Skip to main content
CVE-2026-4781 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to manipulate the sid parameter in update_purchase.php, enabling unauthorized database queries and potential data exfiltration. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4780 LOW POC Monitor

SourceCodester Sales and Inventory System 1.0 contains a SQL injection vulnerability in the update_out_standing.php file's sid parameter that allows authenticated remote attackers to execute arbitrary database queries. Public exploit code exists for this vulnerability, and no patch is currently available. The vulnerability affects PHP-based deployments and has a CVSS score of 5.3.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4779 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 via the sid parameter in update_customer_details.php allows authenticated remote attackers to execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available. Affected organizations using PHP-based deployments of this system should restrict access to the vulnerable component until a fix is released.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4778 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the sid parameter in update_category.php. Public exploit code exists for this vulnerability, and no patch is currently available. Attackers with valid credentials can leverage this weakness to compromise database integrity and extract sensitive information.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4777 LOW POC Monitor

SQL injection in SourceCodester Sales and Inventory System 1.0's view_supplier.php POST parameter handler allows authenticated attackers to execute arbitrary SQL queries through the searchtxt parameter. Public exploit code exists for this vulnerability, increasing the risk of active exploitation. The vulnerability affects PHP-based installations and currently lacks an available patch.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4626 LOW POC Monitor

A stored cross-site scripting (XSS) vulnerability exists in projectworlds Lawyer Management System version 1.0 within the /lawyer_booking.php file, where the Description parameter fails to sanitize user input before rendering. An authenticated attacker can inject malicious JavaScript that executes in the context of other users' browsers, potentially leading to session hijacking, credential theft, or unauthorized actions. A proof-of-concept exploit has been publicly disclosed on GitHub, and the vulnerability carries a CVSS score of 3.5 with evidence of public exploitation.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-4616 LOW POC Monitor

A cross-site scripting (XSS) vulnerability exists in bolo-blog version 2.6.4 in the Article Title Handler component at /console/article/, where the articleTitle parameter is not properly sanitized before being rendered. An authenticated attacker with high privileges can inject malicious JavaScript through the articleTitle argument, resulting in stored or reflected XSS that compromises the integrity of the application. A proof-of-concept exploit has been publicly released on GitHub, and the vendor has not yet responded to early disclosure notifications.

XSS Bolo Blog
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-33769 LOW PATCH Monitor

Astro's remotePatterns path enforcement contains a logic flaw where wildcard matching for /* is unanchored, allowing attackers to bypass path restrictions and access unintended resources on allowed hosts. Versions 2.10.10 through 5.18.0 are affected, enabling information disclosure through server-side image optimization endpoints and other remote fetchers. The vulnerability has been patched in version 5.18.1, and while no public exploit code or active exploitation has been reported in KEV databases, the straightforward nature of the bypass makes this a moderate to high priority for affected deployments.

Information Disclosure Astro
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-4742 LOW PATCH Monitor

An HTTP Request/Response Smuggling vulnerability exists in visualfc liteide due to inconsistent interpretation of HTTP requests in the HTTP parser component (http_parser.C), classified under CWE-444. This affects liteide versions before x38.4, allowing attackers to exploit the qjsonrpc HTTP parser module to smuggle malicious requests. An attacker could leverage this vulnerability to perform request smuggling attacks, potentially leading to cache poisoning, session hijacking, or information disclosure depending on the deployment context and HTTP intermediaries involved.

Information Disclosure Request Smuggling Liteide
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-33160 LOW PATCH Monitor

An unauthenticated user can exploit the `/assets/generate-transform` endpoint in Craft CMS to generate valid transform URLs for private assets without authorization checks, allowing anonymous access to transformed image content that should be restricted. This authentication bypass affects Craft CMS versions prior to 4.17.8 and 5.9.14, enabling attackers to derive and view content from private assets through the publicly accessible transform endpoint. The vulnerability has a published patch and advisory available from the vendor.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-32642 LOW PATCH Monitor

An incorrect authorization vulnerability exists in Apache Artemis and Apache ActiveMQ Artemis where the OpenWire protocol fails to properly enforce permission checks when creating non-durable JMS topic subscriptions on non-existent addresses. A user with only 'createDurableQueue' permission but lacking 'createAddress' permission can bypass authorization controls to create temporary addresses that should be denied, circumventing the intended security model when address auto-creation is disabled. This authentication bypass persists until the OpenWire connection closes and the temporary address is cleaned up.

Apache Authentication Bypass Apache Artemis Apache Activemq Artemis
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2025-11571 LOW Monitor

A command injection vulnerability exists in Silicon Labs Simplicity Studio V5 and Simplicity Installer Tool for Simplicity Studio V6, where vulnerable endpoints accept user-controlled input through URLs in JSON format, enabling arbitrary command execution. An attacker on the same network can exploit this to execute system commands, though parameter passing is restricted. While CVSS scoring is unavailable, the vulnerability represents a significant local network threat to development environments using these tools.

Command Injection Simplicity Studio V5 Simplicity Installer Tool Silicon Labs Tool Slt For Simplicity Studio V6
NVD VulDB
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-33624 LOW PATCH Monitor

Parse Server versions prior to 8.6.60 and 9.6.0-alpha.54 contain a race condition vulnerability that allows attackers to reuse single-use MFA recovery codes an unlimited number of times through concurrent login requests. An attacker with knowledge of a user's password and possession of one valid recovery code can bypass the intended single-use restriction by sending multiple authentication attempts simultaneously within milliseconds, effectively defeating the multi-factor authentication protection mechanism. This vulnerability is tracked as CWE-367 (TOCTOU race condition) and has been patched in the aforementioned versions with fixes available via pull requests 10275 and 10276.

Information Disclosure Node.js
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4614 LOW Monitor

SQL injection in the Parameter Handler of itsourcecode sanitize or validate this input 1.0 allows authenticated remote attackers to manipulate the subject_code argument in /admin/subjects.php and execute arbitrary SQL commands. Public exploit code exists for this vulnerability, and no patch is currently available.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-4433 LOW Monitor

Tenable OT contains an SSH misconfiguration that permits unauthorized disclosure of socket, port, and service information through the ostunnel user account and improper GatewayPorts settings. This vulnerability affects Tenable Operation Technology across multiple versions and allows attackers to enumerate underlying system architecture and network configuration without requiring high privileges or complex exploitation. While no CVSS score, EPSS data, or confirmed active exploitation is publicly documented, the information disclosure nature of this vulnerability enables reconnaissance for subsequent targeted attacks.

Information Disclosure Tenable Operation Technology
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-33161 LOW PATCH Monitor

An authorization bypass vulnerability in Craft CMS allows low-privileged authenticated users to extract private asset editing metadata, including focal point data, from assets they do not have permission to view. The vulnerability affects Craft CMS versions prior to 4.17.8 and 5.9.14, where the actionImageEditor endpoint fails to perform per-asset authorization checks before returning sensitive editor context. While no CVSS score or EPSS metric is currently published, this information disclosure vulnerability enables attackers to gain unauthorized insight into restricted asset configurations.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.0%
CVE-2026-33525 LOW PATCH Monitor

A stored cross-site scripting (XSS) vulnerability exists in Authelia version 4.39.15 due to improper neutralization of the language cookie value when rendering HTML templates. This vulnerability only affects users who have deliberately disabled or modified the default Content Security Policy with unsafe directives (such as unsafe-inline scripts or arbitrary domain connections); default installations are completely protected. An attacker could potentially inject malicious JavaScript into the Authelia login page if multiple preconditions are met, including a secondary application vulnerability on the same domain, CSP misconfiguration, and the ability to manipulate cookies.

XSS
NVD GitHub
CVSS 4.0
0.5
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy