Skip to main content
CVE-2019-25441 CRITICAL POC Act Now

Unauthenticated command injection in thesystem 1.0. EPSS 3.4%. PoC available.

Command Injection Thesystem
NVD GitHub Exploit-DB
CVSS 3.1
9.8
EPSS
3.4%
CVE-2026-26725 CRITICAL POC Act Now

Privilege escalation in Print Shop Pro WebDesk v.18.34 via AccessID parameter. PoC available.

Privilege Escalation Print Shop Pro Webdesk
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-26722 CRITICAL POC Act Now

Privilege escalation in Key Systems Global Facilities Management Software via PIN component. PoC available.

Privilege Escalation Global Facilities Management Software
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-26980 CRITICAL POC PATCH GHSA Act Now

SQL injection in Ghost CMS versions 3.24.0 through 6.19.0 allows unauthenticated attackers to read arbitrary database data. Patch available.

Node.js SQLi
NVD GitHub Exploit-DB VulDB
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-25896 CRITICAL POC PATCH Act Now

ReDoS in fast-xml-parser before fix via crafted XML. PoC and patch available.

XSS Fast Xml Parser
NVD GitHub VulDB
CVSS 3.1
9.3
EPSS
0.0%
CVE-2019-25444 CRITICAL POC Act Now

SQL injection in Fiverr Clone Script 1.2.2. PoC available.

SQLi Fiverr Clone Script
NVD Exploit-DB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-26747 CRITICAL POC Act Now

Host Header Poisoning in Monica 4.1.2 CRM. PoC available.

PHP Monica
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-26988 CRITICAL POC PATCH Act Now

SQL injection in LibreNMS 25.12.0 and below. PoC and patch available.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-26746 HIGH POC This Week

Open Source Point Of Sale versions up to 3.4.1 is affected by unrestricted upload of file with dangerous type (CVSS 8.8).

PHP RCE LFI Open Source Point Of Sale
NVD GitHub
CVSS 3.1
8.8
EPSS
0.3%
CVE-2018-25158 HIGH POC This Week

Chamilo LMS 1.11.8 contains an arbitrary file upload vulnerability that allows authenticated users to upload and execute PHP files through the elfinder filemanager module. [CVSS 8.8 HIGH]

PHP
NVD GitHub Exploit-DB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-26064 HIGH POC PATCH This Week

Remote code execution in Calibre 9.2.1 and earlier allows authenticated users to write arbitrary files via a path traversal flaw in the extract_pictures() function that fails to properly sanitize directory traversal sequences. On Windows systems, attackers can exploit this to write malicious payloads to the Startup folder, achieving code execution upon the next user login. Public exploit code exists for this vulnerability, and a patch is available in version 9.3.0.

Windows RCE Path Traversal Calibre Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2019-25451 HIGH POC This Week

phpMoAdmin 1.1.5 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized database operations by crafting malicious requests. [CVSS 8.8 HIGH]

PHP CSRF Phpmoadmin
NVD Exploit-DB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2857 HIGH POC This Week

Stack-based buffer overflow in D-Link DWR-M960 firmware version 1.01.07 allows authenticated remote attackers to achieve complete system compromise through the Port Forwarding Configuration endpoint. The vulnerability exists in the submit-url parameter processing and has public exploit code available. Affected devices are remotely exploitable by authenticated users with no user interaction required.

D-Link Buffer Overflow Stack Overflow Dwr M960 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2856 HIGH POC This Week

Stack-based buffer overflow in D-Link DWR-M960 firmware 1.01.07 Filter Configuration endpoint allows authenticated remote attackers to achieve full system compromise through a malicious submit-url parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but executes with no user interaction needed.

D-Link Buffer Overflow Stack Overflow Dwr M960 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2855 HIGH POC This Week

Stack-based buffer overflow in D-Link DWR-M960 firmware's DDNS settings handler allows authenticated remote attackers to achieve complete system compromise through a malicious submit-url parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects firmware version 1.01.07 and can be exploited without user interaction.

D-Link Buffer Overflow Stack Overflow Dwr M960 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2854 HIGH POC This Week

Stack-based buffer overflow in D-Link DWR-M960 firmware version 1.01.07 NTP configuration endpoint allows remote authenticated attackers to achieve complete system compromise through manipulation of the submit-url parameter. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw carries a high severity rating with CVSS score of 8.8 due to potential for remote code execution with minimal attack complexity.

D-Link Buffer Overflow Stack Overflow Dwr M960 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-2853 HIGH POC This Week

Stack-based buffer overflow in D-Link DWR-M960 firmware version 1.01.07 allows authenticated remote attackers to achieve full system compromise through manipulation of the submit-url parameter in the System Log Configuration endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with network access and valid credentials can trigger this flaw to execute arbitrary code with complete control over confidentiality, integrity, and availability.

D-Link Buffer Overflow Stack Overflow Dwr M960 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26065 HIGH POC PATCH This Week

Calibre versions 9.2.1 and below allow authenticated users to write arbitrary files with any extension to any writable location via path traversal in PDB file readers, potentially enabling code execution or system compromise through file overwriting. The vulnerability affects both 132-byte and 202-byte PDB header variants and silently overwrites existing files without warning. Public exploit code exists and patches are available in version 9.3.0 and later.

Denial Of Service Path Traversal Calibre Suse
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-26990 HIGH POC PATCH This Week

SQL injection in LibreNMS versions 25.12.0 and below allows authenticated users to extract sensitive database information through time-based blind SQL injection in the address-search function. An attacker with valid credentials can manipulate the subnet prefix parameter to bypass query logic and infer data through conditional timing responses. Public exploit code exists for this vulnerability; upgrade to version 26.2.0 or later to remediate.

PHP MySQL SNMP SQLi Librenms
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-27190 HIGH POC PATCH This Week

Command injection in Deno versions prior to 2.6.8 allows unauthenticated remote attackers to execute arbitrary commands through the node:child_process implementation. Public exploit code exists for this vulnerability, which carries a CVSS score of 8.1 and affects the confidentiality, integrity, and availability of affected systems. Users should upgrade to Deno 2.6.8 or later to remediate this risk.

Command Injection Deno Suse
NVD GitHub
CVSS 3.1
8.1
EPSS
0.8%
CVE-2019-25431 HIGH POC This Week

delpino73 Blue-Smiley-Organizer 1.32 contains an SQL injection vulnerability in the datetime parameter that allows unauthenticated attackers to manipulate database queries. [CVSS 8.2 HIGH]

SQLi
NVD GitHub Exploit-DB
CVSS 3.1
8.2
EPSS
0.1%
CVE-2026-26723 HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 8.2).

XSS Global Facilities Management Software
NVD GitHub
CVSS 3.1
8.2
EPSS
0.1%
CVE-2019-25435 HIGH POC This Week

Sricam DeviceViewer 3.12.0.1 contains a local buffer overflow vulnerability in the user management add user function that allows authenticated attackers to execute arbitrary code by bypassing data execution prevention. [CVSS 7.8 HIGH]

Buffer Overflow Stack Overflow Deviceviewer
NVD Exploit-DB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-26724 HIGH POC This Week

Global Facilities Management Software versions up to 20230721a is affected by cross-site scripting (xss) (CVSS 7.6).

XSS Global Facilities Management Software
NVD GitHub
CVSS 3.1
7.6
EPSS
0.1%
CVE-2026-24892 HIGH POC PATCH This Week

Unsafe PHP deserialization in openITCOCKPIT Community Edition 5.3.1 and earlier allows authenticated attackers to inject malicious serialized objects through changelog entries, with public exploit code available. While no current attack path has been identified, an unrestricted unserialize() call creates a latent remote code execution vulnerability that could be exploited if future code changes introduce exploitable object types into the deserialization path. Authenticated access is required, but the HIGH severity rating reflects the potential for complete system compromise if this latent flaw is activated.

PHP Prometheus RCE Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.5%
CVE-2019-25438 HIGH POC This Week

LabCollector 5.423 contains multiple SQL injection vulnerabilities that allow unauthenticated attackers to execute arbitrary SQL commands by injecting malicious code through POST parameters. [CVSS 7.5 HIGH]

PHP SQLi Labcollector
NVD Exploit-DB
CVSS 3.1
7.5
EPSS
0.3%
CVE-2019-25432 HIGH POC This Week

Part-DB 0.4 contains an authentication bypass vulnerability that allows unauthenticated attackers to login by injecting SQL syntax into authentication parameters. [CVSS 7.5 HIGH]

Authentication Bypass
NVD GitHub Exploit-DB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-24891 HIGH POC This Week

Remote code execution in openITCOCKPIT 5.3.1 and earlier via unsafe deserialization in the Gearman worker component, which calls unserialize() on untrusted job payloads without validation or class restrictions. Attackers can exploit this by submitting crafted serialized objects to trigger PHP Object Injection when Gearman is exposed to untrusted networks. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP Prometheus Deserialization Openitcockpit
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2026-26996 HIGH POC PATCH This Week

Minimatch versions 10.2.0 and below suffer from catastrophic backtracking in regular expression processing when glob patterns contain multiple consecutive wildcards, enabling denial of service attacks with exponential time complexity. Applications that process user-supplied glob patterns are vulnerable to CPU exhaustion, with worst-case scenarios causing indefinite hangs; public exploit code exists for this vulnerability. The issue is resolved in version 10.2.1.

Denial Of Service Minimatch Red Hat Suse
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-68043 HIGH POC This Week

Missing Authorization vulnerability in LottieFiles LottieFiles lottiefiles allows Exploiting Incorrectly Configured Access Control Security Levels.This issue affects LottieFiles: from n/a through <= 3.0.0. [CVSS 7.3 HIGH]

Authentication Bypass
NVD
CVSS 3.1
7.3
EPSS
0.0%
CVE-2026-2847 HIGH POC This Week

Remote code execution in UTT HiPER 520 Firmware 1.7.7-160105 allows unauthenticated attackers to inject arbitrary OS commands through the Isp_Name parameter in the web management interface. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker can achieve full system compromise by sending a specially crafted request to the /goform/formReleaseConnect endpoint.

Command Injection 520 Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-2846 HIGH POC This Week

Remote command injection in UTT HiPer 520 Firmware 1.7.7-160105 web management interface allows unauthenticated attackers to execute arbitrary OS commands through the policyNames parameter. Public exploit code exists for this vulnerability, increasing risk of active exploitation. No patch is currently available.

Command Injection 520 Firmware
NVD GitHub VulDB
CVSS 3.1
7.2
EPSS
0.5%
CVE-2026-26721 HIGH POC This Week

Global Facilities Management Software versions up to 20230721a contains a security vulnerability (CVSS 7.1).

Information Disclosure Global Facilities Management Software
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2026-26960 HIGH POC PATCH This Week

Path traversal in node-tar versions 7.5.7 and earlier allows local attackers to read and write arbitrary files outside the extraction directory by crafting malicious tar archives containing hardlinks that bypass extraction path validation. Public exploit code exists for this vulnerability, which affects default extraction configurations in Node.js and related Tar implementations. The vulnerability has been patched in node-tar 7.5.8.

D-Link Node.js Tar Red Hat Suse
NVD GitHub
CVSS 3.1
7.1
EPSS
0.0%
CVE-2019-25434 MEDIUM POC This Month

SpotAuditor 5.3.1.0 contains a denial of service vulnerability that allows unauthenticated attackers to crash the application by submitting excessive data in the registration name field. [CVSS 7.5 HIGH]

Denial Of Service Spotauditor Buffer Overflow Stack Overflow
NVD Exploit-DB VulDB
CVSS 4.0
6.7
EPSS
0.1%
CVE-2019-25436 MEDIUM POC This Month

Deviceviewer versions up to 3.12.0.1 contains a vulnerability that allows attackers to change passwords without proper validation of the old password field (CVSS 6.5).

Authentication Bypass Deviceviewer
NVD Exploit-DB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-2033 HIGH PATCH Act Now

Remote code execution in the MLflow Tracking Server allows unauthenticated attackers (PR:N) to abuse the artifact handler's path processing to read or write files outside the intended artifact root and ultimately run code as the server's service account. The flaw is a CWE-22 path traversal in artifact file-path handling reachable over the network with low complexity. No public exploit is identified at time of analysis, but the EPSS score of 15.58% (95th percentile) signals notably elevated near-term exploitation likelihood for an MLOps component frequently exposed on internal and cloud networks.

RCE Path Traversal
NVD GitHub VulDB
CVSS 3.1
7.3
EPSS
15.6%
CVE-2019-25448 MEDIUM POC This Month

OrientDB 3.0.17 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating users with script payloads in the name parameter. [CVSS 6.4 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2019-25437 MEDIUM POC This Month

Foscam Video Management System 1.1.6.6 contains a buffer overflow vulnerability in the UID field that allows local attackers to crash the application by supplying an excessively long string. [CVSS 6.2 MEDIUM]

Buffer Overflow Denial Of Service
NVD Exploit-DB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2019-25453 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a reflected cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the newdb parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25454 MEDIUM POC This Month

phpMoAdmin 1.1.5 contains a stored cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the collection parameter. [CVSS 6.1 MEDIUM]

PHP XSS Phpmoadmin
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2019-25445 MEDIUM POC This Month

Fiverr Clone Script 1.2.2 contains a cross-site scripting vulnerability that allows unauthenticated attackers to inject malicious scripts by manipulating the keyword parameter. [CVSS 6.1 MEDIUM]

PHP XSS Fiverr Clone Script
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-27120 MEDIUM POC PATCH This Month

Leafkit versions up to 1.4.1 contains a vulnerability that allows attackers to XSS if there is a leaf variable in the attribute that is user controlled (CVSS 6.1).

XSS Leafkit
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2019-25449 MEDIUM POC This Month

OrientDB 3.0.17 contains a reflected cross-site scripting vulnerability that allows attackers to inject malicious scripts by submitting crafted JSON payloads to the document endpoint. [CVSS 6.1 MEDIUM]

XSS Orientdb
NVD Exploit-DB
CVSS 3.1
6.1
EPSS
0.0%
CVE-2026-26987 MEDIUM POC PATCH This Month

Reflected cross-site scripting in LibreNMS versions 25.12.0 and earlier allows unauthenticated remote attackers to inject malicious scripts via the email field, potentially compromising user sessions and enabling credential theft or malware distribution. Public exploit code exists for this vulnerability, and affected organizations should upgrade to version 26.2.0 or later immediately.

MySQL SNMP XSS Librenms
NVD GitHub
CVSS 3.1
6.1
EPSS
0.0%
CVE-2021-35402 CRITICAL Act Now

Unauthenticated OS command injection in PROLiNK PRC2402M router via ip parameter. EPSS 0.39%.

Command Injection
NVD
CVSS 3.1
10.0
EPSS
0.4%
CVE-2025-30412 CRITICAL Act Now

Second improper authentication in Acronis Cyber Protect 16. CVSS 10.0.

Linux Windows Cyber Protect
NVD
CVSS 3.0
10.0
EPSS
0.0%
CVE-2025-30411 CRITICAL Act Now

Improper authentication in Acronis Cyber Protect 16. CVSS 10.0.

Linux Windows Cyber Protect
NVD
CVSS 3.0
10.0
EPSS
0.0%
CVE-2025-30416 CRITICAL Act Now

Missing authorization in Acronis Cyber Protect 16 allows sensitive data access. CVSS 10.0.

Linux Windows Cyber Protect
NVD
CVSS 3.0
10.0
EPSS
0.0%
CVE-2026-27112 CRITICAL PATCH Act Now

Authorization bypass in Kargo Kubernetes promotion tool from 1.7.0 before 1.7.8/1.8.11/1.9.3. Batch resource creation bypasses authorization checks. Patch available.

Golang Kubernetes RCE Kargo Suse
NVD GitHub
CVSS 3.1
9.9
EPSS
0.2%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy