Skip to main content
CVE-2026-27838 LOW POC PATCH Monitor

wger is a free, open-source workout and fitness manager. Five routine detail action endpoints check a cache before calling `self.get_object()`. [CVSS 3.1 LOW]

Authentication Bypass Wger
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-3264 LOW POC Monitor

Unauthenticated attackers can manipulate the Administrative Interface in Free CRM to achieve code execution following a redirect attack. The vulnerability affects Free CRM up to commit b83c40a and requires only network access and low privileges, with public exploit code already available. No patch is currently available, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3262 LOW POC Monitor

Asp.Net-Core-Inventory-Order-Management-System versions up to 9.20250118. contains a security vulnerability (CVSS 6.3).

Information Disclosure Asp Net Core Inventory Order Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3265 LOW POC Monitor

Improper authorization in Free CRM's Security API endpoint allows authenticated remote attackers to bypass access controls and gain unauthorized access to sensitive data or functionality. The vulnerability affects an unknown component within /api/Security/ and has public exploit code available, though no patch is currently available from the vendor. Free CRM's rolling release model prevents specific version tracking, and the vendor has not responded to disclosure attempts.

Information Disclosure Free Crm
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3268 LOW POC Monitor

Improper access controls in PSI Probe up to version 5.3.0 allow authenticated remote attackers to manipulate session attributes through the RemoveSessAttributeController, enabling unauthorized modifications to application state. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Java Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27152 LOW Monitor

Discourse is an open source discussion platform. [CVSS 3.8 LOW]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-27150 LOW Monitor

Discourse is an open source discussion platform. [CVSS 3.8 LOW]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-28227 LOW Monitor

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users can publish topics into staff-only categories via the `publish_to_category` topic timer, bypassing authorization checks. [CVSS 2.7 LOW]

Industrial
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-26979 LOW Monitor

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, TL4 users are able to close, archive and pin topics in private categories they don't have access to. [CVSS 2.7 LOW]

Industrial
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-27153 LOW Monitor

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, moderators could export user Chat DMs via the CSV export endpoint by exploiting an overly permissive allowlist in `can_export_entity?`. [CVSS 2.7 LOW]

Authentication Bypass Discourse
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-27151 LOW Monitor

Discourse is an open source discussion platform. Prior to versions 2025.12.2, 2026.1.1, and 2026.2.0, the `move_posts` action only checked `can_move_posts?` on the source topic but never validated write permissions on the destination topic. [CVSS 2.7 LOW]

Industrial
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-1696 LOW Monitor

Pcvue's web server fails to set proper HTTP security headers in its responses, enabling cross-site scripting (XSS) attacks against users who interact with the application. An unauthenticated attacker can exploit this through a user interaction to execute malicious scripts, potentially compromising confidentiality and integrity. No patch is currently available.

XSS Pcvue
NVD
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-1694 LOW Monitor

PcVue versions 12.0.0 through 16.3.3 fail to remove default IIS and ASP.NET HTTP headers during deployment of WebVue, WebScheduler, TouchVue, and SnapVue features, allowing unauthenticated remote attackers to gather sensitive server configuration details through information disclosure. This vulnerability requires user interaction and has no available patch at this time.

Pcvue Information Disclosure
NVD
CVSS 4.0
2.3
EPSS
0.1%
CVE-2026-26228 LOW Monitor

Authenticated attackers can read arbitrary files from a VLC for Android device running versions before 3.7.0 by exploiting a path traversal flaw in the Remote Access Server's download endpoint. The vulnerability allows directory traversal through an unsanitized file parameter, though impact is limited to files accessible within the Android app's sandbox and storage permissions. No patch is currently available for this medium-severity vulnerability.

Path Traversal Google
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-23749 LOW Monitor

Golioth Firmware SDK version 0.19.1 prior to 0.22.0, fixed in commit 0e788217, contain an out-of-bounds read due to improper null termination of a blockwise transfer path. blockwise_transfer_init() accepts a path whose length equals CONFIG_GOLIOTH_COAP_MAX_PATH_LEN and copies it using strncpy() without guaranteeing a trailing NUL byte, leaving ctx->path unterminated. A later strlen() on this bu...

Denial Of Service Buffer Overflow
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy