction. Currently, no patch is available and the attack requires network adjacency to the affected system.

Windows Buffer Overflow Heap Overflow Integer Overflow Denial Of Service +1
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-23564 MEDIUM This Month

Digital Employee Experience is affected by cleartext transmission of sensitive information (CVSS 6.5).

Windows Digital Employee Experience
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15548 MEDIUM This Month

Some VX800v v1.0 web interface endpoints transmit sensitive information over unencrypted HTTP due to missing application layer encryption, allowing a network adjacent attacker to intercept this traffic and compromise its confidentiality. [CVSS 6.5 MEDIUM]

Information Disclosure Vx800v Firmware
NVD
CVSS 3.1
6.5
EPSS
0.0%
CVE-2025-15344 MEDIUM This Month

Tanium addressed a SQL injection vulnerability in Asset. [CVSS 6.3 MEDIUM]

SQLi Asset
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2025-15541 MEDIUM This Month

Improper link resolution in the VX800v v1.0 SFTP service allows authenticated adjacent attackers to use crafted symbolic links to access system files, resulting in high confidentiality impact and limited integrity risk. [CVSS 6.3 MEDIUM]

Path Traversal Vx800v Firmware
NVD
CVSS 3.1
6.3
EPSS
0.0%
CVE-2026-1600 LOW POC Monitor

Bhojon Restaurant Management System versions up to 20260116 contain a price manipulation vulnerability in the add-to-cart endpoint that allows authenticated attackers to bypass business logic controls. Public exploit code exists for this issue, and the vendor has not provided a patch despite early notification. While the direct impact is limited to price modification, this could enable financial fraud through order manipulation.

Information Disclosure Bhojon
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1597 LOW POC Monitor

Improper authorization in Bdtask SalesERP's administrative endpoint allows authenticated attackers to manipulate the ci_session parameter and gain unauthorized access to restricted functions. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. Affected versions through January 16, 2026 enable remote exploitation by any user with valid credentials.

Information Disclosure Saleserp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1552 LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1551 LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1599 LOW POC Monitor

Bhojon versions up to 20260116. contains a vulnerability that allows attackers to business logic errors (CVSS 4.3).

Information Disclosure Bhojon
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1588 LOW POC Monitor

A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. [CVSS 2.7 LOW]

Path Traversal Jsherp
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-1598 LOW POC Monitor

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. [CVSS 3.5 LOW]

XSS Bhojon
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-7015 MEDIUM This Month

Session Fixation vulnerability in Akın Software Computer Import Export Industry and Trade Ltd. QR Menu allows Session Fixation.This issue affects QR Menu: before s1.05.12. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-23563 MEDIUM This Month

Digital Employee Experience versions up to 26.1 is affected by improper link resolution before file access (CVSS 5.7).

Windows Digital Employee Experience
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-7014 MEDIUM This Month

Session Fixation vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Session Hijacking.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Information Disclosure Session Fixation
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
CVE-2025-7013 MEDIUM This Month

Authorization Bypass Through User-Controlled Key vulnerability in QR Menu Pro Smart Menu Systems Menu Panel allows Exploitation of Trusted Identifiers.This issue affects Menu Panel: through 29012026. NOTE: The vendor was contacted early about this disclosure but did not respond in any way. [CVSS 5.7 MEDIUM]

Authentication Bypass Menu Panel
NVD VulDB
CVSS 3.1
5.7
EPSS
0.0%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy