Skip to main content
CVE-2026-5472 LOW POC Monitor

Unrestricted file upload in ProjectsAndPrograms School Management System up to commit 6b6fae5426044f89c08d0dd101c7fa71f9042a59 allows authenticated users to upload arbitrary files via the Profile Picture Handler in /admin_panel/settings.php, enabling remote code execution. The vulnerability affects the File parameter with low attack complexity and has publicly available exploit code; while CVSS 5.3 reflects moderate integrity and confidentiality impact, the low authentication requirement and network accessibility make this a practical privilege escalation and code execution vector for authenticated attackers.

File Upload PHP Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5470 LOW POC Monitor

Server-side request forgery in mixelpixx Google-Research-MCP allows authenticated remote attackers to craft malicious URLs passed to the extractContent function, enabling them to make arbitrary HTTP requests from the affected server. The vulnerability affects the Model Context Protocol Handler component, has a publicly available exploit, and receives a CVSS 5.3 score with moderate exploitation likelihood. The vendor has not responded to disclosure attempts, and the project uses rolling releases, making patch tracking difficult.

Google SSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5471 LOW POC Monitor

Hard-coded cryptographic key exposure in Investory Toy Planet Trouble App up to version 1.5.5 on Android allows local attackers with limited privileges to access the Firebase API key embedded in the assets/google-services-desktop.json file, potentially enabling unauthorized authentication and data access. The vulnerability has a CVSS score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists.

Google Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5462 LOW POC Monitor

Wahoo Fitness SYSTM App on Android up to version 7.2.1 exposes a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to manipulate app arguments and potentially inject malicious data or alter user profiles. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and has publicly available exploit code; however, the vendor has not responded to early disclosure notifications.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5458 LOW POC Monitor

Noelse Individuals & Pro App for Android versions up to 2.1.7 uses a hard-coded cryptographic key (SEGMENT_WRITE_KEY) in the BuildConfig.java component, allowing local authenticated attackers to perform information disclosure and potential data injection attacks. The vulnerability requires local access and authenticated user privileges on the device, with publicly available exploit code demonstrating the attack. Despite early vendor notification, no patch or response has been provided.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5457 LOW POC Monitor

PropertyGuru AgentNet Singapore App versions up to 23.7.10 on Android expose hard-coded cryptographic keys (SEGMENT_ANDROID_WRITE_KEY and SEGMENT_TOS_WRITE_KEY) in the BuildConfig component, allowing local authenticated attackers to conduct information disclosure and data injection attacks. The vulnerability carries a CVSS score of 1.9 with low confidentiality impact, requires local access and authenticated privileges, and publicly available exploit code exists; however, the vendor has not responded to early disclosure efforts.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5456 LOW POC Monitor

Align Technology My Invisalign App 3.12.4 on Android exposes a hard-coded cryptographic key in the BuildConfig.java component that can be extracted via manipulation of the CDAACCESS_TOKEN argument, allowing local attackers with limited user privileges to obtain sensitive credentials. The vulnerability carries a low CVSS score (1.9) due to local-only attack vector and minimal confidentiality impact, but publicly available exploit code exists and the vendor has not responded to disclosure attempts.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5454 LOW POC Monitor

GRID Organiser App versions 1.0.0 through 1.0.5 on Android expose a hard-coded cryptographic key used for the SegmentWriteKey parameter in the res/raw/app.json component file, enabling local attackers with user-level privileges to manipulate argument values and potentially perform data injection and user profile manipulation. The vulnerability has a CVSS v4.0 score of 1.9 with low confidentiality impact, requires local access and low privileges, and publicly available exploit code exists, though active exploitation has not been confirmed by CISA.

Google Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5453 LOW POC Monitor

Hard-coded cryptographic key in Rico's Só Vantagem Pra Investir Android app (version 4.58.32.12421 and earlier) allows local authenticated attackers to manipulate the SEGMENT_WRITE_KEY argument in br/com/rico/mobile/di/SegmentSettingsModule.java, enabling unauthorized data injection and user profile manipulation with low confidentiality impact. The vulnerability requires local access and authenticated privileges; publicly available exploit code exists, but the vendor has not responded to disclosure.

Google Java Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5452 LOW POC Monitor

UCC CampusConnect App for Android versions up to 14.3.5 expose hard-coded cryptographic keys in the BuildConfig.java file, allowing local attackers with limited privileges to access sensitive cryptographic material and potentially decrypt or forge authentication tokens. The vulnerability has a low CVSS score of 1.9 due to local-only attack vector and limited confidentiality impact, but publicly available exploit code exists, making it actionable for any user with app access on a shared device.

Information Disclosure Java Google
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5455 LOW POC Monitor

Dialogue App versions 4.3.0 through 4.3.2 on Android use a hard-coded cryptographic key in the SEGMENT_WRITE_KEY parameter within res/raw/config.json, allowing local authenticated attackers to perform unauthorized data injection and user profile manipulation on the device. The vulnerability has a CVSS score of 1.9 (minimal severity) but publicly available exploit code exists; however, the low CVSS score reflects the local-only attack vector and limited impact scope. The vendor has not responded to early disclosure notifications.

Google Information Disclosure
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-34768 LOW PATCH GHSA Monitor

Electron's setLoginItemSettings() function on Windows fails to quote executable paths in the Run registry key, allowing local attackers with write access to ancestor directories to execute arbitrary programs at login if the app is installed to a path containing spaces. The vulnerability affects Electron versions prior to 38.8.6, 39.8.1, 40.8.0, and 41.0.0-beta.8, and requires high-privilege access and unfavorable conditions (non-standard install paths) to exploit, making real-world impact limited to non-default Windows configurations.

Microsoft Authentication Bypass
NVD GitHub
CVSS 3.1
3.9
EPSS
0.0%
CVE-2026-3184 LOW Monitor

Improper hostname canonicalization in util-linux login(1) utility with the -h option allows remote attackers to bypass host-based PAM access control rules by supplying specially crafted hostnames that are modified before being passed to PAM_RHOST, potentially leading to unauthorized access. The vulnerability affects Red Hat Enterprise Linux 7 through 10 and related products; exploitation requires high attack complexity but no authentication or user interaction. No public exploit code has been identified, and this is not currently confirmed as actively exploited.

Authentication Bypass Red Hat Enterprise Linux 10 Red Hat Enterprise Linux 7 Red Hat Enterprise Linux 8 Red Hat Enterprise Linux 9 +2
NVD VulDB
CVSS 3.1
3.7
EPSS
0.1%
CVE-2026-35537 LOW PATCH GHSA Monitor

Unsafe deserialization in Roundcube Webmail's Redis/Memcache session handler allows unauthenticated remote attackers to write arbitrary files by crafting malicious session data. Affected versions include all 1.6.x before 1.6.14 and all 1.5.x before 1.5.14. While the CVSS score of 3.7 is low and attack complexity is high, the integrity impact (arbitrary file write) poses a real risk to instances using Redis or Memcache for session storage.

Deserialization Redis
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-34766 LOW PATCH GHSA Monitor

Electron's WebUSB device selection handler fails to validate chosen device IDs against renderer-requested filters, allowing authenticated local users with UI interaction to bypass intended device access restrictions and gain access to unfiltered USB devices. The vulnerability affects Electron versions prior to 38.8.6, 39.8.0, 40.7.0, and 41.0.0-beta.8, with CVSS 3.3 (low severity) due to local-only attack vector and UI interaction requirement; the WebUSB security blocklist remains enforced, limiting practical impact to applications with non-standard device selection logic.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-35538 LOW PATCH GHSA Monitor

Roundcube Webmail before versions 1.5.14 and 1.6.14 allows authenticated remote attackers to conduct IMAP injection attacks or bypass CSRF protections via unsanitized IMAP SEARCH command arguments. The vulnerability requires user interaction (high complexity) and authenticated access, resulting in limited integrity impact without confidentiality or availability compromise. No public exploit code or active exploitation has been confirmed at time of analysis.

CSRF Webmail
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-34947 LOW PATCH Monitor

Discourse versions 2026.1.0 through 2026.1.2, 2026.2.0 through 2026.2.1, and 2026.3.0-beta expose staged user custom fields and usernames on public invite pages without requiring email verification. An unauthenticated remote attacker can enumerate user information and custom field data by accessing public invitation links, potentially gathering sensitive user attributes before account activation. The vulnerability has been patched in versions 2026.1.3, 2026.2.2, and 2026.3.0, with no public exploit code or active exploitation confirmed at time of analysis.

Information Disclosure Discourse
NVD GitHub
CVSS 4.0
2.7
EPSS
0.0%
CVE-2026-34764 LOW PATCH GHSA Monitor

Use-after-free in Electron's offscreen rendering with GPU shared textures allows local attackers with high privileges to cause memory corruption or application crashes by invoking the texture release callback after its backing native state has been freed. The vulnerability affects Electron versions before 42.0.0-alpha.5, 41.1.0, 40.8.5, and 39.8.5, and only impacts applications explicitly enabling shared-texture offscreen rendering via webPreferences.offscreen.useSharedTexture: true.

Use After Free Memory Corruption Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
2.3
EPSS
0.0%
CVE-2026-5467 LOW Monitor

Open redirect vulnerability in Casdoor 2.356.0 OAuth Authorization Request Handler allows remote attackers to manipulate the redirect_uri parameter and redirect users to arbitrary external sites. The vulnerability requires user interaction (UI:R) but has low CVSS severity (4.3); however, publicly available exploit code exists and the vendor has not responded to disclosure attempts, leaving deployed instances unpatched.

Open Redirect
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5476 LOW Monitor

Integer overflow in NASA cFS CFE_TBL_ValidateCodecLoadSize function (cfe_tbl_passthru_codec.c) on 32-bit systems allows authenticated local attackers with low privileges to cause limited integrity and availability impact, though exploitation requires high attack complexity and no public exploit code has been identified; a fix is planned for an upcoming release milestone.

Integer Overflow Buffer Overflow Cfs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5468 LOW Monitor

Stored cross-site scripting (XSS) in Casdoor 2.356.0 via the dangerouslySetInnerHTML function allows authenticated remote attackers to inject malicious scripts through the formCss, formCssMobile, or formSideHtml parameters. An attacker with authenticated access can craft payloads that execute arbitrary JavaScript in the context of other users' browsers when they view affected forms. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, indicating no coordinated patch timeline.

XSS Casdoor
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5473 LOW Monitor

Unsafe deserialization in NASA cFS Pickle Module (versions up to 7.0.0) allows authenticated local attackers with low privileges to trigger remote code execution or information disclosure through the pickle.load() function. The vulnerability requires high attack complexity and local access, limiting its practical exploitation scope. Public exploit code is available, but the issue remains unpatched as of the last vendor update.

Deserialization Core Flight System
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy