Skip to main content
CVE-2026-1601 LOW POC Monitor

A7000R Firmware versions up to 4.1cu.4154 contains a vulnerability that allows attackers to command injection (CVSS 6.3).

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
8.3%
CVE-2026-1623 LOW POC Monitor

Command injection in Totolik A7000R firmware through the setUpgradeFW function allows unauthenticated remote attackers to execute arbitrary commands via a malicious FileName parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The device remains vulnerable as no patch is currently available.

Command Injection A7000r Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.1%
CVE-2026-1600 LOW POC Monitor

Bhojon Restaurant Management System versions up to 20260116 contain a price manipulation vulnerability in the add-to-cart endpoint that allows authenticated attackers to bypass business logic controls. Public exploit code exists for this issue, and the vendor has not provided a patch despite early notification. While the direct impact is limited to price modification, this could enable financial fraud through order manipulation.

Information Disclosure Bhojon
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1597 LOW POC Monitor

Improper authorization in Bdtask SalesERP's administrative endpoint allows authenticated attackers to manipulate the ci_session parameter and gain unauthorized access to restricted functions. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. Affected versions through January 16, 2026 enable remote exploitation by any user with valid credentials.

Information Disclosure Saleserp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1552 LOW POC Monitor

SQL injection in SEMCMS 5.0 via the searchml parameter in /SEMCMS_Info.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1551 LOW POC Monitor

School Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1599 LOW POC Monitor

Bhojon versions up to 20260116. contains a vulnerability that allows attackers to business logic errors (CVSS 4.3).

Information Disclosure Bhojon
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1588 LOW POC Monitor

A vulnerability was found in jishenghua jshERP up to 3.6. The impacted element is the function install of the file /jshERP-boot/plugin/installByPath of the component com.gitee.starblues.integration.operator.DefaultPluginOperator. [CVSS 2.7 LOW]

Path Traversal Jsherp
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-1598 LOW POC Monitor

A vulnerability was found in Bdtask Bhojon All-In-One Restaurant Management System up to 20260116. Impacted is an unknown function of the file /dashboard/home/profile of the component User Information Module. [CVSS 3.5 LOW]

XSS Bhojon
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-53869 LOW Monitor

Multiple MFPs provided by Brother Industries, Ltd. does not properly validate server certificates, which may allow a man-in-the-middle attacker to replace the set of root certificates used by the product with a set of arbitrary certificates. [CVSS 3.7 LOW]

Authentication Bypass
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2025-15288 LOW Monitor

Tanium addressed an improper access controls vulnerability in Interact. [CVSS 3.1 LOW]

Authentication Bypass Interact
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-25046 LOW Monitor

Kimi Agent SDK is a set of libraries that expose the Kimi Code (Kimi CLI) agent runtime in applications. The vsix-publish.js and ovsx-publish.js scripts pass filenames to execSync() as shell command strings. [CVSS 2.9 LOW]

Command Injection RCE
NVD GitHub
CVSS 3.1
2.9
EPSS
0.0%
CVE-2026-1596 LOW Monitor

Command injection in D-Link DWR-M961 firmware (version 1.1.47) allows unauthenticated remote attackers to execute arbitrary commands through the fota_url parameter in the LTE firmware upgrade function. Public exploit code exists for this vulnerability, which requires low privileges but no user interaction to exploit. No patch is currently available for affected devices.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-1625 LOW Monitor

Command injection in D-Link DWR-M961 firmware version 1.1.47 allows authenticated remote attackers to execute arbitrary commands via manipulation of the action_value parameter in the SMS message handling function. The vulnerability requires valid credentials but no user interaction, and public exploit code is available. Affected systems can suffer unauthorized command execution, data theft, and potential device compromise.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-1624 LOW Monitor

Command injection in D-Link DWR-M961 firmware through the /boafrm/formLtefotaUpgradeFibocom endpoint allows authenticated remote attackers to execute arbitrary commands by manipulating the fota_url parameter. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy