Skip to main content
CVE-2026-3703 CRITICAL POC Act Now

Wavlink NU516U1 firmware 251208 has a buffer overflow enabling remote code execution through crafted HTTP requests to the CGI interface.

Buffer Overflow Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-3726 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 1.0.0.3 firmware allows authenticated remote attackers to achieve full system compromise through a malicious page parameter in the webExcptypemanFilter function. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but no user interaction, making it a significant risk for affected devices.

Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3769 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 firmware 1.0.0.3 allows remote attackers with valid credentials to achieve unauthenticated code execution through a malformed GO parameter in the WrlclientSet function. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using vulnerable F453 devices should implement network segmentation and access controls to mitigate exploitation risk.

Golang Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3768 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 firmware version 1.0.0.3 allows authenticated remote attackers to achieve complete system compromise through a malformed GO parameter in the WrlExtraSet function. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems face high risk of unauthorized code execution, data theft, and service disruption.

Golang Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3732 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 firmware allows unauthenticated remote attackers to execute arbitrary code through the cmdinput parameter in the /goform/exeCommand function, with public exploit code already available. The vulnerability affects F453 firmware version 1.0.0.3 and has a CVSS score of 8.8, enabling complete compromise of affected devices without requiring user interaction. No patch is currently available.

Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3729 HIGH POC This Week

Remote code execution in Tenda F453 firmware versions 1.0.0.3 and 3.As via stack-based buffer overflow in the PPTP client configuration endpoint allows unauthenticated network attackers to achieve full system compromise. Public exploit code exists for this vulnerability, and no patch is currently available, creating significant risk for affected devices.

Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3728 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 firmware versions 1.0.0.3/1.1f allows authenticated remote attackers to execute arbitrary code through malformed funcname/funcpara1 parameters in the /goform/setcfm endpoint. Public exploit code exists for this vulnerability, and no patch is currently available. The high CVSS score of 8.8 reflects the complete compromise potential of affected devices.

Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3715 HIGH POC This Week

Remote code execution in Wavlink WL-WN579X3-C firmware through stack-based buffer overflow in the firewall.cgi module allows unauthenticated attackers to achieve complete system compromise via manipulation of the del_flag parameter. Public exploit code exists for this vulnerability, and no patch is currently available despite vendor notification. Affected users should immediately restrict network access to the affected device until a firmware update becomes available.

Buffer Overflow Stack Overflow Wl Wn579x3 C Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3701 HIGH POC This Week

Remote code execution in H3C Magic B1 firmware through a buffer overflow in the SSID configuration function allows unauthenticated attackers to gain complete system compromise over the network. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification. The flaw affects firmware versions up to 100R004 and requires only low complexity to exploit with valid credentials.

Buffer Overflow Magic B1 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3700 HIGH POC This Week

Remote code execution in UTT HiPER 810G firmware up to version 1.7.7-171114 through a stack buffer overflow in the DNS filter configuration function allows authenticated attackers to execute arbitrary commands with full system privileges. Public exploit code is available for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement network-level mitigations or device replacement until a fix is released.

Buffer Overflow 810g Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3699 HIGH POC This Week

Remote code execution in UTT HiPER 810G firmware through version 1.7.7-171114 stems from an unsafe strcpy operation in the /goform/formRemoteControl function that enables unauthenticated attackers to trigger a buffer overflow. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at immediate risk.

Buffer Overflow 810g Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3698 HIGH POC This Week

A buffer overflow in the NTP configuration handler of UTT HiPER 810G firmware versions up to 1.7.7-171114 enables authenticated remote attackers to achieve complete system compromise through memory corruption. Public exploit code exists for this vulnerability, and no patch is currently available. Affected devices face immediate risk of remote code execution with high privileges from any authenticated user.

Buffer Overflow 810g Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-3727 HIGH POC This Week

Stack-based buffer overflow in Tenda F453 1.0.0.3 firmware allows authenticated attackers to achieve remote code execution through improper input validation in the QuickIndex handler. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected devices at significant risk of compromise.

Buffer Overflow Stack Overflow F453 Firmware
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30909 CRITICAL Act Now

Perl Crypt::NaCl::Sodium module through 2.002 has potential integer overflows in cryptographic operations that could weaken security guarantees.

Integer Overflow Buffer Overflow Crypt
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-3696 MEDIUM POC This Month

OS command injection in Totolink N300RH firmware allows unauthenticated remote attackers to execute arbitrary commands through the setWiFiWpsConfig function in the CGI handler. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should restrict network access to the device's management interface until a fix is released.

Command Injection N300rh Firmware
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
1.4%
CVE-2026-3746 MEDIUM POC This Month

SQL injection in SourceCodester Simple Responsive Tourism Website 1.0 via the Username parameter in the Login.php component enables unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify application state. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected systems exposed to active exploitation.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-3730 MEDIUM POC This Month

SQL injection in Free Hotel Reservation System 1.0 allows remote attackers to manipulate the amen_id and rmtype_id parameters in the amenities management interface, enabling unauthorized database access and potential data modification. Public exploit code exists for this vulnerability, and no patch is currently available. The flaw affects PHP-based installations and requires no authentication or user interaction to exploit.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3744 MEDIUM POC This Month

SQL injection in Student Web Portal 1.0's signup.php password validation function allows unauthenticated remote attackers to manipulate database queries through the reg_passwd parameter. Public exploit code exists for this vulnerability, and no patch is currently available. Successful exploitation could enable unauthorized data access, modification, or deletion.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3764 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows unauthenticated remote attackers to manipulate the /superadmin_user_update.php file, potentially gaining unauthorized access to sensitive functionality. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3734 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0 allows remote attackers to manipulate the manager_id parameter in /fetch_manager_details.php to access unauthorized data. Public exploit code exists for this vulnerability, and no patch is currently available. Affected systems can be compromised over the network without authentication or user interaction.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3723 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's /Admindelete.php endpoint allows unauthenticated remote attackers to manipulate the flightno parameter and execute arbitrary database queries, potentially leading to data theft or modification. Public exploit code is available for this vulnerability, and no patch has been released as of now.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3709 MEDIUM POC This Month

Simple Flight Ticket Booking System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 7.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3705 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 via the flightno parameter in /Adminsearch.php allows unauthenticated remote attackers to query or modify database contents. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should immediately restrict access to the admin search functionality or upgrade if a patched version becomes available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3762 MEDIUM POC This Month

Improper authorization in SourceCodester Client Database Management System 1.0/3.1 allows unauthenticated remote attackers to manipulate the manager_id parameter in the /superadmin_delete_manager.php endpoint to bypass access controls. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to gain unauthorized access with limited confidentiality, integrity, and availability impact.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3708 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's login functionality allows unauthenticated attackers to manipulate the Username parameter and execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. PHP installations running the affected application should be isolated until a security patch becomes available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3736 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0's SearchResultRoundtrip.php parameter handling enables unauthenticated remote attackers to manipulate database queries and potentially extract, modify, or delete sensitive data. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3735 MEDIUM POC This Month

SQL injection in Simple Flight Ticket Booking System 1.0 allows unauthenticated remote attackers to manipulate the SearchResultOneway.php input parameter and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires no user interaction and can be executed over the network, enabling attackers to read, modify, or delete sensitive flight booking data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3695 MEDIUM POC This Month

SourceCodester Modern Image Gallery App 1.0 contains a path traversal vulnerability in the /delete.php file that allows unauthenticated remote attackers to manipulate the filename parameter and access or delete arbitrary files. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability can lead to information disclosure or file deletion on affected systems.

PHP Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3759 MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 via the reach_nm parameter in /admin/adminHome.php allows unauthenticated remote attackers to manipulate database queries and potentially extract sensitive data or modify database contents. Public exploit code exists for this vulnerability, increasing exploitation risk. No patch is currently available for affected installations.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3758 MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate the Info parameter in /admin/adminHome.php, potentially enabling unauthorized database access and data theft. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available, requiring organizations to implement compensating controls or upgrade to a patched version when released.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3765 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the dt parameter in /att_single_view.php enables remote attackers to execute arbitrary SQL queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. The attack affects data confidentiality, integrity, and availability with a CVSS score of 7.3.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3760 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the seme parameter in /view_result.php allows unauthenticated remote attackers to manipulate database queries and potentially access or modify sensitive data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3757 MEDIUM POC This Month

SQL injection in projectworlds Online Art Gallery Shop 1.0 allows unauthenticated remote attackers to manipulate the fnm parameter via the /?pass=1 endpoint, potentially enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at immediate risk.

SQLi Online Art Gallery Shop
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3747 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 via the subject parameter in /add_result.php enables remote attackers to execute arbitrary database queries without authentication. Public exploit code exists for this vulnerability, and no patch is currently available. Affected installations face potential data exfiltration, modification, or deletion through unauthenticated network-based attacks.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-3740 MEDIUM POC This Month

SQL injection in itsourcecode University Management System 1.0 allows remote attackers to manipulate the admin_search_student parameter in /admin_search_student.php without authentication, potentially leading to unauthorized data access, modification, or deletion. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. No patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-30910 HIGH This Week

Crypt::Sodium::XS versions through 0.001000 for Perl has potential integer overflows. Combined aead encryption, combined signature creation, and bin2hex functions do not check that output size will be less than SIZE_MAX, which could lead to integer wraparound causing an undersized output buffer. [CVSS 7.5 HIGH]

Buffer Overflow Integer Overflow Denial Of Service Crypt
NVD
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-3787 MEDIUM This Month

UltraVNC 1.6.4.0 on Windows contains an uncontrolled search path vulnerability in cryptbase.dll that allows local authenticated attackers with low privileges to achieve arbitrary code execution through DLL hijacking. Successful exploitation requires local access and considerable technical complexity, though the vendor has not provided a patch despite early disclosure notification. This vulnerability carries a high impact rating with potential for complete system compromise (confidentiality, integrity, and availability).

Information Disclosure Microsoft
NVD VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-3749 LOW POC PATCH Monitor

Unrestricted file upload in Bytedesk versions up to 1.3.9 allows authenticated remote attackers to upload arbitrary SVG files through the handleFileUpload function in UploadRestService.java. Public exploit code exists for this vulnerability, and attackers can leverage it to bypass file upload restrictions and potentially execute malicious content. Upgrade to version 1.4.5.1 or apply patch 975e39e4dd527596987559f56c5f9f973f64eff7 to remediate.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3748 LOW POC PATCH Monitor

Unrestricted file upload in Bytedesk versions up to 1.3.9 allows authenticated remote attackers to upload malicious SVG files through the UploadRestController component. Public exploit code exists for this vulnerability, which could enable attackers to execute arbitrary code or compromise system integrity. Update to version 1.4.5.1 or later to remediate this issue.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3761 LOW POC Monitor

Client Database Management System versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 5.4).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3745 LOW POC Monitor

SQL injection in Student Web Portal 1.0's profile.php allows authenticated attackers to execute arbitrary SQL queries through improper input validation on the User parameter, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3738 LOW POC Monitor

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to gain unauthorized access to the Financial Report Page, potentially viewing or modifying sensitive financial data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at risk of information disclosure and data manipulation.

Information Disclosure Pet Grooming Management Software
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3737 LOW POC Monitor

Pet Grooming Management Software versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3724 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3770 LOW POC Monitor

Computer Laboratory Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Computer Laboratory Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3763 LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3702 LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3771 LOW POC Monitor

SQL injection in SourceCodester Resort Reservation System 1.0 via the q parameter in /accommodation.php allows remote authenticated attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could extract or modify sensitive reservation and user data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3767 LOW POC Monitor

College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3756 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System up to version 1.0 allows authenticated remote attackers to manipulate the stock_name1 parameter in /check_item_details.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but could enable data disclosure, modification, or deletion within the affected system.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy