Skip to main content
CVE-2026-2135 LOW POC Monitor

Command injection in UTT HiPER 810 Firmware version 1.7.4-141218 allows authenticated remote attackers to execute arbitrary commands through manipulation of the policyNames parameter in the /goform/formPdbUpConfig endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with login credentials can achieve code execution with minimal complexity.

Command Injection 810 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2131 LOW POC Monitor

OS command injection in XixianLiang HarmonyOS-mcp-server 0.1.0 allows authenticated remote attackers to execute arbitrary commands through unsanitized input to the input_text function. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials can exploit this over the network to achieve remote code execution with limited complexity.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2178 LOW POC PATCH Monitor

Command injection in Xcode MCP Server's LLDB integration allows authenticated network attackers to execute arbitrary commands by manipulating the args parameter in the registerXcodeTools function. Public exploit code exists for this vulnerability, increasing the practical risk to organizations using affected versions. Users should apply the available patch to remediate this medium-severity flaw affecting the AI/ML tooling component.

Command Injection Xcode Mcp Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2169 LOW POC Monitor

Command injection in D-Link DWR-M921 firmware via the fota_url parameter allows authenticated remote attackers to execute arbitrary commands with network access. The vulnerability affects firmware version 1.1.50 and has public exploit code available. A patch is not currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2168 LOW POC Monitor

D-Link DWR-M921 firmware versions up to 1.1.50 contain a command injection vulnerability in the LTE firmware update function that allows authenticated remote attackers to execute arbitrary commands via a manipulated fota_url parameter. Public exploit code is available for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials could achieve remote code execution on affected devices.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2159 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2154 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2160 LOW POC Monitor

Simple Responsive Tourism Website versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2153 LOW POC Monitor

Doorman versions up to 0.6. is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

Open Redirect
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2146 LOW POC Monitor

Unrestricted file upload in Yshopmall up to version 1.9.1 allows authenticated attackers to upload arbitrary files via manipulation of the updateAvatar function in the FileUtil component. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vendor has not yet released a patch despite early notification.

File Upload Authentication Bypass Yshopmall
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2141 LOW POC PATCH Monitor

Improper authorization in WukongCRM up to version 11.3.3 allows authenticated remote attackers to manipulate URL handling logic and bypass access controls. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification. The flaw affects the PermissionServiceImpl component and enables attackers to gain unauthorized access to restricted functionality.

Java Information Disclosure Wukongcrm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2150 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2149 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2163 LOW POC Monitor

Command injection in D-Link DIR-600 firmware through the ssdp.cgi file allows remote attackers to execute arbitrary commands by manipulating HTTP parameters (HTTP_ST, REMOTE_ADDR, REMOTE_PORT, SERVER_ID). Public exploit code exists for this vulnerability, though it affects only unsupported product versions. The attack requires high-level privileges but has low complexity and impacts confidentiality, integrity, and availability.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-2179 LOW POC Monitor

SQL injection in PHPGurukul Hospital Management System 4.0's user management interface allows remote attackers with administrative privileges to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, though no patch is currently available. The attack requires high-level credentials but poses risks to data confidentiality, integrity, and availability within affected hospital deployments.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2162 LOW POC Monitor

SQL injection in the News Portal Project 1.0 admin panel (/admin/aboutus.php) allows authenticated attackers with high privileges to manipulate the pagetitle parameter and execute arbitrary SQL queries, potentially compromising database integrity and confidentiality. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access and valid administrative credentials but no user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2134 LOW POC Monitor

PHPGurukul Hospital Management System 4.0 contains a SQL injection vulnerability in the doctor management interface that allows authenticated remote attackers to manipulate the ID parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with administrative credentials could potentially extract or modify sensitive hospital data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2145 LOW POC Monitor

A vulnerability was identified in cym1102 nginxWebUI up to 4.3.7. The impacted element is an unknown function of the file /adminPage/conf/check of the component Web Management Interface. [CVSS 3.5 LOW]

XSS Nginxwebui
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2156 LOW POC Monitor

Online Student Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 2.4).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-2172 MEDIUM This Month

Online Application System For Admission versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2171 MEDIUM This Month

SQL injection in the login function of code-projects Online Student Management System 1.0 allows unauthenticated attackers to manipulate username and password parameters in accounts.php, enabling unauthorized data access, modification, and potential service disruption. Public exploit code is available for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2207 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Activity Publication Handler that allows unauthenticated remote attackers to access sensitive data through manipulation of the activities.js file. The vulnerability requires no user interaction and can be exploited over the network with low complexity. Users should upgrade to version 8.21 or apply patch 91a936e07d2976d4246dfe834281c3aaa87f9503 to remediate this issue.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.1%
CVE-2026-2208 MEDIUM PATCH This Month

Wekan versions up to 8.20 contain an authorization bypass in the Rules Handler component that allows authenticated remote attackers to access unauthorized information through the rules.js file. The vulnerability requires valid credentials but no user interaction, enabling low-impact confidentiality breaches. Upgrading to version 8.21 resolves this issue.

Authentication Bypass Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2205 MEDIUM PATCH This Month

WeKan versions up to 8.20 contain an information disclosure vulnerability in the Meteor Publication Handler's card publication mechanism that allows authenticated remote attackers to access sensitive data. The vulnerability requires valid credentials but no user interaction to exploit, and is resolved in version 8.21.

Information Disclosure Wekan
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2122 LOW Monitor

SQL injection in Xiaopi Panel's WAF Firewall component (up to version 20260126) allows authenticated remote attackers to manipulate the ID parameter in /demo.php and execute arbitrary SQL queries. Public exploit code is available and the vendor has not provided a patch despite early notification. This vulnerability requires valid credentials to exploit but enables attackers to access or modify sensitive database information.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy