Skip to main content
CVE-2026-3749 LOW POC PATCH Monitor

Unrestricted file upload in Bytedesk versions up to 1.3.9 allows authenticated remote attackers to upload arbitrary SVG files through the handleFileUpload function in UploadRestService.java. Public exploit code exists for this vulnerability, and attackers can leverage it to bypass file upload restrictions and potentially execute malicious content. Upgrade to version 1.4.5.1 or apply patch 975e39e4dd527596987559f56c5f9f973f64eff7 to remediate.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3748 LOW POC PATCH Monitor

Unrestricted file upload in Bytedesk versions up to 1.3.9 allows authenticated remote attackers to upload malicious SVG files through the UploadRestController component. Public exploit code exists for this vulnerability, which could enable attackers to execute arbitrary code or compromise system integrity. Update to version 1.4.5.1 or later to remediate this issue.

Java Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3761 LOW POC Monitor

Client Database Management System versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 5.4).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3745 LOW POC Monitor

SQL injection in Student Web Portal 1.0's profile.php allows authenticated attackers to execute arbitrary SQL queries through improper input validation on the User parameter, potentially leading to unauthorized data access or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3738 LOW POC Monitor

Improper authorization in SourceCodester Pet Grooming Management Software 1.0 allows authenticated remote attackers to gain unauthorized access to the Financial Report Page, potentially viewing or modifying sensitive financial data. Public exploit code exists for this vulnerability, and no patch is currently available, leaving affected installations at risk of information disclosure and data manipulation.

Information Disclosure Pet Grooming Management Software
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3737 LOW POC Monitor

Pet Grooming Management Software versions up to 1.0 contains a vulnerability that allows attackers to improper authorization (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3724 LOW POC Monitor

Patients Waiting Area Queue Management System versions up to 1.0 contains a security vulnerability (CVSS 6.3).

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3770 LOW POC Monitor

Computer Laboratory Management System versions up to 1.0 is affected by cross-site request forgery (csrf) (CVSS 4.3).

CSRF Computer Laboratory Management System
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3763 LOW POC Monitor

Simple Flight Ticket Booking System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 4.3).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3702 LOW POC Monitor

Reflected cross-site scripting (XSS) in SourceCodester Loan Management System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the page parameter in /index.php. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability enables attackers to perform actions on behalf of victims or steal sensitive information, though no patch is currently available.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3771 LOW POC Monitor

SQL injection in SourceCodester Resort Reservation System 1.0 via the q parameter in /accommodation.php allows remote authenticated attackers to manipulate database queries. Public exploit code exists for this vulnerability, and no patch is currently available. An attacker with valid credentials could extract or modify sensitive reservation and user data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3767 LOW POC Monitor

College Management System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3756 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System up to version 1.0 allows authenticated remote attackers to manipulate the stock_name1 parameter in /check_item_details.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but could enable data disclosure, modification, or deletion within the affected system.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3755 LOW POC Monitor

Sales And Inventory System versions up to 1.0 contains a vulnerability that allows attackers to sql injection (CVSS 6.3).

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3754 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the cost parameter in /add_stock.php enables authenticated attackers to manipulate database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can result in unauthorized data access and modification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3753 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System versions up to 1.0 via the sid parameter in /add_sales_print.php allows authenticated attackers to execute arbitrary SQL queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers can leverage this to access, modify, or delete sensitive inventory and sales data.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3786 LOW POC Monitor

SQL injection in EasyCMS up to version 1.6 via the _order parameter in the Request Parameter Handler allows authenticated remote attackers to execute arbitrary SQL queries with medium impact on confidentiality, integrity, and availability. Public exploit code exists for this vulnerability, and the vendor has not provided a patch despite early notification.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3785 LOW POC Monitor

SQL injection in EasyCMS versions up to 1.6 via the _order parameter in the Request Parameter Handler allows remote attackers with valid credentials to execute arbitrary SQL queries. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early disclosure notification. The attack requires low complexity and can result in unauthorized data access, modification, and potential service disruption.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3704 LOW POC Monitor

Command injection in Wavlink NU516U1 firmware's firewall CGI component allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, which stems from an incomplete fix of a prior CVE. A patch is not currently available, though the vendor has been notified and indicated a fix is in development.

Command Injection Wl Nu516u1 Firmware
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-3766 LOW POC Monitor

Web-Based Pharmacy Product Management System versions up to 1.0 is affected by cross-site scripting (xss) (CVSS 3.5).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3711 LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's admin update function allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires administrative credentials but could enable data exfiltration or modification of flight booking records.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3710 LOW POC Monitor

SQL injection in Simple Flight Ticket Booking System 1.0's /Adminadd.php allows remote attackers with high privileges to manipulate flight parameters and execute arbitrary SQL queries, potentially compromising flight booking data. Public exploit code exists for this vulnerability, though patches are not yet available. The attack requires administrative credentials but can be exploited over the network without user interaction.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3750 LOW POC Monitor

ContiNew Admin up to version 4.2.0 contains a server-side request forgery vulnerability in its Storage Management Module that allows remote attackers to manipulate URI creation functions with high privileges. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

Java SSRF
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3743 LOW POC Monitor

A flaw has been found in YiFang CMS 2.0.5. This affects the function update of the file app/db/admin/D_singlePageGroup.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3742 LOW POC Monitor

A vulnerability was detected in YiFang CMS 2.0.5. The impacted element is the function update of the file app/db/admin/D_singlePage.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3741 LOW POC Monitor

A security vulnerability has been detected in YiFang CMS 2.0.5. The affected element is the function update of the file app/db/admin/D_friendLink.php. [CVSS 3.5 LOW]

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3752 LOW POC Monitor

SourceCodester Employee Task Management System through version 1.0 contains a SQL injection vulnerability in the /daily-task-report.php GET parameter handler that allows remote attackers with high privileges to extract or manipulate database contents. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires network access but no user interaction, potentially compromising sensitive employee task data and system integrity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3751 LOW POC Monitor

SQL injection in SourceCodester Employee Task Management System 1.0 allows remote attackers to manipulate the Date parameter in /daily-attendance-report.php, enabling unauthorized database access and modification. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but can be executed over the network with minimal complexity.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3716 LOW POC Monitor

A vulnerability was determined in Wavlink WL-WN579X3-C 231124. This vulnerability affects the function sub_401AD4 of the file /cgi-bin/adm.cgi. [CVSS 2.4 LOW]

XSS Wl Wn579x3 C Firmware
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3713 LOW POC PATCH Monitor

Heap buffer overflow in libpng's pnm2png utility (versions up to 1.6.55) allows local attackers to corrupt memory and potentially execute code by supplying malicious width or height parameters. The vulnerability requires local access and public exploit code is available. The maintainers have not yet provided a patch despite early notification.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3739 LOW Monitor

Improper authentication in suitenumerique messages 0.2.0 allows authenticated remote attackers to bypass access controls on ThreadAccess objects via the ThreadAccessSerializer component, with public exploit code available. The vulnerability affects the serializer logic in src/backend/core/api/serializers.py and can be exploited by users with valid credentials to gain unauthorized access. Upgrading to version 0.3.0 resolves this issue.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-3733 LOW Monitor

XXL-Job versions up to 3.3.2 contain a server-side request forgery vulnerability in the JobInfoController that allows authenticated attackers to make arbitrary HTTP requests from the server due to insufficient access token validation. An attacker with valid credentials can exploit this remotely to conduct SSRF attacks against internal systems. Public exploit code exists for this vulnerability, and no patch is currently available.

Java SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3725 LOW Monitor

SmartAdmin versions up to 3.29 contain a template injection vulnerability in the FreeMarker template handler that allows authenticated remote attackers to manipulate template content and achieve code execution. The flaw exists in the MailService component's freemarkerResolverContent function and has a public exploit available. Since no patch is available and the vendor has not responded, organizations using affected versions should immediately assess exposure and consider alternative solutions.

Java Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3697 LOW Monitor

Stack Overflow's Language Package Configuration Handler contains a stack-based buffer overflow in the httpd component that can be triggered by manipulating the Language parameter, allowing authenticated remote attackers to achieve code execution. The vulnerability affects Planet ICG-2510 1.0_20250811 and currently lacks an available patch. An attacker with valid credentials can exploit this remotely without user interaction to potentially compromise the affected system.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3682 LOW Monitor

Argument injection in welovemedia FFmate versions up to 2.0.15 allows authenticated attackers to manipulate the FFmpeg execution function in /internal/service/ffmpeg/ffmpeg.go, potentially leading to unauthorized command execution. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3683 LOW Monitor

Server-side request forgery in bufanyun HotGo's ImageTransferStorage endpoint allows authenticated attackers to initiate arbitrary outbound requests from the vulnerable server. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-3720 LOW Monitor

A security flaw has been discovered in 1024-lab/lab1024 SmartAdmin up to 3.29. Impacted is an unknown function of the file smart-admin-web-javascript/src/views/business/oa/notice/components/notice-form-drawer.vue of the component Notice Module. The manipulation results in cross site scripting. The attack can be launched remotely. The exploit has been released to the public and may be used for a...

XSS Smartadmin
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3721 LOW Monitor

A weakness has been identified in 1024-lab/lab1024 SmartAdmin versions up to 3.29. is affected by cross-site scripting (xss) (CVSS 3.5).

Java XSS
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-3707 LOW Monitor

Integer overflow in MrNanko webp4j versions up to 1.3.x within the GIF decoder's DecodeGifFromMemory function allows local attackers to trigger memory corruption through manipulation of the canvas_height parameter. Public exploit code exists for this vulnerability, and no patch is currently available. Affected users should restrict local access to the application until an update is released.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-3706 LOW Monitor

A vulnerability was determined in mkj Dropbear up to 2025.89. Impacted is the function unpackneg of the file src/curve25519.c of the component S Range Check. This manipulation causes improper verification of cryptographic signature. The attack can be initiated remotely. The attack is considered to have high complexity. The exploitability is considered difficult. The exploit has been publicly di...

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.7
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy