Skip to main content
CVE-2026-30533 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30532 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30530 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34205 CRITICAL POC PATCH Act Now

Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-5027 HIGH POC This Week

Arbitrary file write vulnerability in an API endpoint (POST /api/v2/files) enables authenticated remote attackers to overwrite critical system files or place malicious executables in startup directories through unvalidated filename parameters containing path traversal sequences. The vulnerability carries a CVSS score of 8.8 (High) with network-accessible attack vector requiring low-level privileges and no user interaction. No public exploit identified at time of analysis, though the straightforward nature of path traversal exploitation increases risk. Research disclosed by Tenable Security Research (TRA-2026-26).

Path Traversal
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-30531 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to inject arbitrary SQL commands through the unvalidated 'name' parameter in the save_category action of Actions.php. The vulnerability affects the application's category management functionality and enables data exfiltration, modification, or deletion. Publicly available exploit code exists demonstrating the vulnerability, increasing practical exploitation risk despite authentication requirement.

SQLi PHP
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30529 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows authenticated attackers to execute arbitrary SQL commands via the username parameter in Actions.php (save_user action), due to improper input sanitization. Publicly available exploit code exists demonstrating this vulnerability. While CVSS and EPSS scores are unavailable, the authenticated requirement and public POC availability indicate moderate real-world risk for deployments with user account access.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30534 HIGH POC This Week

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to manipulate database queries through the 'id' parameter in admin/manage_category.php, enabling unauthorized data extraction, modification, or deletion. The vulnerability affects the administrative interface and has publicly available exploit code, presenting immediate risk to deployed instances of this e-commerce platform.

PHP SQLi
NVD GitHub
CVSS 3.1
8.3
EPSS
0.0%
CVE-2026-34040 HIGH POC PATCH GHSA This Week

Authorization bypass in Docker Engine (moby) allows API clients to evade AuthZ plugin policy decisions by issuing requests whose body is not forwarded to the plugin, causing it to approve operations it would otherwise deny. This is an incomplete-fix regression of CVE-2024-41110 affecting deployments that rely on AuthZ plugins inspecting request bodies; publicly available exploit code exists but EPSS is 0.01% and SSVC exploitation status is 'none'.

Docker Authentication Bypass
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.0%
CVE-2026-30575 HIGH POC This Week

Inventory depletion in SourceCodester Pharmacy Product Management System 1.0 allows remote attackers to corrupt stock records by submitting negative values through the add-stock.php 'txtqty' parameter, causing the system to decrease inventory instead of increasing it and enabling denial of service via stock exhaustion. Publicly available exploit code exists demonstrating this business logic flaw, and the affected product lacks CVSS severity quantification despite the demonstrated impact on system integrity and availability.

PHP Denial Of Service
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30576 HIGH POC This Week

Pharmacy Product Management System 1.0 fails to validate financial input parameters in the add-stock.php file, permitting attackers to submit negative values for product prices and total costs. This business logic vulnerability corrupts financial records and allows manipulation of inventory asset valuations and procurement cost tracking. Publicly available exploit code exists; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation frequency.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-30574 HIGH POC This Week

SourceCodester Pharmacy Product Management System 1.0 fails to enforce inventory constraints in the add-sales.php module, allowing attackers to create sales transactions for quantities that exceed available stock levels. This business logic flaw enables overselling scenarios where the system processes orders without validating stock availability, potentially leading to negative inventory records and operational disruption. Publicly available exploit code exists demonstrating the vulnerability, though no CVSS scoring or active exploitation via CISA KEV has been confirmed.

PHP Information Disclosure
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-4976 HIGH POC This Week

Buffer overflow in Totolink LR350 router firmware 9.3.5u.6369_B20220309 allows remote authenticated attackers to execute arbitrary code via crafted SSID input to the setWiFiGuestCfg function in /cgi-bin/cstecgi.cgi. The vulnerability has a publicly available exploit code and affects the web management interface. CVSS 7.4 (High) with low attack complexity indicates significant risk, though exploitation requires low-privilege authentication (PR:L). No CISA KEV listing indicates no confirmed widespread exploitation at time of analysis.

Buffer Overflow Lr350
NVD VulDB
CVSS 4.0
7.4
EPSS
0.1%
CVE-2026-4961 HIGH POC This Week

Remote attackers with low-level authentication can execute arbitrary code on Tenda AC6 routers running firmware version 15.03.05.16 by exploiting a stack-based buffer overflow in the formQuickIndex function via crafted PPPOEPassword parameters in POST requests to /goform/QuickIndex. Publicly available exploit code exists, demonstrating practical exploitation of this critical vulnerability with CVSS 8.8 (High severity, network-accessible, low complexity). The vulnerability is tracked as CWE-121 and poses immediate risk to exposed devices.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4960 HIGH POC This Week

Stack-based buffer overflow in Tenda AC6 router firmware version 15.03.05.16 enables authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromWizardHandle function handling POST requests to /goform/WizardHandle, exploitable by manipulating WANT/WANS parameters. Publicly available exploit code exists, demonstrating the attack technique via a detailed proof-of-concept published on Notion. With a CVSS score of 8.8 and low attack complexity, this represents a significant risk to affected devices despite requiring low-privilege authentication.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4906 HIGH POC This Week

Remote attackers with low-level authentication can trigger stack-based buffer overflow in Tenda AC5 router firmware version 15.03.06.47 via the WizardHandle POST request handler, potentially achieving arbitrary code execution with high impact to confidentiality, integrity, and availability. Publicly available exploit code exists, as confirmed by multiple references including a detailed proof-of-concept document on Notion. The CVSS score of 8.8 reflects network-based attack vector with low complexity and no user interaction required, while the temporal score indicates proof-of-concept exploitation capability.

Tenda Buffer Overflow Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-4962 MEDIUM POC This Month

UltraVNC versions up to 1.6.4.0 suffer from an uncontrolled search path vulnerability in version.dll loaded by the Service component, enabling local attackers with low privileges to achieve code execution with elevated privileges through DLL hijacking. Publicly available exploit code exists (Google Drive link in references), and the vendor has not responded to disclosure attempts. While the CVSS score is 7.3, exploitation requires local access, high attack complexity, and is considered difficult to execute, tempering immediate risk for most deployments.

Information Disclosure Ultravnc
NVD VulDB
CVSS 4.0
6.4
EPSS
0.0%
CVE-2026-30567 MEDIUM POC This Month

Reflected XSS in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript via the unvalidated 'limit' parameter in view_product.php. The vulnerability affects the web application without authentication requirements, and publicly available exploit code has been disclosed. While CVSS scoring data is unavailable, the combination of reflected XSS execution context, public POC availability, and lack of input sanitization indicates meaningful risk to deployments of this legacy system.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30569 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_stock_availability.php file's 'limit' parameter that permits remote attackers to inject arbitrary HTML and JavaScript through a crafted URL. Publicly available exploit code has been disclosed via GitHub, enabling attackers without authentication to execute malicious scripts in the context of victim browsers. The vulnerability affects an unspecified version range of the Inventory System application with no CVSS scoring or patch availability data currently confirmed.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30571 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting vulnerability in the view_category.php file where the 'limit' parameter is not sanitized, enabling remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. Publicly available exploit code exists for this vulnerability, affecting the PHP-based Inventory System application. Remote attackers can execute client-side scripts in the context of authenticated user sessions without requiring elevated privileges.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30570 MEDIUM POC This Month

SourceCodester Inventory System 1.0 contains a reflected cross-site scripting (XSS) vulnerability in the view_sales.php file's 'limit' parameter that allows remote attackers to inject arbitrary JavaScript or HTML through a crafted URL. The vulnerability stems from insufficient input sanitization and publicly available exploit code has been disclosed. Authentication requirements are not confirmed from available CVSS data.

PHP XSS
NVD GitHub
CVSS 3.1
6.1
EPSS
0.1%
CVE-2026-30302 CRITICAL Act Now

CodeRider-Kilo's command auto-approval module fails to correctly parse Windows CMD escape sequences (^), allowing attackers to bypass its Git command whitelist and achieve arbitrary remote code execution. The vulnerability exploits a mismatch between the Unix-based shell-quote parser used for validation and the actual Windows CMD interpreter behavior, enabling attackers to inject malicious commands through crafted payloads such as git log ^" & malicious_command ^". No public exploit code or active exploitation has been confirmed at the time of analysis.

RCE Microsoft Command Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-30303 CRITICAL Act Now

A command injection vulnerability in command auto-approval module in Axon Code (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

RCE Command Injection Microsoft
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-33937 CRITICAL PATCH Act Now

Remote code execution in Handlebars.js npm package allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by injecting malicious payloads through crafted AST objects passed to Handlebars.compile(). The vulnerability (CWE-94 code injection) affects applications that accept user-controlled JSON and deserialize it as template input. A detailed proof-of-concept exploit demonstrates command execution via process.getBuiltinModule. Vendor patch is available in version 4.7.9 per GitHub advisory GHSA-2w6w-674q-4c4q. CVSS score 9.8 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-22738 CRITICAL PATCH NEWS GHSA Act Now

Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction according to the CVSS vector (AV:N/AC:L/PR:N/UI:N).

Java RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33976 CRITICAL PATCH Act Now

Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.

XSS RCE Apple Google
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-30304 CRITICAL Act Now

Prompt injection attacks in AI Code's automatic command execution feature allow remote attackers to bypass the model-based safety classification system and achieve arbitrary command execution without user approval. The vulnerability affects AI Code extensions (notably the Claude Dev China variant available on the Visual Studio Code Marketplace) by exploiting the model's susceptibility to crafted prompts that misclassify destructive commands as safe. No public exploit code or confirmed active exploitation has been identified at the time of analysis, but the attack requires no authentication and can be triggered by any user with access to the extension's command execution interface.

RCE
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-4959 MEDIUM POC This Month

OpenBMB XAgent 1.0.0 ShareServer WebSocket endpoint allows remote authentication bypass through manipulation of the interaction_id parameter in the check_user function, enabling unauthenticated attackers to access protected resources with low confidentiality, integrity, and availability impact. Publicly available exploit code exists, the vendor was contacted but did not respond, and active exploitation remains possible.

Authentication Bypass Xagent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-4953 MEDIUM POC This Month

Server-side request forgery in mingSoft MCMS versions through 5.5.0 enables remote unauthenticated attackers to force the application server to make arbitrary HTTP requests to internal or external systems via the catchimage parameter in the Editor Endpoint's catchImage function. Publicly available exploit code exists (GitHub POC published), increasing immediate risk. The CVSS score of 7.3 reflects network-based attack vector with no authentication required and impacts to confidentiality, integrity, and availability.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4908 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the userid parameter in /modstaffinfo.php. Publicly available exploit code exists on GitHub, significantly lowering the barrier to exploitation. The CVSS score of 7.3 reflects network accessibility without authentication requirements (PR:N), though impact is rated as Low across confidentiality, integrity, and availability.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4910 MEDIUM POC This Month

SQL injection in Shenzhen Ruiming Technology Streamax Crocus bis version 1.3.44 allows unauthenticated remote attackers to execute arbitrary SQL commands via the State parameter in the /RemoteFormat.do endpoint. Publicly available exploit code exists, as documented in a Feishu document linked in VulDB disclosure 353661. The vendor was notified but has not responded, leaving users without a vendor-acknowledged remediation path. With a CVSS score of 7.3 and network-accessible attack vector requiring no privileges, this represents a significant risk to exposed systems.

SQLi Streamax Crocus
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-4965 MEDIUM POC This Month

Improper neutralization of directives in dynamically evaluated code within letta-ai letta 0.16.4 allows remote attackers without authentication to manipulate the resolve_type function in letta/functions/ast_parsers.py, resulting in code injection and information disclosure. This vulnerability represents an incomplete fix for CVE-2025-6101, and publicly available exploit code exists that demonstrates remote exploitation with low attack complexity.

Code Injection Information Disclosure Letta
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-30527 MEDIUM POC This Month

Stored XSS in SourceCodester Online Food Ordering System v1.0 allows authenticated administrators to inject malicious JavaScript via the Category Name field in the admin panel, with payloads executing in the browsers of any user viewing the Category list. Publicly available exploit code exists; the vulnerability stems from insufficient input sanitization on a critical administrative function that affects all downstream users who access affected categories.

XSS Online Food Ordering System
NVD GitHub VulDB
CVSS 3.1
5.4
EPSS
0.0%
CVE-2026-33992 CRITICAL PATCH GHSA Act Now

PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.

SSRF Microsoft Python Google
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-1496 CRITICAL PATCH Act Now

Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass Coverity
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33875 CRITICAL PATCH Act Now

Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.

Information Disclosure App Authenticator
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-34202 CRITICAL PATCH GHSA Act Now

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

Denial Of Service Deserialization Code Injection RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-28369 CRITICAL GHSA Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28368 CRITICAL GHSA Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27876 CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection Grafana Enterprise
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28367 CRITICAL GHSA Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34374 CRITICAL Act Now

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

SQLi Avideo
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-33765 HIGH PATCH This Week

Remote code execution with root privileges in Pi-hole Admin Interface versions prior to 6.0 allows unauthenticated attackers to execute arbitrary system commands. The vulnerability stems from unsanitized user input in the 'webtheme' parameter being concatenated directly into sudo-privileged exec() calls in savesettings.php. With CVSS 8.9 (Critical), network-accessible attack vector, and low complexity, this represents a severe compromise risk for Pi-hole deployments exposed to untrusted networks. Proof-of-concept code exists (CVSS E:P metric indicates exploitation proof available).

PHP Command Injection
NVD GitHub
CVSS 4.0
8.9
EPSS
0.6%
CVE-2019-25651 CRITICAL PATCH Act Now

Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.

Authentication Bypass Ubiquiti
NVD VulDB
CVSS 4.0
9.0
EPSS
0.0%
CVE-2026-33890 HIGH PATCH This Week

MyTube versions prior to 1.8.71 allow unauthenticated remote attackers to register arbitrary passkeys and obtain full administrator access without any existing credentials. The vulnerability stems from exposed passkey registration endpoints that lack authentication checks and automatically grant admin tokens to any successfully registered passkey, enabling complete application compromise. Vendor-released patch version 1.8.71 addresses this flaw.

Authentication Bypass Mytube
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-33654 HIGH PATCH This Week

Remote code execution in nanobot personal AI assistant (versions prior to 0.1.6) allows unauthenticated attackers to execute arbitrary LLM instructions and system tools via malicious email content. The vulnerability exploits the email channel processing module's lack of input validation, enabling zero-click, indirect prompt injection attacks without bot owner interaction. Publicly available exploit code exists. With CVSS 8.9 (Critical) and network-accessible attack vector requiring no privileges, this represents a severe security risk for deployed nanobot instances monitoring email.

RCE Code Injection Nanobot
NVD GitHub
CVSS 4.0
8.9
EPSS
0.1%
CVE-2026-33991 HIGH PATCH This Week

SQL injection in WeGIA charitable institution management software allows authenticated remote attackers to execute arbitrary database queries with high impact to confidentiality, integrity, and availability. The vulnerability stems from unsafe use of extract($_REQUEST) combined with unsanitized SQL concatenation in the tag deletion module (deletar_tag.php), affecting all versions prior to 3.6.7. No public exploit identified at time of analysis, with EPSS probability data not available for this recent CVE.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-30568 MEDIUM POC This Month

Reflected cross-site scripting (XSS) in SourceCodester Inventory System 1.0 allows remote attackers to inject arbitrary JavaScript or HTML through an unsanitized 'limit' parameter in the view_purchase.php file. The vulnerability affects unauthenticated users who click a malicious link, enabling session hijacking, credential theft, or malware distribution. Publicly available exploit code exists, elevating practical exploitation risk despite the absence of CVSS scoring data.

PHP XSS
NVD GitHub
CVSS 3.1
4.8
EPSS
0.0%
CVE-2026-27893 HIGH PATCH This Week

Remote code execution is possible in vLLM inference and serving engine versions 0.10.1 through 0.17.x due to hardcoded trust_remote_code=True settings in two model implementation files that override users' explicit --trust-remote-code=False security configuration. Attackers can exploit this by hosting malicious model repositories that execute arbitrary code when loaded by vLLM, even when users have intentionally disabled remote code trust for security. Version 0.18.0 patches this vulnerability, with no public exploit identified at time of analysis and a CVSS score of 8.8 requiring user interaction to trigger.

RCE Vllm
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.0%
CVE-2026-33755 HIGH PATCH This Week

Authenticated SQL injection in Group-Office's JMAP Contact/query endpoint allows any user with basic addressbook permissions to extract database contents, including active session tokens, enabling full account takeover of any user including System Administrators. Affects Group-Office versions before 6.8.158, 25.0.92, and 26.0.17. EPSS exploitation probability is low (0.03%, 9th percentile) with no public exploit or active exploitation confirmed. Despite 8.8 CVSS score, real-world risk depends heavily on whether attackers can obtain valid low-privilege credentials first.

SQLi Microsoft
NVD GitHub
CVSS 3.1
8.8
EPSS
0.0%
Page 1 of 5 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy