Skip to main content
CVE-2026-24105 CRITICAL POC Act Now

Tenda AC15 router has a code injection in formsetUsbUnload (EPSS 1.7%) enabling unauthenticated remote code execution.

Command Injection Ac15 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.7%
CVE-2026-24101 CRITICAL POC Act Now

Tenda AC15 router has a command injection in formSetIptv (EPSS 1.1%) enabling unauthenticated root-level code execution.

Command Injection Ac15 Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2026-24107 CRITICAL POC Act Now

Tenda W20E router has a code injection vulnerability in usbPartitionName parameter allowing unauthenticated remote code execution with EPSS 1.1%.

Command Injection W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
1.1%
CVE-2025-50187 CRITICAL POC Act Now

Chamilo LMS prior to 1.11.28 has a code injection through SOAP request parameters enabling remote code execution.

RCE Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.4%
CVE-2026-26720 CRITICAL POC Act Now

Twenty CRM v1.15.0 has a code injection vulnerability enabling remote attackers to execute arbitrary code through the CRM platform.

RCE Code Injection Twenty
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-24112 CRITICAL POC Act Now

Tenda W20E has a ninth buffer overflow in yet another CGI endpoint.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24110 CRITICAL POC Act Now

Tenda W20E has an eighth buffer overflow in addDhcpRules parameter.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24115 CRITICAL POC Act Now

Tenda W20E has a seventh buffer overflow in gstup parameter handling.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24114 CRITICAL POC Act Now

Tenda W20E has a sixth buffer overflow in pPortMapIndex parameter validation.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24113 CRITICAL POC Act Now

Tenda W20E has a fifth buffer overflow.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24111 CRITICAL POC Act Now

Tenda W20E has a fourth buffer overflow vulnerability.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24109 CRITICAL POC Act Now

Tenda W20E has a third buffer overflow in a different CGI parameter.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-24108 CRITICAL POC Act Now

Tenda W20E has a buffer overflow — second of eight critical vulnerabilities in this router firmware.

Buffer Overflow W20e Firmware
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-26713 CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in cancel-order.

PHP SQLi Simple Food Order System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26712 CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in view-ticket-admin.

PHP SQLi Simple Food Order System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26711 CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in view-ticket.

PHP SQLi Simple Food Order System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26710 CRITICAL POC Act Now

Simple Food Order System v1.0 has SQL injection in edit-order.

PHP SQLi Simple Food Order System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26709 CRITICAL POC Act Now

Simple Gym Management System v1.0 has SQL injection in trainer search.

PHP SQLi Simple Gym Management System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26707 CRITICAL POC Act Now

Pharmacy POS has a fifth SQL injection in view_sales.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26706 CRITICAL POC Act Now

Pharmacy POS has a fourth SQL injection in view_reports.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26705 CRITICAL POC Act Now

Pharmacy POS has a third SQL injection in view_products.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26704 CRITICAL POC Act Now

Pharmacy POS has a second SQL injection in view_categories.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26708 CRITICAL POC Act Now

Pharmacy Point of Sale System v1.0 has SQL injection in manage endpoints.

PHP SQLi Pharmacy Point Of Sale System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26700 CRITICAL POC Act Now

Personnel Property Equipment System has a fourth SQL injection.

PHP SQLi Personnel Property Equipment System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26701 CRITICAL POC Act Now

Personnel Property Equipment System v1.0 has a third SQL injection.

PHP SQLi Personnel Property Equipment System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26703 CRITICAL POC Act Now

Personnel Property Equipment System v1.0 has a second SQL injection in a different admin endpoint.

PHP SQLi Personnel Property Equipment System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26702 CRITICAL POC Act Now

Personnel Property Equipment System v1.0 has SQL injection in admin panel.

PHP SQLi Personnel Property Equipment System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26696 CRITICAL POC Act Now

Simple Student Alumni System v1.0 has a third SQL injection.

PHP SQLi Simple Student Alumni System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26695 CRITICAL POC Act Now

Simple Student Alumni System v1.0 has SQL injection in record_search.php.

PHP SQLi Simple Student Alumni System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-26694 CRITICAL POC Act Now

Simple Student Alumni System v1.0 has SQL injection in modal_view.php.

PHP SQLi Simple Student Alumni System
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-50192 CRITICAL POC PATCH Act Now

Chamilo LMS prior to 1.11.30 has a time-based SQL injection in a different endpoint, providing an additional database extraction vector.

PHP SQLi Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-50190 CRITICAL POC PATCH Act Now

Chamilo LMS prior to 1.11.30 has an error-based SQL injection enabling database extraction.

PHP SQLi Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2025-50199 CRITICAL POC Act Now

Chamilo LMS prior to 1.11.30 has a blind SSRF vulnerability enabling internal network reconnaissance from the learning platform.

PHP SSRF Chamilo Lms
NVD GitHub
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-3422 CRITICAL Act Now

U-Office Force by e-Excellence has an insecure deserialization vulnerability allowing unauthenticated remote code execution.

Deserialization U Office Force
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2025-14532 CRITICAL Act Now

DobryCMS has an unauthenticated file upload vulnerability allowing remote attackers to upload and execute arbitrary files on the web server.

RCE Dorbycms
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-3000 CRITICAL PATCH Act Now

IDExpert Windows Logon Agent has a second RCE vulnerability through another unsigned code download path.

Windows RCE Idexpert
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-2999 CRITICAL PATCH Act Now

IDExpert Windows Logon Agent by Changing has an RCE vulnerability through download of code without integrity check, allowing malicious update injection.

Windows RCE Idexpert
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2025-52998 CRITICAL PATCH Act Now

Chamilo LMS prior to 1.11.30 has an insecure deserialization vulnerability enabling remote code execution through crafted serialized data.

Deserialization Chamilo Lms
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-0006 CRITICAL Act Now

Android has a heap buffer overflow in multiple locations enabling privilege escalation through out-of-bounds read and write operations.

RCE Buffer Overflow Android Google
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3431 CRITICAL Act Now

SimStudio below 0.5.74 has a missing authorization on MongoDB tool endpoints that allows attackers to execute arbitrary MongoDB operations.

MongoDB Sim
NVD
CVSS 3.1
9.8
EPSS
0.1%
CVE-2025-30044 CRITICAL Act Now

In the endpoints "/cgi-bin/CliniNET.prd/utils/usrlogstat_simple.pl", "/cgi-bin/CliniNET.prd/utils/usrlogstat.pl", "/cgi-bin/CliniNET.prd/utils/userlogstat2.pl", and "/cgi-bin/CliniNET.prd/utils/dblogstat.pl", the parameters are not sufficiently normalized, which enables code injection.

Command Injection
NVD
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-2584 CRITICAL Act Now

SQL injection in the authentication module of CISER System SL firmware allows unauthenticated remote attackers to compromise stored configuration data by submitting crafted SQL through the login interface. The CVSS 4.0 base score of 9.3 reflects network-reachable, no-privilege, no-interaction exploitation with high confidentiality and integrity impact, though EPSS remains low at 0.36% and no public exploit identified at time of analysis. The advisory was coordinated by INCIBE-CERT (Spain).

SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2025-12462 CRITICAL Act Now

A Blind SQL injection vulnerability has been identified in DobryCMS. A remote unauthenticated attacker is able to inject SQL syntax into URL path resulting in Blind SQL Injection.

SQLi
NVD VulDB
CVSS 4.0
9.3
EPSS
0.2%
CVE-2026-3432 CRITICAL Act Now

SimStudio has a second authorization flaw in the OAuth token endpoint that allows privilege escalation through crafted token requests.

Authentication Bypass Sim
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-48609 CRITICAL Act Now

Android MmsProvider has a vulnerability allowing arbitrary file deletion through improper handling of MMS data, potentially causing data loss on mobile devices.

Denial Of Service Path Traversal Android Google
NVD
CVSS 3.1
9.1
EPSS
0.1%
CVE-2025-30035 CRITICAL Act Now

The vulnerability enables an attacker to fully bypass authentication in CGM CLININET and gain access to any active user account by supplying only the username, without requiring a password or any other credentials.

Authentication Bypass
NVD
CVSS 4.0
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy