Skip to main content
CVE-2026-5251 LOW POC Monitor

Privilege escalation in z-9527 admin 1.0/2.0 allows authenticated users to manipulate the isAdmin parameter in the User Update Endpoint (/server/routes/user.js) to gain administrative privileges through dynamically-determined object attributes. The vulnerability requires network access and valid credentials (PR:L per CVSS vector) but no user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving all versions in the 1.x and 2.x branches unpatched.

Information Disclosure Admin
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5248 LOW POC Monitor

Authenticated remote code execution via mass assignment in GougoCMS 4.08.18 User Registration Handler allows attackers with valid credentials to manipulate the 'level' parameter during registration, exploiting dynamically-determined object attributes to escalate privileges or modify sensitive user properties. The vulnerability affects the reg_submit function in Login.php and has publicly available exploit code; however, the vendor has not responded to early disclosure notification.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5259 LOW POC Monitor

Server-side request forgery in AutohomeCorp frostmourne up to version 1.0 allows authenticated remote attackers to manipulate the Alarm Preview component via an unknown function in AlarmController.java, enabling arbitrary HTTP requests from the vulnerable server with potential to access internal resources, leak sensitive data, or interact with backend systems. Publicly available exploit code exists; CVSS 6.3 reflects moderate severity with low attack complexity and limited impact scope.

SSRF Java
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5314 LOW POC Monitor

Out-of-bounds read in Nothings stb library up to version 1.26 allows remote attackers to trigger information disclosure via a crafted TTF file processed by the stbtt_InitFont_internal function in stb_truetype.h. Exploitation requires user interaction (opening a malicious font file) and publicly available exploit code exists; however, the vendor has not responded to early disclosure notification.

Information Disclosure Buffer Overflow Stb
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5255 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the userid parameter in /delstaffinfo.php, with public exploit code available. The vulnerability requires user interaction (clicking a crafted link) and has low confidentiality impact but can enable session hijacking, credential theft, or malware distribution.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5253 LOW POC Monitor

Stored cross-site scripting (XSS) in bufanyun HotGo 1.0/2.0 allows authenticated remote attackers to inject malicious scripts via the editNotice endpoint in the MessageList.vue component, affecting the application's message handling functionality. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (3.5) due to limited attack complexity and minimal impact scope. The vendor has not responded to early disclosure attempts.

XSS Hotgo
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5249 LOW POC Monitor

Stored cross-site scripting (XSS) in GouguCMS 4.08.18 allows authenticated remote attackers to inject malicious scripts via the value.content parameter in the Record Endpoint (\gougucms-master\app\admin\view\user\record.html), which are executed in the context of other users' browsers. The vulnerability has a publicly available exploit and affects user record management functionality with low CVSS score (3.5) due to requirement for user interaction and authenticated access, though the vendor has not responded to disclosure.

XSS Gougucms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5252 LOW POC Monitor

Stored cross-site scripting (XSS) in z-9527 admin 1.0 and 2.0 allows authenticated remote attackers to inject malicious scripts via the Message Create Endpoint (/server/routes/message.js), affecting message content with user interaction required. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts, leaving affected installations without an official patch.

XSS Admin
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5254 LOW POC Monitor

Stored cross-site scripting (XSS) in welovemedia FFmate up to version 2.0.15 allows authenticated remote attackers to inject malicious scripts via the Webhook Handler component's AppJsonTreeView.vue file. The vulnerability requires user interaction to trigger payload execution and has been publicly disclosed with exploit code available on GitHub. The vendor has not responded to early disclosure notifications, leaving users without an official patch.

XSS Ffmate
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5310 LOW POC PATCH Monitor

Iperius Backup versions up to 8.7.2 use a hard-coded cryptographic key for IperiusAccounts.ini file encryption, allowing local authenticated attackers with low privileges to decrypt stored credentials and extract sensitive account information. The vulnerability requires high attack complexity and local access, resulting in a CVSS 2.0 score with low confidentiality impact; a publicly available proof-of-concept exploit exists, and vendor-released patch version 8.7.4 fixes the issue.

Information Disclosure Iperius Backup
NVD VulDB GitHub
CVSS 4.0
1.1
EPSS
0.0%
CVE-2025-67806 LOW Monitor

Sage DPW versions before 2021_06_000 leak valid username existence through differential login response timing and messaging, enabling account enumeration without authentication. The vulnerability has a low CVSS score (3.7) reflecting limited confidentiality impact and high attack complexity, though it reduces the security barrier for subsequent targeted attacks against known valid accounts. No active exploitation has been confirmed.

Information Disclosure
NVD
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-35094 LOW Monitor

Libinput versions prior to 1.26.0 contain a dangling pointer vulnerability in Lua plugin garbage collection that allows local authenticated attackers to read sensitive data from system logs, requiring the ability to deploy malicious Lua plugin files to system directories and Lua plugin support to be enabled in the compositor. The vulnerability has a CVSS score of 3.3 (low severity) with confirmed patch availability, and poses minimal real-world risk due to high prerequisites including local file write access and plugin enablement.

Information Disclosure Libinput Fedora
NVD VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-2475 LOW PATCH Monitor

Open redirect vulnerability in IBM Verify Identity Access Container versions 11.0-11.0.2 and 10.0-10.0.9.1, and IBM Security Verify Access Container and non-container variants across the same version ranges, enables remote phishing attacks via specially crafted requests that redirect users to arbitrary websites. The attack requires user interaction (UI:R) and unusual network or exploitation circumstances (AC:H), limiting real-world impact; no public exploit code or confirmed active exploitation has been identified.

IBM Open Redirect
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-34520 LOW PATCH GHSA Monitor

AIOHTTP's C parser accepts null bytes and control characters in HTTP response headers prior to version 3.13.4, allowing remote attackers to inject malformed headers that bypass validation and cause information disclosure. This vulnerability affects all versions before 3.13.4 and has been patched upstream; exploitation requires no authentication or user interaction but results in limited integrity impact to response headers rather than confidentiality breach.

Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34519 LOW PATCH GHSA Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows remote attackers to inject arbitrary HTTP headers or conduct similar exploits by controlling the reason parameter when creating a Response object. The vulnerability has low real-world impact (CVSS 2.7, EPSS not available) and requires the attacker to control application-level input that directly influences the reason parameter; no public exploit code or active exploitation has been identified. A vendor-released patch is available in version 3.13.4.

Python Code Injection
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34514 LOW PATCH GHSA Monitor

Header injection in AIOHTTP prior to version 3.13.4 allows unauthenticated remote attackers to inject arbitrary headers by controlling the content_type parameter, potentially enabling HTTP response splitting or cache poisoning attacks. The vulnerability has a low CVSS score (2.7) reflecting limited integrity impact, but affects all versions before the patched release 3.13.4.

Python Code Injection
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34518 LOW PATCH GHSA Monitor

AIOHTTP prior to version 3.13.4 leaks sensitive authentication credentials across origin boundaries during HTTP redirects by failing to drop Cookie and Proxy-Authorization headers while inconsistently removing the Authorization header. This information disclosure vulnerability affects all Python applications using vulnerable AIOHTTP versions when following cross-origin redirects, potentially exposing session tokens and proxy credentials to untrusted origins. No public exploit code or active exploitation has been identified, and the EPSS score of 2.7 indicates low exploitation probability despite the low CVSS score reflecting confidentiality impact.

Python Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34517 LOW PATCH GHSA Monitor

Aiohttp prior to version 3.13.4 allocates entire multipart form fields into memory before validating against the client_max_size limit, enabling unauthenticated remote attackers to cause denial of service through memory exhaustion. The vulnerability affects all versions before 3.13.4 and carries a low CVSS score (2.7) reflecting limited availability impact, with no public exploit code or active exploitation confirmed at time of analysis.

Python Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34513 LOW PATCH GHSA Monitor

Unbounded DNS cache in AIOHTTP prior to version 3.13.4 allows remote attackers to cause denial of service through excessive memory consumption. An attacker can trigger repeated DNS lookups with unique hostnames to grow the in-memory cache without bounds, eventually exhausting available system memory. AIOHTTP 3.13.4 and later include a patch that implements cache limits. This is a network-accessible vulnerability requiring no authentication or user interaction, but exploitation requires deliberate attack traffic and does not result in data compromise or system takeover.

Python Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34762 LOW PATCH GHSA Monitor

{imsi} endpoint, allowing authenticated NetworkManagers to modify any subscriber's QoS policy while spoofing audit trail entries. This authentication-required vulnerability (PR:H per CVSS) creates forensic evasion-the audit log attributes changes to fabricated or unrelated subscriber identifiers, preventing post-incident investigation of the actual affected subscriber. CVSS 2.7 reflects the limited scope (no confidentiality impact, low integrity impact, no availability impact), though the audit trail manipulation represents meaningful security degradation for compliance and incident response.

Information Disclosure
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2025-66487 LOW PATCH Monitor

IBM Aspera Shares 1.9.9 through 1.11.0 lacks proper rate limiting on authenticated user email submissions, allowing high-privilege users to trigger email flooding or denial of service conditions. The vulnerability requires authentication at the admin or high-privilege level and results in service availability degradation rather than data compromise. EPSS exploitation probability is low (2.7 CVSS, high privilege requirement), and no public exploit code or active exploitation has been identified at time of analysis.

IBM Denial Of Service
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-34969 LOW PATCH GHSA Monitor

Nhost auth service exposes OAuth refresh tokens in redirect URL query parameters, allowing access to browser history, server logs, and proxy logs on owned infrastructure. While refresh tokens are single-use and leak vectors are primarily confined to developer-controlled systems, the vulnerability violates RFC 6749 token transport requirements and enables session hijacking if logs are accessed before the token is legitimately consumed. All OAuth providers (GitHub, Google, Apple) are affected equally through the same vulnerable callback handler.

Information Disclosure Apple Microsoft Google
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-5199 LOW PATCH Monitor

Temporal Server versions 1.29.0 through 1.30.2 allow a writer role user in one namespace to manipulate workflows and activities in arbitrary victim namespaces on the same cluster via namespace name spoofing in batch activity operations. The vulnerability stems from improper namespace validation introduced in v1.29.0, where batch activity code accepts attacker-controlled namespace names instead of enforcing the worker's bound namespace. Exploitation requires knowledge of target workflow IDs, cross-namespace authorization enabled in the server configuration (such as internal-frontend service deployment), and shared cluster placement. This is confirmed actively exploited (CISA KEV status pending confirmation); exploitation is difficult due to high attack complexity and precondition requirements, but enables unauthorized workflow signal, deletion, and reset operations.

Authentication Bypass Temporal
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-1879 LOW Monitor

Unrestricted file upload in Harvard IQSS Dataverse versions up to 6.8 allows authenticated users to bypass theme customization controls via manipulation of the uploadLogo parameter in /ThemeAndWidgets.xhtml, enabling arbitrary file upload with low confidentiality, integrity, and availability impact. The vulnerability is publicly exploitable with proof-of-concept code available; CVSS 5.3 reflects the authenticated attack vector and limited scope, though the ease of exploitation (Attack Complexity Low, Exploitation proven) combined with public POC increases practical risk. Vendor released patched version 6.10 and responded swiftly to early disclosure.

File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5240 LOW Monitor

Stored cross-site scripting (XSS) in code-projects BloodBank Managing System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the statename parameter in /admin_state.php, affecting user sessions and administrative functions with user interaction required. The vulnerability carries a CVSS score of 5.3 (medium severity) with low integrity impact, and publicly available exploit code exists according to disclosed documentation.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5313 LOW PATCH Monitor

Denial of service vulnerability in Nothings stb image library (stb_image.h) affecting GIF decoder function stbi__gif_load_next allows remote attackers to trigger application crashes through specially crafted GIF files. The vulnerability impacts stb versions up to 2.30, requires user interaction to open a malicious GIF, and has publicly available exploit code with no vendor patch available despite early disclosure.

Denial Of Service Stb
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy