Skip to main content
CVE-2026-30532 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL queries through the 'id' parameter in admin/view_product.php, enabling unauthorized database access and potential data exfiltration. The vulnerability affects the administrative interface and publicly available exploit code exists, increasing real-world exploitation risk despite the absence of formal CVSS scoring.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30533 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands through the 'id' parameter in admin/manage_product.php, enabling unauthorized database access and data exfiltration. Publicly available exploit code exists for this vulnerability; however, no CVSS score, EPSS data, or CISA KEV confirmation is available to assess active exploitation at scale.

SQLi PHP
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30530 CRITICAL POC Act Now

SQL injection in SourceCodester Online Food Ordering System v1.0 allows remote attackers to execute arbitrary SQL commands through unsanitized input in the save_customer action's username parameter. The application fails to implement proper input validation or prepared statements, enabling attackers to manipulate database queries directly. Publicly available exploit code exists, and this vulnerability affects the PHP-based web application with no confirmed patch status at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34205 CRITICAL POC PATCH Act Now

Unauthenticated network access to Home Assistant apps bypasses intended Docker isolation on Linux systems, exposing internal services to any device on the local network. Apps configured with host network mode inadvertently bind internal Docker bridge endpoints to the broader LAN without authentication controls, enabling unauthorized access with high confidentiality, integrity, and availability impact (CVSS 9.6). Vendor-released patch available in Home Assistant Supervisor 2026.03.02. No public exploit identified at time of analysis, though exploitation requires only adjacent network access with low attack complexity.

Docker Information Disclosure
NVD GitHub
CVSS 3.1
9.6
EPSS
0.0%
CVE-2026-30302 CRITICAL Act Now

CodeRider-Kilo's command auto-approval module fails to correctly parse Windows CMD escape sequences (^), allowing attackers to bypass its Git command whitelist and achieve arbitrary remote code execution. The vulnerability exploits a mismatch between the Unix-based shell-quote parser used for validation and the actual Windows CMD interpreter behavior, enabling attackers to inject malicious commands through crafted payloads such as git log ^" & malicious_command ^". No public exploit code or active exploitation has been confirmed at the time of analysis.

RCE Microsoft Command Injection
NVD GitHub
CVSS 3.1
10.0
EPSS
0.4%
CVE-2026-30303 CRITICAL Act Now

A command injection vulnerability in command auto-approval module in Axon Code (CVSS 9.8). Critical severity with potential for significant impact on affected systems.

RCE Command Injection Microsoft
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-33937 CRITICAL PATCH Act Now

Remote code execution in Handlebars.js npm package allows unauthenticated attackers to execute arbitrary JavaScript on Node.js servers by injecting malicious payloads through crafted AST objects passed to Handlebars.compile(). The vulnerability (CWE-94 code injection) affects applications that accept user-controlled JSON and deserialize it as template input. A detailed proof-of-concept exploit demonstrates command execution via process.getBuiltinModule. Vendor patch is available in version 4.7.9 per GitHub advisory GHSA-2w6w-674q-4c4q. CVSS score 9.8 (Critical) reflects network-accessible attack requiring no privileges or user interaction.

RCE Code Injection
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-22738 CRITICAL PATCH NEWS GHSA Act Now

Spring AI versions 1.0.0 through 1.0.4 and 1.1.0 through 1.1.3 allow unauthenticated remote code execution through Spring Expression Language (SpEL) injection in the SimpleVectorStore component when user-supplied input is incorporated into filter expression keys. This critical vulnerability (CVSS 9.8) enables attackers to execute arbitrary code without authentication on applications using SimpleVectorStore with untrusted filter input. No public exploit identified at time of analysis, though the attack complexity is low and requires no user interaction according to the CVSS vector (AV:N/AC:L/PR:N/UI:N).

Java RCE
NVD VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33976 CRITICAL PATCH Act Now

Remote code execution via stored XSS in Notesnook Web Clipper affects all platforms prior to version 3.3.11 (Web/Desktop) and 3.3.17 (Android/iOS). Attackers can inject malicious HTML attributes into clipped web content that execute JavaScript in the application's security context when victims open the clip. On Electron desktop builds, unsafe Node.js integration (nodeIntegration: true, contextIsolation: false) escalates this XSS to full RCE with system-level access. CVSS 9.6 (Critical) reflects network-based attack requiring no authentication but user interaction. No public exploit identified at time of analysis, though attack methodology is detailed in vendor advisory.

XSS RCE Apple Google
NVD GitHub VulDB
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-30304 CRITICAL Act Now

Prompt injection attacks in AI Code's automatic command execution feature allow remote attackers to bypass the model-based safety classification system and achieve arbitrary command execution without user approval. The vulnerability affects AI Code extensions (notably the Claude Dev China variant available on the Visual Studio Code Marketplace) by exploiting the model's susceptibility to crafted prompts that misclassify destructive commands as safe. No public exploit code or confirmed active exploitation has been identified at the time of analysis, but the attack requires no authentication and can be triggered by any user with access to the extension's command execution interface.

RCE
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-33992 CRITICAL PATCH GHSA Act Now

PyLoad download manager (version 0.5.0 and potentially earlier, distributed via pip as pyload-ng) allows authenticated users to perform Server-Side Request Forgery attacks by submitting arbitrary URLs through the /api/addPackage endpoint without validation. Attackers with valid credentials can exfiltrate cloud provider metadata from AWS EC2, DigitalOcean, Google Cloud, and Azure instances, exposing IAM credentials, SSH keys, API tokens, and internal network topology. A proof-of-concept demonstration is documented with live instance credentials, and upstream fix available (PR/commit); released patched version not independently confirmed based on GitHub commit reference b76b6d4ee5e32d2118d26afdee1d0a9e57d4bfe8.

SSRF Microsoft Python Google
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-1496 CRITICAL PATCH Act Now

Coverity Connect command-line tooling authentication bypass via /token API endpoint allows remote attackers to assume valid user credentials and privileges without proper authentication when a username is known or guessed. The vulnerability stems from missing error handling in authentication logic, enabling attackers to craft specialized HTTP requests that circumvent normal access controls and grant full role-based privileges of the compromised account. No public exploit code or active exploitation has been confirmed at this time.

Authentication Bypass Coverity
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-33875 CRITICAL PATCH Act Now

Authentication flow hijacking in Gematik Authenticator (versions <4.16.0) enables remote attackers to impersonate victim users through malicious deep links. This affects a critical healthcare identity provider used across Germany's digital health infrastructure. The vulnerability requires user interaction (clicking a crafted link) but requires no attacker authentication (CVSS AV:N/PR:N/UI:R), enabling complete account takeover with high confidentiality and integrity impact. EPSS data not available; no public exploit identified at time of analysis, though the attack vector's social engineering component makes weaponization straightforward once technical details become public.

Information Disclosure App Authenticator
NVD GitHub
CVSS 3.1
9.3
EPSS
0.1%
CVE-2026-34202 CRITICAL PATCH GHSA Act Now

Remote attackers can crash Zebra cryptocurrency nodes (versions <4.3.0) by sending malformed V5 transactions that pass initial deserialization but trigger panics during transaction ID calculation. The vulnerability requires no authentication and can be exploited via a single crafted network message to the P2P port (8233) or through the sendrawtransaction RPC method. No public exploit code has been identified at time of analysis, though the attack mechanism is well-documented in the vendor advisory. EPSS data not available for this CVE.

Denial Of Service Deserialization Code Injection RCE
NVD GitHub
CVSS 4.0
9.2
EPSS
0.2%
CVE-2026-28369 CRITICAL GHSA Act Now

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel for Spring Boot) allows remote unauthenticated attackers to bypass front-end security controls by prepending whitespace to header lines. Undertow strips leading spaces from the first header line in violation of RFC 7230, creating a parser discrepancy between upstream proxies and the application server. No public exploit identified at time of analysis, and EPSS sits at 0.13% (32nd percentile), but the CVSS 9.1 and broad Red Hat middleware exposure make this a high-value target for chained attacks.

Information Disclosure Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28368 CRITICAL GHSA Act Now

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls by exploiting parsing discrepancies between Undertow and upstream proxies when handling crafted header names. The flaw (CWE-444) affects Undertow embedded in multiple Red Hat products including JBoss EAP 7/8, Data Grid 8, Fuse 7, and Apache Camel for Spring Boot 4, with Red Hat issuing patches via RHSA-2026:25125 and RHSA-2026:25126. There is no public exploit identified at time of analysis and EPSS is low (0.10%), but CVSS 9.1 and SSVC 'total' technical impact warrant prompt patching of internet-facing deployments.

Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 Red Hat Build Of Apache Camel Hawtio 4 Red Hat Data Grid 8 +9
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-27876 CRITICAL PATCH Act Now

Remote code execution is achievable in Grafana installations through a chained attack combining SQL Expressions with a Grafana Enterprise plugin, affecting both open-source and Enterprise deployments. The vulnerability requires high-privilege authenticated access (PR:H) but enables cross-scope impact with complete system compromise once exploited. Only instances with the sqlExpressions feature toggle enabled are vulnerable, though Grafana recommends all users update to prevent future exploitation paths using this attack vector. No public exploit identified at time of analysis, and authentication as a high-privilege user is required per CVSS vector.

Grafana RCE Code Injection Grafana Enterprise
NVD VulDB
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-28367 CRITICAL GHSA Act Now

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator, which can desynchronize parsing when Undertow sits behind specific intermediaries such as older Apache Traffic Server or Google Cloud Classic Application Load Balancer. The flaw affects numerous Red Hat distributions of Undertow (JBoss EAP 7/8, Data Grid 8, Fuse 7, Camel for Spring Boot 4, RHEL 8/9/10) and carries a CVSS 9.1, though EPSS is only 0.04% and there is no public exploit identified at time of analysis.

Apache Google Authentication Bypass Request Smuggling Red Hat Build Of Apache Camel For Spring Boot 4 +11
NVD VulDB
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34374 CRITICAL Act Now

SQL injection in WWBN AVideo versions up to 26.0 allows unauthenticated remote attackers to extract sensitive database contents and modify data through the RTMP publish authentication stream key validation mechanism. The vulnerability (CVSS 9.1 Critical) arises from unsanitized string interpolation in Live_schedule::keyExists() fallback logic, affecting the open-source video platform's live streaming infrastructure. No vendor-released patch identified at time of analysis, and no public exploit identified at time of analysis.

SQLi Avideo
NVD GitHub
CVSS 3.1
9.1
EPSS
0.0%
CVE-2019-25651 CRITICAL PATCH Act Now

Adjacent attackers can decrypt device-to-controller traffic in Ubiquiti UniFi Network deployments and gain unauthorized control of network infrastructure by exploiting cryptographic weaknesses in AES-CBC implementation. Affected products include UniFi Network Controller (pre-5.10.12), UAP access points (pre-4.0.6/3.8.17 depending on model), UniFi switches (pre-4.0.6), and UniFi gateways (pre-4.4.34). While EPSS risk is minimal at 0.01% and no active exploitation is confirmed (SSVC: exploitation=none), the vulnerability enables complete compromise of network device management once sufficient traffic is captured, warranting attention in environments where adjacent network access is plausible.

Authentication Bypass Ubiquiti
NVD VulDB
CVSS 4.0
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy