Skip to main content
CVE-2026-3300 CRITICAL POC Act Now

Remote code execution in Everest Forms Pro plugin for WordPress ≤1.9.12 allows unauthenticated attackers to execute arbitrary PHP code on the server via the Complex Calculation feature. Attackers can inject malicious PHP through any string-type form field (text, email, URL, select, radio) due to unsafe concatenation into eval() without proper escaping. This vulnerability carries a 9.8 CVSS score with maximum impact (confidentiality, integrity, availability) and requires no authentication or user interaction, representing a critical immediate threat to all installations using the affected plugin versions.

WordPress PHP RCE Code Injection
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-4800 CRITICAL POC PATCH NEWS GHSA Act Now

Server-side code injection in Lodash's _.template function (lodash, lodash-es, lodash-amd and lodash.template, versions 4.0.0 to <4.18.0) lets an attacker execute arbitrary JavaScript at template-compilation time when an application passes untrusted input as options.imports key names. This is an incomplete-fix follow-on to CVE-2021-23337/GHSA-35jh-r3h4-6jhm: the original patch validated the variable option but left the imports key path flowing unchecked into the same Function() sink, and assignInWith's for..in merge also pulls in any prototype-polluted keys. Publicly available exploit code exists, but EPSS is only 0.07% (21st percentile) and CISA SSVC rates exploitation as none, reflecting that the dangerous pattern is uncommon in real deployments.

Code Injection RCE Lodash Lodash Es Lodash Amd +1
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-33579 CRITICAL POC PATCH GHSA Act Now

Privilege escalation in OpenClaw (pre-2026.3.28) allows unauthenticated remote attackers to gain administrative access by exploiting missing scope validation in the device pairing approval workflow. The /pair approve command fails to forward caller scopes during approval checks, enabling attackers with basic pairing privileges-or potentially no privileges given the CVSS PR:N vector-to approve device requests with elevated admin scopes. EPSS data not available; no public exploit identified at time of analysis, though the CVSS 9.8 reflects trivial exploitation due to network accessibility, low complexity, and no authentication barrier. Vendor-released patch: commit e403dec (2026.3.28+).

Privilege Escalation Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.0%
CVE-2026-1579 CRITICAL CISA NEWS Emergency

Unauthenticated remote code execution in PX4 Autopilot via MAVLink protocol allows network attackers to execute arbitrary commands through SERIAL_CONTROL messages when message signing is disabled. The MAVLink 2.0 protocol in PX4 accepts unsigned messages by default, enabling any party with network access to the MAVLink interface to send interactive shell commands without cryptographic authentication. EPSS data not provided; no KEV status confirmed; reported by ICS-CERT indicating potential operational technology impact.

Authentication Bypass Autopilot
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-3356 CRITICAL CISA NEWS Emergency

Anritsu MS27100A/MS27101A/MS27102A/MS27103A Remote Spectrum Monitors contain a design-level authentication bypass allowing unauthenticated remote attackers to fully access and manipulate the management interface. This is not a configuration weakness but an inherent architectural flaw (CWE-306: Missing Authentication) with CVSS 9.3 critical severity. No public exploit identified at time of analysis, but trivial exploitation is expected given the complete absence of authentication mechanisms. ICS-CERT advisory confirms the vulnerability affects operational technology environments.

Authentication Bypass Remote Spectrum Monitor Ms27100A Remote Spectrum Monitor Ms27101A Remote Spectrum Monitor Ms27102A Remote Spectrum Monitor Ms27103A
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-32871 CRITICAL PATCH GHSA Act Now

Server-Side Request Forgery (SSRF) in FastMCP's OpenAPIProvider allows authenticated attackers to access arbitrary backend endpoints through path traversal injection in OpenAPI path parameters. The vulnerability arises from improper URL encoding in the RequestDirector._build_url() method, enabling attackers to escape intended API prefixes using '../' sequences and reach internal administrative or sensitive endpoints while inheriting the MCP provider's authentication context. This affects the fastmcp Python package and enables privilege escalation beyond the OpenAPI specification's intended API surface. No public exploit identified at time of analysis, though detailed proof-of-concept code exists in the GitHub advisory demonstrating traversal to /admin endpoints.

SSRF Path Traversal Authentication Bypass Privilege Escalation Python
NVD GitHub VulDB
CVSS 4.0
10.0
EPSS
0.3%
CVE-2026-34162 CRITICAL PATCH Act Now

Unauthenticated HTTP proxy abuse in FastGPT (AI Agent platform) prior to v4.14.9.5 allows remote attackers to relay arbitrary HTTP requests through the server. The /api/core/app/httpTools/runTool endpoint accepts user-controlled URLs, methods, headers, and body parameters without authentication, functioning as an open proxy for network pivoting, credential theft, and internal network reconnaissance. CVSS 10.0 (Critical) with network attack vector and no privileges required. No public exploit identified at time of analysis, though exploitation is trivial given the exposed endpoint design. EPSS data not available.

Authentication Bypass Fastgpt
NVD GitHub VulDB
CVSS 3.1
10.0
EPSS
0.1%
CVE-2026-30312 CRITICAL Act Now

Remote code execution in DSAI-Cline's command auto-approval module allows unauthenticated attackers to bypass whitelist validation by embedding literal newline characters within command payloads, forcing the system to execute arbitrary OS commands without user interaction. The vulnerability exploits ineffective string-based parsing that fails to sanitize newline separators, enabling attackers to chain whitelisted commands (e.g., git log) with malicious code that PowerShell interprets as sequential commands. No CVSS score, EPSS data, or KEV confirmation available; exploitation status and real-world impact remain unconfirmed.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-30314 CRITICAL Act Now

Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist security controls via shell command substitution syntax (e.g., $(...) or backticks) embedded in command arguments. The vulnerability stems from insufficient regular expression validation that fails to detect command injection payloads, permitting an attacker to execute arbitrary OS commands with automatic approval. No user interaction is required; a crafted command such as git log --grep="$(malicious_command)" will be misidentified as safe and executed by the underlying shell, resulting in remote code execution.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-30311 CRITICAL Act Now

Remote code execution in Ridvay Code's command auto-approval module allows unauthenticated attackers to bypass whitelist protections via shell command substitution syntax ($(…) and backticks) embedded in seemingly benign git commands, achieving code execution without user interaction. The vulnerability exploits inadequate regular expression validation that fails to detect shell metacharacters in command arguments, enabling attackers to inject arbitrary commands that execute with the privileges of the Ridvay Code process.

RCE Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-32714 CRITICAL PATCH GHSA Act Now

SQL injection in SciTokens Python library allows unauthenticated remote code execution against the local SQLite database. The KeyCache class improperly uses str.format() to construct SQL queries with attacker-controlled issuer and key_id parameters, enabling arbitrary SQL command execution. Affects all versions prior to 1.9.6. CVSS 9.8 (Critical) with network attack vector, low complexity, and no privileges required. No CISA KEV listing indicates no confirmed active exploitation at time of analysis, though the straightforward nature of SQL injection and public patch details increase exploitation risk.

Python SQLi
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30286 CRITICAL Act Now

Arbitrary file overwrite in Funambol Zefiro Cloud v32.0.2026011614 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or information disclosure. The vulnerability affects the cloud application and its associated mobile client. No CVSS score or official vendor patch has been assigned as of analysis time, though the reported impact (RCE/information exposure) is severe.

Path Traversal RCE Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30281 CRITICAL Act Now

Arbitrary file overwrite in MaruNuri LLC v2.0.23 allows remote attackers to overwrite critical internal files during the file import process, enabling arbitrary code execution or information exposure. No CVSS score, exploit code availability, or active exploitation status is documented in available sources.

RCE Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30283 CRITICAL Act Now

Arbitrary file overwrite in PEAKSEL D.O.O. NIS Animal Sounds and Ringtones v1.3.0 allows attackers to overwrite critical internal files during the file import process, enabling remote code execution or sensitive information exposure. The vulnerability affects the application's import functionality without requiring authentication. No public exploit code or active exploitation has been independently confirmed at the time of analysis.

Path Traversal RCE Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30276 CRITICAL Act Now

Arbitrary file overwrite in DeftPDF Document Translator v54.0 permits attackers to overwrite critical internal files through the file import mechanism, potentially enabling remote code execution or sensitive information exposure. The vulnerability affects DeftPDF Document Translator specifically at version 54.0 and is documented by academic researchers at Fudan University's security systems group. Attack complexity and authentication requirements cannot be definitively assessed due to missing CVSS vector data, though the file import process suggests user interaction may be required.

RCE Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30278 CRITICAL Act Now

Arbitrary file overwrite in FLY is FUN Aviation Navigation v35.33 permits attackers to overwrite critical internal files through the file import process, enabling remote code execution or information disclosure. No CVSS score, CVE severity classification, or patch status has been established. The vulnerability affects a niche aviation navigation software product with limited public disclosure.

Path Traversal RCE Information Disclosure N A
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30285 CRITICAL Act Now

Arbitrary file overwrite in Zora: Post, Trade, Earn Crypto v2.60.0 enables attackers to overwrite critical internal files through the file import process, resulting in remote code execution or information exposure. The vulnerability affects the cryptocurrency trading application's file handling mechanism, allowing unauthenticated remote attackers to inject malicious content into system-critical files. No active exploitation has been confirmed at time of analysis, though the attack vector and impact severity warrant immediate investigation by affected users.

Path Traversal RCE Information Disclosure
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-30310 CRITICAL Act Now

Prompt injection attacks in Sixth's automatic terminal command execution feature bypass the model-based safety classification system, allowing attackers to execute arbitrary commands without user approval by wrapping malicious payloads in templates that mislead the AI into treating them as safe operations.

Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-34449 CRITICAL PATCH GHSA Act Now

Remote code execution in SiYuan desktop application (versions prior to 3.6.2) allows unauthenticated remote attackers to execute arbitrary code with full operating system privileges through CORS misconfiguration. A malicious website can inject JavaScript into the Electron-based application's Node.js context via the permissive API (Access-Control-Allow-Origin: * with Access-Control-Allow-Private-Network: true), which executes with OS-level access when the user next opens SiYuan's interface. No public exploit identified at time of analysis, though CVSS 9.6 (Critical) reflects network-accessible attack vector with low complexity requiring only user interaction (visiting malicious site while SiYuan runs). EPSS data not provided, but the combination of Electron framework exploitation, RCE impact, and trivial attack complexity suggests elevated real-world risk for desktop users.

RCE Cors Misconfiguration Node.js
NVD GitHub
CVSS 3.1
9.6
EPSS
0.1%
CVE-2026-34406 CRITICAL PATCH Act Now

Privilege escalation in APTRS (Automated Penetration Testing Reporting System) prior to version 2.0.1 allows any user to escalate their own account or modify any other user account to superuser status by submitting a crafted POST request to /api/auth/edituser/<pk> with an is_superuser field set to true. The CustomUserSerializer fails to mark is_superuser as read-only despite including it in serializer fields, and the edit_user view lacks validation to prevent non-superusers from modifying this critical field. No public exploit code or active exploitation has been identified at time of analysis, but the vulnerability is trivial to exploit given basic HTTP client access to the endpoint.

Python Privilege Escalation
NVD GitHub
CVSS 4.0
9.4
EPSS
0.1%
CVE-2026-3106 CRITICAL PATCH Act Now

Blind Cross-Site Scripting in Teampass password manager versions prior to 3.1.5.16 allows unauthenticated remote attackers to execute arbitrary JavaScript in administrator browsers via malicious username input during failed login attempts. The vulnerability achieves high confidentiality and integrity impact (CVSS 9.3) because malicious code is stored and automatically executed when administrators review failed authentication logs, enabling potential session hijacking, credential theft, or administrative account compromise. No active exploitation confirmed via CISA KEV, though the attack requires no authentication and minimal complexity.

XSS PHP
NVD
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-4317 CRITICAL PATCH Act Now

SQL injection in Umami Software's web analytics application allows authenticated attackers with low privileges to execute arbitrary SQL commands via unsanitized timezone parameter. The vulnerability affects raw query implementations (prisma.rawQuery, $queryRawUnsafe, ClickHouse raw queries) with CVSS 9.3 severity. Successful exploitation enables database compromise and execution of dangerous functions. Patch available per vendor advisory; no public exploit identified at time of analysis, though the straightforward attack vector (network-accessible, low complexity, low privileges required) presents significant risk for deployments with untrusted authenticated users.

SQLi Umami Software
NVD VulDB
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-3107 CRITICAL PATCH Act Now

Stored cross-site scripting in Teampass password manager versions before 3.1.5.16 enables unauthenticated remote attackers to inject malicious JavaScript through the password import functionality, achieving persistent code execution in victims' browsers including administrators. CVSS 9.3 (Critical) with EPSS data unavailable, no KEV listing, and patch available per vendor advisory. Attack requires no authentication (PR:N) and low complexity (AC:L), creating significant risk for organizational password compromise and lateral movement.

XSS PHP
NVD
CVSS 4.0
9.3
EPSS
0.0%
CVE-2026-32917 CRITICAL PATCH Act Now

Remote command injection in OpenClaw's iMessage attachment staging mechanism (versions prior to 2026.3.13) allows unauthenticated network attackers to execute arbitrary commands on configured remote hosts via malicious attachment paths. The critical flaw stems from unsanitized shell metacharacters passed directly to SCP operations, achieving full system compromise (CVSS 9.8) when remote attachment staging is enabled. EPSS data and KEV status not provided; publicly available exploit code exists (GitHub commit demonstrates the fix, implying POC-level understanding in security community).

Command Injection Openclaw
NVD GitHub
CVSS 4.0
9.2
EPSS
0.5%
CVE-2026-30880 CRITICAL PATCH GHSA Act Now

OS command injection in baserCMS installer prior to version 5.2.3 allows remote attackers to execute arbitrary system commands during the installation process. The vulnerability exists in the installer component and has been patched in version 5.2.3. Attack complexity appears low given the installer context, though CVSS metrics are unavailable for detailed severity assessment.

Command Injection Basercms
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-32916 CRITICAL PATCH GHSA Act Now

Authorization bypass in OpenClaw 2026.3.7 through 2026.3.10 enables remote unauthenticated attackers to execute privileged gateway operations through plugin subagent routes. The vulnerability exploits synthetic operator clients with excessive administrative scopes, allowing attackers to delete sessions and execute agent commands without authentication. CVSS 7.7 (High) with network attack vector but high complexity (AC:H). No public exploit identified at time of analysis, though technical details are available via GitHub security advisory and VulnCheck analysis.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
9.2
EPSS
0.1%
CVE-2026-30877 CRITICAL PATCH GHSA Act Now

OS command injection in baserCMS update functionality allows authenticated administrators to execute arbitrary commands on the server with application privileges. Affects baserCMS versions prior to 5.2.3. Vendor-released patch available in version 5.2.3. CVSS 9.1 reflects high impact with changed scope, though exploitation requires high-privilege administrator access (PR:H). No public exploit identified at time of analysis. EPSS data not provided, but attack complexity is low (AC:L) once admin credentials are obtained.

Command Injection Basercms
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-21861 CRITICAL PATCH GHSA Act Now

OS command injection in baserCMS core update functionality allows authenticated administrators to execute arbitrary system commands on the server. The vulnerability affects baserCMS versions prior to 5.2.3, stemming from improper sanitization of user-controlled input passed directly to exec() functions. With CVSS 9.1 (Critical) due to network accessibility, low complexity, and cross-scope impact, this represents a severe risk in multi-tenant or managed hosting environments where administrative boundaries must be enforced. EPSS data not available, no CISA KEV listing confirmed, and authentication requirements (PR:H) limit exploit surface to compromised or malicious administrator accounts.

Command Injection Basercms
NVD GitHub VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-34532 CRITICAL PATCH GHSA Act Now

Parse Server Cloud Function validator bypass allows unauthenticated remote attackers to execute protected server-side functions by exploiting prototype chain traversal. Attackers append 'prototype.constructor' to Cloud Function URLs to circumvent access controls (requireUser, requireMaster, custom validators), enabling unauthorized execution of backend business logic. Affects Parse Server versions prior to 8.6.67 and 9.7.0-alpha.11. No public exploit identified at time of analysis, though the attack vector is network-accessible with low complexity (CVSS:4.0 AV:N/AC:L/PR:N). The vulnerability stems from inconsistent prototype chain resolution between handler and validator stores (CWE-863: Incorrect Authorization).

Node.js Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
9.1
EPSS
0.0%
CVE-2025-15618 CRITICAL Act Now

Business::OnlinePayment::StoredTransaction through version 0.01 uses cryptographically weak secret key generation based on MD5 hashing of a single rand() call, exposing encrypted credit card transaction data to key recovery attacks. The vulnerability affects Perl module users who rely on this library for payment processing, allowing attackers to potentially decrypt stored transaction records. No CVSS score was assigned, but the direct compromise of payment card encryption represents critical risk to financial data confidentiality.

Information Disclosure Business
NVD
CVSS 3.1
9.1
EPSS
0.0%
CVE-2026-34448 CRITICAL PATCH GHSA Act Now

Stored cross-site scripting (XSS) in SiYuan personal knowledge management system escalates to arbitrary operating system command execution on desktop clients. Authenticated attackers with low privileges can inject malicious URLs into Attribute View asset fields that execute JavaScript when victims view Gallery or Kanban layouts with "Cover From -> Asset Field" enabled. The Electron desktop client's configuration (nodeIntegration enabled, contextIsolation disabled) allows the XSS payload to break sandbox boundaries and execute arbitrary commands under the victim's OS account. CVSS 9.0 (Critical) with network attack vector, low complexity, and cross-scope impact. Vendor-released patch: version 3.6.2. No public exploit identified at time of analysis, though technical details are disclosed in GitHub advisory GHSA-rx4h-526q-4458.

XSS Command Injection Siyuan
NVD GitHub
CVSS 3.1
9.0
EPSS
0.0%
CVE-2026-30282 CRITICAL Act Now

Arbitrary file overwrite in UXGROUP LLC Cast to TV Screen Mirroring v2.2.77 enables remote attackers to overwrite critical application files through a malicious file import process, resulting in remote code execution or information disclosure. No CVSS score, exploit code availability, or active exploitation status confirmed from available data.

Path Traversal RCE Information Disclosure N A
NVD GitHub VulDB
CVSS 3.1
9.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy