Skip to main content
CVE-2026-5573 MEDIUM POC This Month

Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

File Upload Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5569 MEDIUM POC This Month

Improper access controls in Technostrobe HI-LED-WR120-G2 firmware 5.5.0.1R6.03.30 enable unauthenticated remote attackers to bypass authentication mechanisms via the /Technostrobe/ endpoint, exposing multiple endpoints with low-level confidentiality, integrity, and availability impact. Publicly available exploit code exists demonstrating the authentication bypass (CVSS 7.3, EPSS data not provided). Vendor did not respond to coordinated disclosure attempts, leaving users at elevated risk without official remediation guidance.

Authentication Bypass Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5585 MEDIUM POC This Month

Tencent AI-Infra-Guard 4.0 discloses sensitive information through an unknown function in the Task Detail Endpoint (common/websocket/task_manager.go) that can be manipulated by remote, unauthenticated attackers. The vulnerability has a CVSS score of 5.5 with publicly available exploit code, though no patch has been released despite early vendor notification.

Information Disclosure Ai Infra Guard
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5571 MEDIUM POC This Month

Technostrobe HI-LED-WR120-G2 firmware versions up to 5.5.0.1R6.03.30 allow remote unauthenticated attackers to disclose sensitive information through manipulation of file path arguments in the Configuration Data Handler's /fs endpoint. The vulnerability has a publicly available exploit and low-to-moderate real-world risk profile (CVSS 5.3, EPSS context suggests opportunistic rather than widespread targeting), though vendor non-responsiveness limits confidence in patch availability.

Information Disclosure Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5565 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5564 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5555 MEDIUM POC This Month

SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5554 MEDIUM POC This Month

SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5551 MEDIUM POC This Month

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5540 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5534 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5577 MEDIUM POC This Month

SQL injection in Song-Li cross_browser application allows remote code execution via unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.

Python SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5531 MEDIUM POC This Month

SourceCodester Student Result Management System 1.0 stores authentication credentials in cleartext within an HTTP-accessible file (/login_credentials.txt), allowing unauthenticated remote attackers to retrieve sensitive login information with low complexity. The vulnerability has publicly available exploit code and carries a CVSS 5.3 score reflecting confidentiality impact without integrity or availability compromise.

Information Disclosure Student Result Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5574 MEDIUM POC This Month

Remote unauthenticated attackers can bypass authorization checks in the FsBrowseClean component's deletefile function of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 by manipulating the dir/path argument, enabling unauthorized file deletion. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications. CVSS 6.9 reflects moderate integrity impact with network-accessible attack surface and low attack complexity.

Authentication Bypass Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2019-25682 MEDIUM POC This Month

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5550 HIGH This Week

Stack-based buffer overflow in Tenda AC10 router firmware version 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve complete system compromise through the fromSysToolChangePwd function in /bin/httpd. The vulnerability requires only low-privilege authentication (CVSS PR:L) and has low attack complexity, enabling potential remote code execution with full confidentiality, integrity, and availability impact. No public exploit code identified at time of analysis, though detailed technical findings have been published on GitHub documenting multiple vulnerable endpoints.

Tenda Stack Overflow Buffer Overflow
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-5548 HIGH This Week

Stack-based buffer overflow in Tenda AC10 router firmware 16.03.10.10_multi_TDE01 allows authenticated remote attackers to achieve code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromSysToolChangePwd function within /bin/httpd, triggered by manipulating the sys.userpass parameter. Publicly available exploit code exists (GitHub repository documented), though no confirmed active exploitation (not in CISA KEV). CVSS 8.8 reflects network-accessible attack requiring only low-privilege authentication with low complexity, making this a realistic threat for internet-exposed routers with default or compromised credentials.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.0%
CVE-2026-4272 HIGH This Week

Remote unauthenticated command execution in Honeywell Handheld Scanner base stations (C1/D1/A1/B1 models) allows attackers within Bluetooth range to execute system commands on connected host systems without authentication. Affects C1 Base (Ingenic x1000) before GK000432BAA, D1 Base (Ingenic x1600) before HE000085BAA, and A1/B1 Base (IMX25) before BK000763BAA/BK000765BAA/CU000101BAA. CVSS 8.1 (High) reflects high confidentiality and integrity impact with network attack vector requiring user interaction. No public exploit identified at time of analysis, though the missing authentication (CWE-306) combined with proximity-based Bluetooth attack vector creates significant risk for environments using these industrial scanning devices.

Honeywell Authentication Bypass
NVD
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-5599 HIGH PATCH This Week

Cross-world user deletion in venueless allows authenticated API users with 'manage users' permission in one world to delete user accounts in completely separate worlds. Venueless versions prior to commit 02b9cbe5 are affected. The CVSS 7.3 rating reflects network-based attack requiring low-complexity exploitation by authenticated users with low privileges. No public exploit identified at time of analysis, though the vulnerability permits unauthorized data destruction across tenant boundaries in multi-tenant deployments.

Information Disclosure Venueless
NVD GitHub
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-5536 MEDIUM This Month

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Vendor unresponsive to coordinated disclosure attempts, raising concerns about patch availability and ongoing risk for production deployments of this federated machine learning framework.

Deserialization Fedml
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5532 LOW POC Monitor

Remote code execution in ScrapeGraphAI scrapegraph-ai up to version 1.74.0 allows unauthenticated remote attackers to inject arbitrary operating system commands via the create_sandbox_and_execute function in GenerateCodeNode Component, with publicly available exploit code and vendor non-response confirming active real-world risk.

Command Injection Scrapegraph Ai
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-5595 LOW POC Monitor

Path traversal in griptape-ai griptape 0.19.4 FileManagerTool allows authenticated remote attackers to read, write, and delete arbitrary files on the server via specially crafted paths in load_files_from_disk, list_files_from_disk, save_content_to_file, and save_memory_artifacts_to_disk functions. Publicly available exploit code exists, CVSS 6.3 (medium), and the vendor has not responded to early disclosure notification.

Path Traversal Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5557 LOW POC Monitor

Authentication bypass in badlogic pi-mono up to version 0.58.4 allows authenticated attackers to escalate privileges or access unauthorized Slack channels via the pi-mom Slack Bot component. The vulnerability stems from improper authentication validation in the Slack channel routing logic and can be exploited remotely by users with existing access to the system. Public exploit code is available, and the vendor has not responded to disclosure attempts, making this an active security concern for deployed instances.

Authentication Bypass Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5559 LOW POC Monitor

Server-side template injection in PyBlade's AST validation function (_is_safe_ast in sandbox.py) allows authenticated remote attackers to bypass template safety checks and inject arbitrary template code, leading to information disclosure and potential code execution. Affected versions 0.1.8-alpha and 0.1.9-alpha contain improper neutralization of special template elements. Publicly available exploit code exists, though the vendor has not yet responded to disclosure.

Ssti Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5594 LOW POC Monitor

Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.

RCE Code Injection Premsql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5561 LOW POC Monitor

Campcodes Complete POS Management and Inventory System up to version 4.0.6 allows authenticated remote attackers to inject malicious input through the Environment Variable Handler in SettingsController.php, leading to information disclosure and potential system compromise. The vulnerability has publicly available exploit code and affects an undisclosed function handling environment variable manipulation, with moderate CVSS 6.3 severity driven by network-accessible attack surface and low attack complexity.

PHP Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5556 LOW POC Monitor

Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.

Code Injection RCE Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5535 LOW POC Monitor

Path traversal in FedML-AI FedML up to version 0.8.9 allows authenticated remote attackers to read arbitrary files via manipulation of the dataSet argument in the MQTT Message Handler (FileUtils.java component). The vulnerability has a CVSS score of 4.3 and publicly available exploit code exists; however, it requires low-privilege authentication and provides only information disclosure without modification or availability impact. The vendor did not respond to early disclosure efforts.

Path Traversal Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5542 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modstaffinfo.php, affecting confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a crafted link) and has a publicly available exploit (CVSS 4.3, EPSS signal: E:P indicates public exploit availability). This is a stored or reflected XSS vulnerability in a PHP-based application with low CVSS severity but non-negligible real-world risk due to ease of exploitation and public disclosure.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5541 LOW POC Monitor

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5539 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the firstName parameter in /modifymember.php, which are executed in the context of other users' browsers. The vulnerability has a CVSS score of 4.3 with low impact severity but publicly available exploit code, though exploitation requires user interaction (UI:R). This represents a typical reflected or stored XSS in a parameter handler with limited immediate risk due to no confidentiality or availability impact, though it enables session hijacking and credential theft.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5533 LOW POC Monitor

Cross-site scripting (XSS) in badlogic pi-mono 0.58.4 SVG Artifact Handler allows unauthenticated remote attackers to inject malicious scripts via the SvgArtifact.ts component, affecting application integrity when users interact with crafted SVG artifacts. Publicly available exploit code exists, and the vendor has not responded to disclosure despite early notification.

XSS Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5560 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5558 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5543 LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5596 LOW POC Monitor

SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.

SQLi Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5587 LOW POC Monitor

SQL injection in wbbeyourself MAC-SQL via the _execute_sql function in core/agents.py (Refiner Agent component) allows authenticated remote attackers to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability affects all versions up to commit 31a9df5e0d520be4769be57a4b9022e5e34a14f4, with publicly available exploit code and CVSS 6.3 (medium severity). The vendor has not responded to early disclosure attempts, and the product uses rolling releases making version tracking difficult.

SQLi Mac Sql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5563 LOW POC Monitor

SQL injection in AutohomeCorp Frostmourne up to version 1.0 allows authenticated remote attackers to execute arbitrary SQL queries through the /api/monitor-api/alarm/previewData endpoint's httpTest function, potentially leading to unauthorized data access, modification, or system compromise. Publicly available exploit code exists, elevating real-world risk despite the CVSS 6.3 (medium) rating.

SQLi Frostmourne
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5537 LOW POC Monitor

SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5597 LOW POC Monitor

Remote path traversal in griptape-ai griptape 0.19.4 ComputerTool allows authenticated attackers to manipulate the filename argument in griptape/tools/computer/tool.py, enabling unauthorized file access with read, write, and limited availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notifications.

Path Traversal Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5546 LOW POC Monitor

Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5583 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5580 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5578 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5553 LOW POC Monitor

SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5552 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5529 LOW POC Monitor

Improper authorization in Dromara lamp-cloud up to version 5.8.1 allows authenticated remote attackers to bypass access controls in the DefUserController pageUser endpoint, gaining unauthorized read access to sensitive user information. The CVSS score of 4.3 reflects low confidentiality impact with network accessibility and low attack complexity; however, public exploit code availability and vendor non-responsiveness increase real-world risk despite the modest base score.

Authentication Bypass Lamp Cloud
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5576 LOW POC Monitor

Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.

File Upload PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5568 LOW POC Monitor

Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via the notes parameter in the Invoice/Billing component, potentially compromising other users' sessions when they view affected invoices. The vulnerability requires user interaction (UI:P) to trigger and has publicly available exploit code; however, vendor remediation response is unknown.

XSS Akaunting
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5603 LOW POC PATCH GHSA Monitor

OS command injection in elgentos magento2-dev-mcp up to version 1.0.2 allows local authenticated users to execute arbitrary system commands through the executeMagerun2Command function in src/index.ts. The vulnerability requires local access and valid user privileges but grants low-impact code execution capabilities. Publicly available exploit code exists, and vendor-released patch is available.

Command Injection Magento2 Dev Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
Prev Page 2 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy