Skip to main content
CVE-2026-2952 MEDIUM POC This Month

Remote code execution in Vaelsys 4.1.0 allows unauthenticated attackers to execute arbitrary OS commands via malicious xajaxargs parameters sent to the /tree/tree_server.php endpoint. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. This network-accessible flaw poses immediate risk to exposed Vaelsys installations.

PHP Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-2944 MEDIUM POC This Month

Remote code execution in Tosei Online Store Management System 1.01 allows unauthenticated attackers to execute arbitrary OS commands through the DevId parameter in /cgi-bin/monitor.php. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires no user interaction and is exploitable over the network.

PHP Command Injection
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-2938 MEDIUM POC This Month

Improper access control in SourceCodester Student Result Management System 1.0 allows unauthenticated remote attackers to manipulate the SMTP configuration through the update_smtp.php endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations running vulnerable PHP-based installations face potential compromise of email settings and system integrity.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2912 MEDIUM POC This Month

SQL injection in Online Reviewer System 1.0 allows unauthenticated remote attackers to manipulate the test_id parameter in the student results view functionality, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2896 MEDIUM POC This Month

Funadmin versions up to 7.1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 7.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-2940 MEDIUM This Month

Out-of-bounds write in the URL handler of Zaher1307's tiny_web_server allows remote attackers to achieve code execution, information disclosure, or denial of service without authentication. Public exploit code exists for this vulnerability, and the maintainers have not yet released a patch despite early notification. Users of tiny_web_server should implement network segmentation or disable this service until a fix becomes available.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-2385 MEDIUM This Month

Unauthenticated attackers can manipulate email routing and redirection in The Plus Addons for Elementor plugin for WordPress versions up to 6.4.7 by tampering with the 'email_data' parameter in an AJAX handler that lacks proper cryptographic verification. This allows attackers to trigger unauthorized email relay and redirect users to attacker-controlled sites without authentication. No patch is currently available for this medium-severity vulnerability.

WordPress
NVD
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-1369 MEDIUM This Month

Conditional CAPTCHA WordPre versions up to 4.0.0 is affected by url redirection to untrusted site (open redirect) (CVSS 4.3).

WordPress Open Redirect
NVD WPScan
CVSS 3.1
4.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy