Skip to main content
CVE-2026-4228 LOW POC Monitor

Command injection in LB-LINK BL-WR9000 2.4.9 via the /goform/set_wifi endpoint allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code is available for this vulnerability, and no patch has been released by the vendor despite early disclosure notification.

Command Injection Bl Wr9000
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-4210 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-327L, DNS-345 and others) through the time_machine.cgi script allows authenticated remote attackers to execute arbitrary commands with network access. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4204 LOW POC Monitor

A security vulnerability in A flaw (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4206 LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4205 LOW POC Monitor

A security vulnerability in A vulnerability (CVSS 6.3). Risk factors: public PoC available.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4207 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-320, DNS-325, DNS-343, DNR-322L and others) through the /cgi-bin/system_mgr.cgi interface allows authenticated remote attackers to execute arbitrary commands. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4209 LOW POC Monitor

Command injection in D-Link NAS devices (DNS-120, DNS-325, DNR-322L, DNS-327L and others) allows authenticated remote attackers to execute arbitrary commands through multiple user and group management CGI functions. Public exploit code exists for this vulnerability, and patches are not currently available. An attacker with valid credentials could leverage this to compromise the NAS system and potentially access or manipulate stored data.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4203 LOW POC Monitor

Command injection in D-Link DNS and DNR network attached storage devices allows authenticated remote attackers to execute arbitrary commands through multiple CGI functions in the network management interface. The vulnerability affects numerous models up to firmware version 20260205, and public exploit code is available. An attacker with valid credentials can leverage this to compromise device integrity and potentially access the network.

Command Injection D-Link
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4253 LOW POC Monitor

OS command injection in Tenda AC8 16.03.50.11 web interface allows authenticated remote attackers to execute arbitrary commands through the wans.policy.list1 parameter in the /cgi-bin/UploadCfg endpoint. Public exploit code exists for this vulnerability and no patch is currently available.

Tenda Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.6%
CVE-2026-4233 LOW POC Monitor

Path traversal in ThingsGateway 12's /api/file/download endpoint allows authenticated users to read arbitrary files through manipulation of the fileName parameter. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early notification.

Path Traversal Thingsgateway
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4215 LOW POC Monitor

Server-side request forgery in FlowCI flow-core-x up to version 1.23.01 allows authenticated remote attackers to conduct SSRF attacks through the SMTP Host Handler configuration function. Public exploit code exists for this vulnerability and the vendor has not released a patch. An attacker with valid credentials can manipulate the system to make arbitrary outbound requests from the affected server.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4234 LOW POC Monitor

SQL injection in SSCMS 7.4.0 via the tableHandWrite parameter in SitesAddController.Submit.cs allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available from the vendor despite early disclosure notification.

SQLi Sscms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4230 LOW POC Monitor

SQL injection in Vanna up to version 2.0.2 allows authenticated remote attackers to execute arbitrary SQL queries through the update_sql endpoint function. Public exploit code exists for this vulnerability, and the vendor has not released a patch despite early notification. An authenticated attacker can leverage this to read, modify, or delete database contents depending on the application's database permissions.

Python SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4222 LOW POC Monitor

A path traversal vulnerability exists in SSCMS versions up to 7.4.0 within the PathUtils.RemoveParentPath function of the plugin download API endpoint (/api/admin/plugins/install/actions/download). An authenticated administrator with high privileges can manipulate the path argument to traverse the file system and access or modify files outside the intended directory, potentially leading to information disclosure or system compromise. The vulnerability has public proof-of-concept code available, though the CVSS score of 3.8 is relatively low due to the requirement for authenticated administrative access, making this a lower-priority but still exploitable issue in environments where admin credentials may be compromised.

Path Traversal Sscms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-4239 LOW POC Monitor

A vulnerability was found in Lagom WHMCS Template up to 2.3.7.

Information Disclosure Prototype Pollution
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4238 LOW POC Monitor

SQL injection in itsourcecode College Management System 1.0 via the course_code parameter in /admin/courses.php allows authenticated administrators to execute arbitrary database queries remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires high-level privileges but could enable data exfiltration or manipulation.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4199 LOW POC PATCH Monitor

Command injection in bazinga012 mcp_code_executor up to version 0.3.0 allows local attackers with user-level privileges to execute arbitrary commands through the installDependencies function in src/index.ts. Public exploit code exists for this vulnerability, affecting Python and Node.js environments. A patch is available and should be applied to remediate this local privilege escalation risk.

Command Injection Mcp Code Executor
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-4225 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in CMS Made Simple versions up to 2.2.21 affecting the User Management Module's admin/listusers.php file. An attacker with high-level privileges can inject malicious JavaScript through the Message parameter to compromise other users' sessions or steal sensitive data. Public exploit code is available and the vulnerability has been actively exploited, making this a tangible threat despite its low CVSS score of 2.4.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4216 LOW POC Monitor

Hard-coded credentials exist in the i-SENS SmartLog Android application (versions up to 2.6.8) within a developer mode function used for Bluetooth pairing configuration between blood glucose meters and the mobile app. An attacker with local access and low privileges can exploit this to obtain credentials, potentially compromising the integrity and confidentiality of health data. A public proof-of-concept is available, though the CVSS 5.3 score and local-only attack vector limit immediate widespread exploitation risk.

Google Authentication Bypass
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4219 LOW POC Monitor

A hard-coded credentials vulnerability exists in the INDEX Conferences & Exhibitions Organization YWF BPOF APGCS Android application (versions up to 1.0.2) where attackers can manipulate ACCESS_KEY and HASH_KEY arguments in the BuildConfig.java component to extract embedded credentials. The vulnerability requires local execution on the device and grants only confidentiality impact (CWE-798: Use of Hard-Coded Credentials), but the existence of a published exploit and vendor non-responsiveness elevate practical risk despite the low CVSS score of 3.3.

Google Authentication Bypass Java
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4251 LOW POC Monitor

A remote code execution vulnerability in CityData CityChat (CVSS 2.5). Risk factors: public PoC available.

Information Disclosure Google
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4250 LOW POC Monitor

A remote code execution vulnerability in Albert Sağlık Hizmetleri ve Ticaret Albert Health (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4242 LOW POC Monitor

A security vulnerability in A security flaw (CVSS 2.5). Risk factors: public PoC available.

Google Information Disclosure Java
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4218 LOW POC Monitor

A local information disclosure vulnerability exists in myAEDES App versions up to 1.18.4 on Android, stemming from improper handling of the AUTH_KEY argument in the EngageBayUtils.java component. An authenticated local attacker with high complexity can manipulate this parameter to disclose sensitive information, though the attack requires local device access and significant technical effort. A public proof-of-concept exploit is now available, and the vendor has not responded to early disclosure attempts.

Information Disclosure Java Google
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4217 LOW POC Monitor

A key management error exists in the XREAL Nebula App (Android) up to version 3.2.1, specifically in the CloudStoragePlugin.java component where accessKey, secretAccessKey, and securityToken arguments are improperly handled. An attacker with local access and moderate privileges can manipulate these credentials to bypass authentication controls, resulting in unauthorized information disclosure. A proof-of-concept has been publicly disclosed, though the vulnerability requires high complexity to exploit and the vendor has not responded to early notification.

Java Google Information Disclosure
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-26230 LOW Monitor

Mattermost versions 10.11.x <= 10.11.10 fail to properly validate permission requirements in the team member roles API endpoint which allows team administrators to demote members to guest role.

Authentication Bypass Mattermost
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2025-71264 LOW PATCH Monitor

Mumble before version 1.6.870 contains an out-of-bounds array access vulnerability (CWE-125) that allows remote attackers to crash the client application, resulting in denial of service. The vulnerability requires network access but no authentication or user interaction, affecting all users of vulnerable Mumble client versions. While the CVSS score of 3.7 is relatively low and only impacts availability with no confidentiality or integrity compromise, this vulnerability poses a practical risk to voice communication availability in production deployments.

Buffer Overflow Denial Of Service Information Disclosure Mumble
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-32722 LOW PATCH Monitor

Python XSS
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.0%
CVE-2025-26474 LOW Monitor

OpenHarmony v5.0.3 and prior versions contain an improper input validation vulnerability (CWE-20) that allows a local attacker with limited privileges to read sensitive information from the system. The vulnerability carries a CVSS score of 3.3 with low attack complexity and requires local access and low privileges, indicating a confined risk profile suitable only for restricted exploitation scenarios. While the CVSS vector does not indicate active exploitation or widespread POC availability based on the provided data, the information disclosure impact warrants attention in environments where local privilege escalation chains may amplify the risk.

Information Disclosure Openharmony
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-0639 LOW Monitor

This vulnerability is a memory leak in OpenHarmony v6.0 and prior versions that allows a local, low-privileged attacker to trigger a denial-of-service condition by preventing proper memory release during runtime operations. An authenticated local user without special privileges can exhaust system memory through repeated triggering of the affected code path, causing application or system instability. The low CVSS score of 3.3 reflects the limited scope (local access only, no confidentiality or integrity impact), but the underlying memory management flaw (CWE-401: Missing Release of Memory) is a classic stability threat in systems software.

Information Disclosure Openharmony
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-20992 LOW Monitor

An improper authorization vulnerability in Samsung Settings allows a local attacker with low privileges to disable configuration of background data usage for applications prior to the SMR Mar-2026 Release 1 patch. While the CVSS score of 4.8 is moderate, the vulnerability has limited impact as it only affects the integrity of data usage settings without enabling data exfiltration or system compromise. The local attack vector and requirement for user-level privileges significantly reduce real-world exploitation likelihood compared to remote or privilege-escalation vulnerabilities.

Authentication Bypass Samsung Mobile Devices
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2025-52642 LOW Monitor

HCL AION is affected by a vulnerability where internal filesystem paths may be exposed through application responses or system behaviour.

Information Disclosure Aion
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-22545 LOW PATCH Monitor

CVE-2026-22545 is a security vulnerability (CVSS 3.1) that allows an authenticated attacker. Remediation should follow standard vulnerability management procedures.

Authentication Bypass Mattermost Server
NVD VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-32638 LOW PATCH Monitor

CVE-2026-32638 is a security vulnerability (CVSS 2.7). Remediation should follow standard vulnerability management procedures. Vendor patch is available.

Authentication Bypass
NVD VulDB GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-32266 LOW PATCH Monitor

Unauthenticated users can view a list of buckets the plugin has access to.

CSRF Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.4
EPSS
0.0%
CVE-2026-20989 LOW Monitor

This vulnerability involves improper cryptographic signature verification in the Font Settings component of Samsung devices prior to the March 2026 Security Update Release 1. A physical attacker can bypass signature validation to install custom fonts, potentially leading to integrity compromise of system font resources. While the CVSS score is moderate at 5.1, the attack requires physical access and user interaction, limiting real-world exploitation frequency.

Information Disclosure Jwt Attack
NVD VulDB
CVSS 3.1
2.4
EPSS
0.0%
CVE-2025-52646 LOW Monitor

HCL AION is affected by a vulnerability where certain offering configurations may permit execution of potentially harmful SQL queries.

Information Disclosure SQLi Aion
NVD VulDB
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-4195 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323 through DNS-1550-04 with firmware prior to 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/wizard_mgr.cgi endpoint. Public exploit code is available and no patch is currently available for affected users.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-4196 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-323-327L, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, DNS-1550-04 through firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands via the /cgi-bin/remote_backup.cgi backup scheduling functions. Public exploit code exists for this vulnerability and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4197 LOW Monitor

Command injection in D-Link NAS devices (DNS-120, DNR-202L, DNS-315L, DNS-320 series, DNS-325 series, DNS-326, DNS-327L, DNR-326, DNS-340L, DNS-343, DNS-345, DNS-726-4, DNS-1100-4, DNS-1200-05, and DNS-1550-04 up to firmware version 20260205) allows authenticated remote attackers to execute arbitrary commands through the /cgi-bin/download_mgr.cgi file's RSS management functions. Public exploit code exists for this vulnerability, and no patch is currently available.

D-Link Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-4241 LOW Monitor

SQL injection in itsourcecode College Management System 1.0 allows authenticated attackers to manipulate the course_code parameter in /admin/time-table.php and execute arbitrary SQL commands remotely. Public exploit code exists for this vulnerability, and no patch is currently available. The attack requires valid credentials but can lead to unauthorized data access, modification, or deletion within the application database.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4284 LOW Monitor

The PPT File Handler in taoofagi easegen-admin contains a server-side request forgery vulnerability in the downloadFile function that allows authenticated remote attackers to manipulate file URLs and access arbitrary network resources. Public exploit code exists for this vulnerability, and the vendor has not provided patches or updates despite notification. The flaw affects Java-based deployments using the affected rolling release version.

SSRF Java
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4198 LOW Monitor

Local command injection in hypermodel-labs mcp-server-auto-commit 1.0.0 via the getGitChanges function in index.ts allows authenticated local attackers to execute arbitrary commands with the privileges of the affected process. Public exploit code exists for this vulnerability, and the vendor has not yet released a patch despite early notification.

Command Injection
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2025-52645 LOW Monitor

A security vulnerability in HCL AION (CVSS 1.9). Remediation should follow standard vulnerability management procedures.

Information Disclosure Aion
NVD VulDB
CVSS 3.1
1.9
EPSS
0.0%
CVE-2025-52636 LOW Monitor

A remote code execution vulnerability in HCL AION (CVSS 1.8). Remediation should follow standard vulnerability management procedures.

Denial Of Service Aion
NVD VulDB
CVSS 3.1
1.8
EPSS
0.0%
CVE-2025-52649 LOW Monitor

HCL AION is affected by a vulnerability where certain identifiers may be predictable in nature.

Information Disclosure Aion
NVD VulDB
CVSS 3.1
1.8
EPSS
0.0%
CVE-2026-4243 LOW Monitor

A weakness has been identified in La Nacion App 10.2.25 on Android.

Java Authentication Bypass Google
NVD VulDB
CVSS 4.0
1.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy