Skip to main content
CVE-2026-28517 CRITICAL POC PATCH Act Now

Remote code execution in openDCIM 23.04 allows unauthenticated attackers to execute arbitrary OS commands as the web server user by poisoning the 'dot' configuration parameter in the database, then triggering execution via report_network_map.php. Public exploit code exists with a documented SQL injection to command injection attack chain. EPSS score of 0.57% (68th percentile) suggests moderate but not widespread exploitation probability, though the publicly available weaponized exploit significantly elevates real-world risk for exposed instances.

PHP Command Injection Opendcim
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-28515 CRITICAL POC PATCH Act Now

Missing authorization in openDCIM 23.04 (through commit 4467e9c4) lets any authenticated user — regardless of assigned role — reach LDAP configuration handling in install.php and container-install.php, and where REMOTE_USER is trusted without real authentication enforcement the endpoints may be reachable with no credentials at all. Because the same installer path also chains into a SQL injection in the configuration-update routine and a command injection in report_network_map.php (both fixed in the same PR), the broken access control is a stepping stone to full remote code execution. Publicly available exploit code exists (Chocapikk's 'SQLi to RCE' write-up and PoC); EPSS is low at 0.22% (44th percentile) and the CVE is not listed in CISA KEV, so no confirmed active exploitation.

PHP Opendcim Authentication Bypass
NVD GitHub
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-28516 CRITICAL POC PATCH Act Now

SQL injection in openDCIM 23.04 (up to commit 4467e9c4) lets attackers execute arbitrary SQL through the Config::UpdateParameter routine, which the install.php and container-install.php handlers reach with unsanitized, string-interpolated input. Publicly available exploit code exists (Chocapikk PoC and write-up) demonstrating a chain from SQLi to remote code execution, though it is not listed in CISA KEV and EPSS rates real-world exploitation probability at only 0.04%. Note a data conflict: the CVSS 4.0 vector encodes PR:N (unauthenticated) while the description states an authenticated user is required.

PHP SQLi Opendcim
NVD GitHub
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-3301 CRITICAL POC Act Now

Command injection in TOTOLINK N300RH router firmware 6.1c.1353 via setDiagnosisCfg handler. EPSS 4.0% with PoC available — high exploitation probability for consumer routers.

Command Injection N300rh Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
4.0%
CVE-2026-28409 CRITICAL POC Act Now

Critical RCE via OS command injection in WeGIA before 3.6.5. Unauthenticated attackers can execute arbitrary commands on the server. CVSS 10.0 with PoC available.

RCE Authentication Bypass Command Injection Wegia
NVD GitHub
CVSS 3.1
10.0
EPSS
0.3%
CVE-2026-28411 CRITICAL POC Act Now

Authentication bypass via unsafe extract() function in WeGIA before 3.6.5. The extract() call on user-controlled data allows overwriting authentication variables. EPSS 0.7% with PoC available.

PHP Authentication Bypass Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.7%
CVE-2026-28408 CRITICAL POC Act Now

Authentication bypass in WeGIA charitable institution management system before 3.6.5. The adicionar_tipo_docs_atendido.php script lacks authentication, allowing unauthorized access. PoC available.

PHP Golang Wegia
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-28370 CRITICAL POC PATCH Act Now

Code injection in OpenStack Vitrage query parser allows authenticated users to execute arbitrary Python code through crafted queries. Affects versions before 12.0.1, 13.0.0, 14.0.0, and 15.0.0. PoC available.

RCE Code Injection Authentication Bypass Vitrage
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28231 CRITICAL POC PATCH Act Now

Integer overflow in pillow_heif Python library before 1.3.0 leads to out-of-bounds read when processing HEIF images, potentially causing information disclosure or crashes. PoC and patch available.

Python Integer Overflow Denial Of Service Information Disclosure Pillow Heif +1
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-21718 CRITICAL Act Now

Authentication bypass in Copeland XWEB Pro HVAC controller version 1.12.1 and prior due to weak cryptographic algorithm. CVSS 10.0 — any unauthenticated attacker can gain full system access to building automation controllers.

Authentication Bypass Xweb 500d Pro Firmware Xweb 300d Pro Firmware Xweb 500b Pro Firmware
NVD GitHub
CVSS 3.1
10.0
EPSS
0.0%
CVE-2026-28363 CRITICAL PATCH Act Now

Validation bypass in OpenClaw tools.exec.safeBins allows shell command execution through GNU long-option abbreviation. Attackers can abuse the 'sort' binary whitelist entry to execute arbitrary commands via abbreviated flags. CVSS 9.9.

Authentication Bypass Privilege Escalation Openclaw
NVD GitHub
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-2749 CRITICAL Act Now

Path traversal in Centreon Open Tickets module allows authenticated attackers to read or write files outside intended directories. CVSS 9.9 with scope change indicates impact beyond the vulnerable component.

Path Traversal Open Tickets
NVD VulDB
CVSS 3.1
9.9
EPSS
0.0%
CVE-2026-21659 CRITICAL Act Now

Unauthenticated RCE and information disclosure via Local File Inclusion in Johnson Controls Frick Controls. Fifth critical vulnerability in the product line, enabling arbitrary file reads and code execution.

RCE LFI Information Disclosure Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-21658 CRITICAL Act Now

Unauthenticated remote code execution via code injection in Johnson Controls Frick Controls Quantum HD. Fourth critical vulnerability — this one explicitly noted as unauthenticated RCE.

RCE Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-21654 CRITICAL Act Now

OS command injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote attackers to execute arbitrary commands on industrial refrigeration control systems. CVSS 9.8.

Command Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-27755 CRITICAL Act Now

Weak session identifier generation in SODOLA SL902-SWTGW124AS network switch firmware allows attackers to predict session tokens and hijack administrative sessions.

Authentication Bypass Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21657 CRITICAL Act Now

Second code injection vulnerability in Johnson Controls Frick Controls Quantum HD. Separate attack vector from CVE-2026-21656, same critical impact on industrial refrigeration control.

Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21656 CRITICAL Act Now

Code injection in Johnson Controls Frick Controls Quantum HD allows unauthenticated remote code execution on industrial refrigeration systems. Second critical vulnerability in the Quantum HD product line.

Code Injection Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-2251 CRITICAL Act Now

Path traversal vulnerability in Xerox FreeFlow Core allows attackers to access files outside restricted directories, potentially exposing sensitive print job data and system configurations.

Path Traversal Freeflow Core
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-12981 CRITICAL Act Now

Privilege escalation in Listee WordPress theme allows unauthenticated attackers to gain administrator access. All versions up to 1.1.6 affected.

WordPress Privilege Escalation PHP
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-27751 CRITICAL Act Now

Default credentials in SODOLA SL902-SWTGW124AS network switch firmware allow unauthenticated remote access. Default credentials are publicly known, enabling complete device takeover.

Information Disclosure Sl902 Swtgw124as Firmware
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-21660 CRITICAL Act Now

Hardcoded email credentials stored as plaintext in Johnson Controls Frick Controls firmware. Sixth critical vulnerability — exposed credentials could enable account access and lateral movement.

Authentication Bypass Frick Controls Quantum Hd Firmware
NVD
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-11252 CRITICAL Act Now

SQL injection in Signum Technology application allows unauthenticated attackers to execute arbitrary SQL queries.

SQLi Windesk Fm
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-28268 CRITICAL PATCH Act Now

Business logic vulnerability in Vikunja task management platform before 2.1.0 allows incomplete resource cleanup, potentially enabling unauthorized access to shared resources after user removal.

Authentication Bypass Vikunja Suse
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-24497 CRITICAL Act Now

Stack-based buffer overflow in ThinkWise by SimTech Systems allows unauthenticated remote code execution via crafted network input.

Buffer Overflow Stack Overflow Thinkwise
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-11251 CRITICAL Act Now

SQL injection in Dayneks Software allows unauthenticated attackers to manipulate database queries and extract or modify data.

SQLi Woyio
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-27028 CRITICAL Act Now

Missing WebSocket authentication — sixth CVE in the industrial platform WebSocket family. Same pattern of unauthenticated access enabling station impersonation and data injection.

Authentication Bypass Mobility46.Se
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-27772 CRITICAL Act Now

Missing WebSocket authentication — fifth CVE in the industrial platform WebSocket family. Same CWE-306 pattern enabling unauthenticated access and station impersonation.

Authentication Bypass Ev.Energy
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-27767 CRITICAL Act Now

Missing WebSocket authentication — fourth CVE in the industrial platform WebSocket family. Same CWE-306 root cause enabling unauthenticated station impersonation.

Authentication Bypass Swtchenergy.Com
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-25851 CRITICAL Act Now

Missing WebSocket authentication vulnerability — same family as CVE-2026-20781 and CVE-2026-24731. Unauthenticated access to WebSocket endpoints enables station impersonation.

Authentication Bypass Chargemap.Com
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-24731 CRITICAL Act Now

Missing WebSocket authentication vulnerability identical to CVE-2026-20781. Unauthenticated attackers can perform station impersonation and data injection via unprotected WebSocket endpoints.

Authentication Bypass Ev2go.Io
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-20781 CRITICAL Act Now

Missing WebSocket authentication in industrial/IoT device management allows unauthenticated attackers to perform station impersonation, data injection, and denial of service. One of several related CVEs affecting the same WebSocket endpoints.

Authentication Bypass Cloudcharge.Se
NVD GitHub
CVSS 3.1
9.4
EPSS
0.1%
CVE-2026-24663 CRITICAL Act Now

Unauthenticated OS command injection in Copeland XWEB Pro HVAC controller version 1.12.1 and prior. EPSS 0.96% indicates real exploitation risk for internet-exposed building automation systems.

Command Injection Xweb 500b Pro Firmware Xweb 300d Pro Firmware Xweb 500d Pro Firmware
NVD GitHub
CVSS 3.1
9.0
EPSS
1.0%
CVE-2026-2750 CRITICAL Act Now

Input validation vulnerability in Centreon Open Tickets module allows authenticated attackers to manipulate ticket data, potentially affecting monitored infrastructure integrity.

Information Disclosure Web
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy