Skip to main content
CVE-2026-4115 LOW POC PATCH Monitor

PuTTY versions up to 0.83 contain a weak authentication vulnerability in the Ed25519 signature verification function (eddsa_verify in crypto/ecc-ssh.c) that allows remote attackers to potentially forge or manipulate digital signatures due to improper validation of Ed25519 signature components. While a public proof-of-concept exploit exists and the vulnerability affects signature verification, the real-world impact remains unproven, with CVSS 3.7 (low severity) and EPSS probability indicating exploitation is difficult and requires high complexity. The vendor (PuTTY developers) has already released a patch addressing this issue.

Jwt Attack Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-4554 LOW POC Monitor

Unauthenticated attackers can execute arbitrary commands on Tenda F453 routers (version 1.0.0.3) by injecting malicious input through the mac parameter in the /goform/WriteFacMac endpoint. Public exploit code exists for this vulnerability, enabling remote code execution with minimal attack complexity. A patch is not currently available.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-4543 LOW POC Monitor

Wavlink WL-WN578W2 routers contain a command injection vulnerability in the /cgi-bin/firewall.cgi POST handler that allows authenticated attackers to execute arbitrary commands by manipulating the dmz_flag or del_flag parameters. The vulnerability is remotely exploitable and has public exploit code available, though no patch has been released. An attacker with network access and valid credentials could achieve code execution with the privileges of the web service.

Command Injection Wl Wn578w2
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-4542 LOW POC Monitor

SSCMS 4.7.0's layerImage endpoint allows authenticated attackers to manipulate the filePaths parameter in LayerImageController.Submit.cs, enabling path traversal attacks that can modify or delete arbitrary files on the server. Public exploit code exists for this vulnerability, and no patch is currently available.

Path Traversal Sscms
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4557 LOW POC Monitor

A Stored Cross-Site Scripting (XSS) vulnerability exists in code-projects Exam Form Submission version 1.0, affecting the /admin/update_s1.php file where the 'sname' parameter is not properly sanitized. An unauthenticated attacker can remotely inject malicious JavaScript by manipulating this parameter, which will execute in the browsers of administrators or other users who view the affected page. A public proof-of-concept exploit is available on GitHub, and the vulnerability has an EPSS score indicating probable exploitation likelihood.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4533 LOW POC Monitor

SQL injection in Simple Food Ordering System 1.0 allows authenticated remote attackers to manipulate the Status parameter in all-tickets.php and execute arbitrary SQL queries. Public exploit code exists for this vulnerability, enabling attackers with valid credentials to read, modify, or delete database contents. The affected PHP application currently lacks a security patch.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4537 LOW POC Monitor

Command injection in the IPSec controller of Cudy TR1200 routers (R46-2.4.15-20250721-164017) allows remote attackers with administrative privileges to execute arbitrary commands through the action_ipsec_conn function. Public exploit code is available for this vulnerability, and the vendor has not released a patch despite early notification. The attack requires high-level access but involves minimal complexity and affects confidentiality, integrity, and availability.

Command Injection Tr1200
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-4550 LOW POC Monitor

SQL injection in Simple Gym Management System up to version 1.0 allows remote attackers with high privileges to manipulate the Trainer_id and fname parameters in /gym/func.php, enabling unauthorized database queries and potential data exfiltration or modification. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4544 LOW POC Monitor

A Stored/Reflected Cross-Site Scripting (XSS) vulnerability exists in the Wavlink WL-WN578W2 wireless router (firmware version 221110 and potentially others) within the POST request handler of /cgi-bin/login.cgi. An attacker with high privileges can manipulate the homepage, hostname, or login_page parameters to inject malicious JavaScript that executes in the context of other users' browsers. A proof-of-concept has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure notifications, leaving affected devices unpatched.

XSS Wl Wn578w2
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4538 LOW POC Monitor

A deserialization vulnerability exists in PyTorch 2.10.0 within the pt2 Loading Handler component, allowing local attackers with low privileges to achieve confidentiality, integrity, and availability impacts through untrusted data processing. The vulnerability (CWE-502) is confirmed to have a publicly available exploit and has been reported to the project via pull request PR#176791, though remediation status remains unclear. With a CVSS score of 5.3 and exploitation probability marked as probable (E:P), this represents a moderate real-world risk primarily affecting local development and deployment environments.

Deserialization Pytorch
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4539 LOW POC PATCH Monitor

A regular expression denial-of-service (ReDoS) vulnerability exists in Pygments up to version 2.19.2, specifically in the AdlLexer component within pygments/lexers/archetype.py. An attacker with local access can craft malicious input that triggers inefficient regex pattern matching, causing high CPU consumption and service degradation. A public proof-of-concept exploit is available, though the vulnerability requires local access and low privileges to exploit, resulting in a CVSS score of 3.3 with Proof-of-Concept availability (CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L/E:P).

Denial Of Service Pygments
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-4541 LOW POC PATCH Monitor

A cryptographic signature verification flaw exists in tinyssh's Ed25519 signature handler (crypto_sign_ed25519_tinyssh.c) that allows improper validation of signatures, potentially enabling an attacker to forge or bypass signature checks. Affected versions of janmojzis tinyssh up to 20250501 are impacted, with the vulnerability requiring local execution and high attack complexity. A public exploit has been disclosed, and vendor patches are available in version 20260301.

Jwt Attack Information Disclosure
NVD VulDB GitHub
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-4549 LOW Monitor

An authorization bypass vulnerability exists in mickasmt next-saas-stripe-starter version 1.0.0 within the openCustomerPortal function of the Stripe API integration component. Authenticated users with low privileges can bypass authorization controls to access Stripe customer portal functionality they should not be permitted to access, potentially gaining unauthorized view access to sensitive customer data. While the vulnerability requires authentication and has high attack complexity, exploitation is considered difficult but possible; no evidence of active exploitation in the wild or public proof-of-concept code has been reported.

Authentication Bypass Next Saas Stripe Starter
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-33550 LOW PATCH Monitor

SOGo versions prior to 5.12.5 contain two related one-time password (OTP) implementation weaknesses: the OTP is not regenerated when users disable and re-enable two-factor authentication, and the OTP length is only 12 digits instead of the cryptographically recommended 20 digits. While the CVSS score is low (2.0) due to high attack complexity and privileges required, this vulnerability could allow authenticated administrators or high-privilege users with social engineering capability to bypass or weaken OTP protections. No known active exploitation or public proof-of-concept exists, but the issue has been acknowledged and patched by the vendor.

Information Disclosure Sogo
NVD GitHub VulDB
CVSS 3.1
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy