Skip to main content
CVE-2026-2528 LOW POC Monitor

Command injection in the Wavlink WL-WN579A3 wireless router firmware allows authenticated remote attackers to execute arbitrary commands through the delete_list parameter in the /cgi-bin/wireless.cgi endpoint. Public exploit code exists for this vulnerability, and no vendor patch is currently available. Affected devices running firmware versions up to 20210219 face risk of complete system compromise from authenticated network access.

Command Injection Wl Wn579a3 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2527 LOW POC Monitor

Wl-Wn579A3 Firmware versions up to 20210219. contains a vulnerability that allows attackers to command injection (CVSS 6.3).

Command Injection Wl Wn579a3 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2535 LOW POC Monitor

Command injection in Comfast CF-N1 V2 2.6.0.2 firmware allows authenticated remote attackers to execute arbitrary commands via the channel parameter in the /cgi-bin/mbox-config endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An attacker with valid credentials can achieve remote code execution with limited integrity and confidentiality impact.

Command Injection Cf N1 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2534 LOW POC Monitor

Command injection in Comfast CF-N1 V2 firmware version 2.6.0.2 allows authenticated remote attackers to execute arbitrary commands through the bandwidth parameter in the /cgi-bin/mbox-config endpoint. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Command Injection Cf N1 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2530 LOW POC Monitor

The WL-WN579A3 wireless router firmware contains a command injection vulnerability in the AddMac function of /cgi-bin/wireless.cgi that allows authenticated remote attackers to execute arbitrary commands with medium impact on confidentiality, integrity, and availability. Public exploit code is available for this vulnerability, and no patch has been released despite vendor notification. Affected systems running firmware versions up to 20210219 require immediate mitigation through network segmentation or device replacement.

Command Injection Wl Wn579a3 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2526 LOW POC Monitor

Command injection in Wavlink WL-WN579A3 firmware through the SSID2G2 parameter of /cgi-bin/wireless.cgi allows authenticated remote attackers to execute arbitrary commands with limited privileges. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor. The flaw affects confidentiality, integrity, and availability of affected devices.

Command Injection Wl Wn579a3 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-2560 LOW POC Monitor

OS command injection in Kodbox up to version 1.64.05 allows remote authenticated attackers to execute arbitrary commands through the localFile parameter in the Media File Preview Plugin's VideoResize class. Public exploit code exists for this vulnerability, and the vendor has not provided patches or responded to disclosure efforts. The attack requires valid credentials but does not need user interaction and can fully compromise affected systems through command execution.

PHP Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-2551 LOW POC Monitor

ZenTao versions up to 21.7.8 contain a path traversal vulnerability in the backup handler that allows authenticated attackers to manipulate file parameters and access or delete arbitrary files on the affected system. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can be executed remotely without user interaction.

PHP Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2531 LOW POC PATCH Monitor

MindsDB versions up to 25.14.1 contain a server-side request forgery vulnerability in the file upload functionality that allows authenticated remote attackers to forge requests to internal or external systems. Public exploit code exists for this vulnerability, and affected organizations should apply patch 74d6f0fd4b630218519a700fbee1c05c7fd4b1ed or upgrade to a patched version immediately.

SSRF File Upload Mindsdb
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2025-59905 MEDIUM This Month

Cross-Site Scripting (XSS) vulnerability reflected in Kubysoft, which occurs through multiple parameters within the endpoint ‘/node/kudaby/nodeFN/procedure’. [CVSS 6.1 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-2556 LOW POC Monitor

Server-side request forgery in Cskefu up to version 8.0.1 allows authenticated remote attackers to manipulate the URL parameter in the MediaController endpoint to perform arbitrary HTTP requests from the affected server. Public exploit code exists for this vulnerability and the vendor has not provided a patch despite early notification. The attack requires valid authentication credentials but can be executed remotely with low complexity.

Java SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2537 LOW POC Monitor

Command injection in Comfast CF-E4 2.6.0.1 firmware allows remote attackers with high privileges to execute arbitrary commands through the timestr parameter in the NTP timezone configuration endpoint. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early disclosure notification. The attack requires network access and high-level authentication but carries a low CVSS score due to limited scope of impact.

Command Injection Cf E4 Firmware
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-2546 LOW POC Monitor

A security vulnerability has been detected in LigeroSmart up to 6.1.26. The affected element is an unknown function of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2545 LOW POC Monitor

A weakness has been identified in LigeroSmart up to 6.1.26. Impacted is an unknown function of the file /otrs/index.pl?Action=AgentTicketSearch. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2557 LOW POC Monitor

A vulnerability was detected in cskefu up to 8.0.1. Impacted is the function Upload of the file com/cskefu/cc/controller/resource/MediaController.java of the component File Upload. [CVSS 3.5 LOW]

Java XSS File Upload
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2547 LOW POC Monitor

A vulnerability was detected in LigeroSmart up to 6.1.26. The impacted element is the function AgentDashboard of the file /otrs/index.pl. [CVSS 3.5 LOW]

XSS Ligerosmart
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-2533 MEDIUM This Month

Tosei Self-service Washing Machine 4.02 contains an unauthenticated command injection vulnerability in the adr_txt_1 parameter of /cgi-bin/tosei_datasend.php, allowing remote attackers to execute arbitrary commands with limited confidentiality, integrity, and availability impact. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

PHP Command Injection
NVD VulDB
CVSS 4.0
5.5
EPSS
2.1%
CVE-2026-2415 MEDIUM PATCH This Month

Pretix email template placeholder injection enables authenticated backend users to extract sensitive system information such as database credentials and API keys through specially crafted placeholder syntax that bypasses insufficient input validation. An attacker with backend access can leverage this vulnerability to enumerate system configuration details and potentially compromise infrastructure security. No patch is currently available for this medium-severity issue affecting Pretix installations.

Information Disclosure Pretix
NVD VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2025-13821 MEDIUM PATCH This Month

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to sanitize sensitive data in WebSocket messages which allows authenticated users to exfiltrate password hashes and MFA secrets via profile nickname updates or email verification events. [CVSS 5.7 MEDIUM]

Information Disclosure Mattermost Server Suse
NVD
CVSS 3.1
5.7
EPSS
0.0%
CVE-2026-2549 MEDIUM This Month

Improper access controls in LibrarySystem BookController.java (versions up to 1.1.1) allow unauthenticated remote attackers to gain unauthorized access and potentially modify or disable library system functions. Public exploit code exists for this vulnerability and the vendor has not yet provided a patch despite early notification.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-0999 MEDIUM PATCH This Month

Mattermost Server versions 11.1.x through 11.1.2, 10.11.x through 10.11.9, and 11.2.x through 11.2.1 inadequately enforce login method restrictions, permitting authenticated users to circumvent SSO-only requirements by authenticating with a userID instead. This allows an attacker with valid credentials to gain unauthorized access to accounts restricted to single sign-on authentication. No patch is currently available for this vulnerability.

Authentication Bypass Mattermost Server Suse
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59904 MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, which is triggered through multiple parameters in the '/kForms/app' endpoint. This issue allows malicious scripts to be injected and executed persistently in the context of users accessing the affected resource. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2025-59903 MEDIUM This Month

Stored Cross-Site Scripting (XSS) vulnerability in Kubysoft, where uploaded SVG images are not properly sanitized. [CVSS 5.4 MEDIUM]

XSS Kubysoft
NVD
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-0998 MEDIUM PATCH This Month

Insufficient identity validation in Mattermost Server (versions 11.1.x through 11.2.1 and earlier) and Zoom Plugin (versions up to 1.11.0) allows authenticated users to initiate Zoom meetings as arbitrary users and modify other users' posts through direct API manipulation. An attacker with valid credentials can exploit the /api/v1/askPMI endpoint to impersonate other users and alter post content without proper authorization checks. The vulnerability affects multiple Mattermost and plugin versions with no patch currently available.

Zoom Mattermost Server Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0997 MEDIUM PATCH This Month

Mattermost and Zoom plugin versions fail to properly authenticate users before allowing modifications to Zoom meeting restrictions, enabling any logged-in user to alter meeting settings across arbitrary channels. Affected versions include Mattermost 11.1.x through 11.1.2, 10.11.x through 10.11.9, 11.2.x through 11.2.1, and Zoom plugin versions up to 1.11.0. No patch is currently available for this privilege escalation vulnerability.

Zoom Mattermost Server Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-2032 MEDIUM This Month

Firefox for iOS before version 147.2.1 fails to properly synchronize the address bar with page content when malicious scripts interfere with new tab loading, enabling attackers to conduct HTML spoofing attacks under trusted domains. An attacker can exploit this through a malicious webpage to deceive users into believing they are viewing legitimate content from a trusted site. This vulnerability requires user interaction to trigger but has no patch currently available.

Mozilla Information Disclosure Apple
NVD VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14350 MEDIUM PATCH This Month

Mattermost versions 11.1.x <= 11.1.2, 10.11.x <= 10.11.9, 11.2.x <= 11.2.1 fail to properly validate team membership when processing channel mentions which allows authenticated users to determine the existence of teams and their URL names via posting channel shortlinks and observing the channel_mentions property in the API response. [CVSS 4.3 MEDIUM]

Authentication Bypass Mattermost Server Suse
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-0929 MEDIUM This Month

Insufficient capability checks in RegistrationMagic WordPress plugin versions before 6.0.7.2 allow subscriber-level users and above to create forms, enabling unauthorized form creation and potential site manipulation. This vulnerability affects WordPress sites running the affected plugin versions, with no patch currently available. The impact is limited to form creation without affecting confidentiality or system availability.

WordPress
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-2418 MEDIUM This Month

from 4.30 versions up to 16022026. is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

Open Redirect
NVD
CVSS 3.1
4.3
EPSS
0.0%
CVE-2025-14573 LOW PATCH Monitor

Mattermost versions 10.11.x <= 10.11.9 fail to enforce invite permissions when updating team settings, which allows team administrators without proper permissions to bypass restrictions and add users to their team via API requests. Mattermost Advisory ID: MMSA-2025-00561 [CVSS 3.8 LOW]

Authentication Bypass Mattermost Server
NVD
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-2543 LOW Monitor

A vulnerability was identified in vichan-devel vichan versions up to 5.1.5. contains a security vulnerability (CVSS 2.7).

PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-2548 LOW Monitor

Command injection in WAYOS FBM-220G 24.10.19 allows authenticated remote attackers to execute arbitrary commands by manipulating UPnP configuration parameters (upnp_waniface, upnp_ssdp_interval, upnp_max_age) in the rc file. No patch is currently available, and the vendor has not responded to disclosure attempts. This vulnerability carries a CVSS score of 6.3 with low complexity exploitation requirements.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
1.4%
CVE-2026-2563 LOW Monitor

Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware through improper access controls in the jdcapp_rpc service allows authenticated attackers to escalate privileges over the network. Public exploit code exists for this vulnerability, and the vendor has not responded to disclosure attempts. The issue affects firmware versions up to 4.5.1.r4533 with no patch currently available.

Privilege Escalation Ax6600 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2562 LOW Monitor

Ax6600 Firmware versions up to 4.5.1. contains a vulnerability that allows attackers to Remote Privilege Escalation (CVSS 6.3).

Privilege Escalation Ax6600 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2561 LOW Monitor

Remote privilege escalation in JingDong JD Cloud Box AX6600 firmware (up to version 4.5.1.r4533) allows authenticated remote attackers to escalate privileges through manipulation of the web_get_ddns_uptime function in the jdcweb_rpc component. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor.

Privilege Escalation Ax6600 Firmware
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2536 LOW Monitor

OpenCC JFlow versions up to 20260129 contain an XML External Entity (XXE) injection vulnerability in the Workflow Engine's file handling component that allows authenticated remote attackers to read sensitive files or perform denial of service attacks. Public exploit code exists for this vulnerability, and the vendor has not yet provided a patch. The issue affects Java-based deployments and requires valid credentials to exploit.

Java XXE
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-2558 LOW Monitor

Server-side request forgery in GeekAI versions up to 4.2.4 allows authenticated remote attackers to manipulate the Download function's URL parameter in api/handler/net_handler.go to access internal resources or perform unauthorized actions. Public exploit code exists for this vulnerability, and the vendor has not yet responded to disclosure. A patch is not currently available.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-2553 LOW Monitor

SQL injection in the Hotel-Management-System /home.php POST handler allows authenticated remote attackers to manipulate Name/Email parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, which affects PHP-based deployments with no available patch. An attacker with login credentials can leverage this flaw to read or modify sensitive database records.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy