Skip to main content
CVE-2026-5532 LOW POC Monitor

Remote code execution in ScrapeGraphAI scrapegraph-ai up to version 1.74.0 allows unauthenticated remote attackers to inject arbitrary operating system commands via the create_sandbox_and_execute function in GenerateCodeNode Component, with publicly available exploit code and vendor non-response confirming active real-world risk.

Command Injection Scrapegraph Ai
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-5595 LOW POC Monitor

Path traversal in griptape-ai griptape 0.19.4 FileManagerTool allows authenticated remote attackers to read, write, and delete arbitrary files on the server via specially crafted paths in load_files_from_disk, list_files_from_disk, save_content_to_file, and save_memory_artifacts_to_disk functions. Publicly available exploit code exists, CVSS 6.3 (medium), and the vendor has not responded to early disclosure notification.

Path Traversal Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5557 LOW POC Monitor

Authentication bypass in badlogic pi-mono up to version 0.58.4 allows authenticated attackers to escalate privileges or access unauthorized Slack channels via the pi-mom Slack Bot component. The vulnerability stems from improper authentication validation in the Slack channel routing logic and can be exploited remotely by users with existing access to the system. Public exploit code is available, and the vendor has not responded to disclosure attempts, making this an active security concern for deployed instances.

Authentication Bypass Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5559 LOW POC Monitor

Server-side template injection in PyBlade's AST validation function (_is_safe_ast in sandbox.py) allows authenticated remote attackers to bypass template safety checks and inject arbitrary template code, leading to information disclosure and potential code execution. Affected versions 0.1.8-alpha and 0.1.9-alpha contain improper neutralization of special template elements. Publicly available exploit code exists, though the vendor has not yet responded to disclosure.

Ssti Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-5594 LOW POC Monitor

Remote code execution in premAI-io premsql up to version 0.2.1 allows authenticated remote attackers to achieve arbitrary code execution through code injection via manipulation of the result argument in the eval function located in premsql/agents/baseline/workers/followup.py. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure attempts, leaving affected deployments without an official patch.

RCE Code Injection Premsql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5561 LOW POC Monitor

Campcodes Complete POS Management and Inventory System up to version 4.0.6 allows authenticated remote attackers to inject malicious input through the Environment Variable Handler in SettingsController.php, leading to information disclosure and potential system compromise. The vulnerability has publicly available exploit code and affects an undisclosed function handling environment variable manipulation, with moderate CVSS 6.3 severity driven by network-accessible attack surface and low attack complexity.

PHP Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5556 LOW POC Monitor

Code injection in badlogic pi-mono up to version 0.58.4 allows authenticated remote attackers to achieve remote code execution through the discoverAndLoadExtensions function in the extension loader module. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications despite contact attempts. The vulnerability carries moderate CVSS scoring (6.3) but represents a significant risk due to public exploit availability and lack of vendor engagement.

Code Injection RCE Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5535 LOW POC Monitor

Path traversal in FedML-AI FedML up to version 0.8.9 allows authenticated remote attackers to read arbitrary files via manipulation of the dataSet argument in the MQTT Message Handler (FileUtils.java component). The vulnerability has a CVSS score of 4.3 and publicly available exploit code exists; however, it requires low-privilege authentication and provides only information disclosure without modification or availability impact. The vendor did not respond to early disclosure efforts.

Path Traversal Java
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5542 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modstaffinfo.php, affecting confidentiality and integrity of user sessions. The vulnerability requires user interaction (clicking a crafted link) and has a publicly available exploit (CVSS 4.3, EPSS signal: E:P indicates public exploit availability). This is a stored or reflected XSS vulnerability in a PHP-based application with low CVSS severity but non-negligible real-world risk due to ease of exploitation and public disclosure.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5541 LOW POC Monitor

Stored or reflected cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject malicious scripts via the userid parameter in /modmemberinfo.php, potentially compromising user sessions or stealing sensitive data. The vulnerability requires user interaction (UI:R) and publicly available exploit code exists, elevating the practical risk despite the moderate CVSS 4.3 score.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5539 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to inject malicious scripts via the firstName parameter in /modifymember.php, which are executed in the context of other users' browsers. The vulnerability has a CVSS score of 4.3 with low impact severity but publicly available exploit code, though exploitation requires user interaction (UI:R). This represents a typical reflected or stored XSS in a parameter handler with limited immediate risk due to no confidentiality or availability impact, though it enables session hijacking and credential theft.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5533 LOW POC Monitor

Cross-site scripting (XSS) in badlogic pi-mono 0.58.4 SVG Artifact Handler allows unauthenticated remote attackers to inject malicious scripts via the SvgArtifact.ts component, affecting application integrity when users interact with crafted SVG artifacts. Publicly available exploit code exists, and the vendor has not responded to disclosure despite early notification.

XSS Pi Mono
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5560 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the paymethod parameter in /payment-method.php, enabling database query execution with limited confidentiality, integrity, and availability impact. The vulnerability is publicly documented with exploit code available, presenting moderate real-world risk despite the CVSS 6.3 score, as exploitation requires valid authentication credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5558 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project up to version 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the ID parameter in /pending-orders.php, potentially leading to unauthorized data access or modification. The vulnerability has a published proof-of-concept exploit available and carries a CVSS score of 5.3 with moderate real-world impact due to authentication requirements.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5543 LOW POC Monitor

SQL injection in PHPGurukul User Registration & Login and User Management System 3.3 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /admin/yesterday-reg-users.php, potentially leading to unauthorized data access, modification, or deletion. Publicly available exploit code exists; CVSS 6.3 reflects moderate impact with low attack complexity and authenticated access requirement.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5596 LOW POC Monitor

SQL injection in griptape-ai griptape 0.19.4 SqlTool allows authenticated remote attackers to manipulate SQL queries via the griptape/tools/sql/tool.py component, potentially accessing or modifying database contents. The exploit is publicly available, and the vendor has not responded to early disclosure notification.

SQLi Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5587 LOW POC Monitor

SQL injection in wbbeyourself MAC-SQL via the _execute_sql function in core/agents.py (Refiner Agent component) allows authenticated remote attackers to execute arbitrary SQL queries, potentially compromising data confidentiality, integrity, and availability. The vulnerability affects all versions up to commit 31a9df5e0d520be4769be57a4b9022e5e34a14f4, with publicly available exploit code and CVSS 6.3 (medium severity). The vendor has not responded to early disclosure attempts, and the product uses rolling releases making version tracking difficult.

SQLi Mac Sql
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5563 LOW POC Monitor

SQL injection in AutohomeCorp Frostmourne up to version 1.0 allows authenticated remote attackers to execute arbitrary SQL queries through the /api/monitor-api/alarm/previewData endpoint's httpTest function, potentially leading to unauthorized data access, modification, or system compromise. Publicly available exploit code exists, elevating real-world risk despite the CVSS 6.3 (medium) rating.

SQLi Frostmourne
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5537 LOW POC Monitor

SQL injection in halex CourseSEL up to version 1.1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the seid parameter in the HTTP GET request handler, potentially leading to unauthorized data access, modification, and denial of service. The vulnerability affects the check_sel function in IndexController.class.php and has publicly available exploit code; the vendor has not responded to early disclosure notifications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5597 LOW POC Monitor

Remote path traversal in griptape-ai griptape 0.19.4 ComputerTool allows authenticated attackers to manipulate the filename argument in griptape/tools/computer/tool.py, enabling unauthorized file access with read, write, and limited availability impact. Publicly available exploit code exists; the vendor has not responded to early disclosure notifications.

Path Traversal Griptape
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5546 LOW POC Monitor

Unrestricted file upload in Campcodes Complete Online Learning Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the add_lesson function in /application/models/Crud_model.php, enabling potential remote code execution or malware deployment. The vulnerability requires low-privilege authentication, carries a CVSS score of 6.3 (medium), and publicly available exploit code exists.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5583 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fullname parameter in /my-profile.php. The vulnerability has a publicly disclosed exploit and CVSS 5.3 score reflecting low confidentiality and integrity impact; however, the moderate real-world risk is elevated by public exploit availability and the authentication-required nature suggesting insider or credential-based attack scenarios.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5580 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the videotitle parameter in /OnlineClassroom/addvideos.php. Publicly available exploit code exists, enabling database manipulation with low complexity. CVSS 6.3 (Medium) reflects authentication requirement and limited scope, though exploitation is straightforward and could lead to unauthorized data access or modification.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5578 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 via the deleteid parameter in /OnlineClassroom/addassessment.php allows authenticated remote attackers to manipulate database queries with low impact to confidentiality, integrity, and availability. Public exploit code is available, increasing practical risk despite the moderate CVSS 5.3 score. The vulnerability requires valid authentication (PR:L) but uses a common attack vector (AV:N, AC:L) typical of parameter validation flaws in PHP web applications.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5553 LOW POC Monitor

SQL injection in itsourcecode Online Cellphone System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /cp/available.php, potentially compromising confidentiality, integrity, and availability of the application database. Publicly available exploit code exists and the vulnerability has moderate exploitability signals (CVSS 6.3, EPSS evidence of public tools), though no CISA KEV confirmation of active exploitation is present.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5552 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the pid parameter in /sub-category.php, enabling information disclosure and potential data modification. Publicly available exploit code exists for this vulnerability, which carries a CVSS score of 6.3 with confirmed exploitation feasibility.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5529 LOW POC Monitor

Improper authorization in Dromara lamp-cloud up to version 5.8.1 allows authenticated remote attackers to bypass access controls in the DefUserController pageUser endpoint, gaining unauthorized read access to sensitive user information. The CVSS score of 4.3 reflects low confidentiality impact with network accessibility and low attack complexity; however, public exploit code availability and vendor non-responsiveness increase real-world risk despite the modest base score.

Authentication Bypass Lamp Cloud
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5576 LOW POC Monitor

Unrestricted file upload in SourceCodester/jkev Record Management System 1.0 allows authenticated remote attackers to upload arbitrary files via the save_emp.php Add Employee Page component, potentially enabling remote code execution. The vulnerability requires high-privilege authentication and has publicly available exploit code, though real-world risk remains limited by the authentication barrier and moderate CVSS score of 4.7.

File Upload PHP
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5568 LOW POC Monitor

Cross-site scripting (XSS) in Akaunting up to version 3.1.21 allows authenticated users to inject malicious scripts via the notes parameter in the Invoice/Billing component, potentially compromising other users' sessions when they view affected invoices. The vulnerability requires user interaction (UI:P) to trigger and has publicly available exploit code; however, vendor remediation response is unknown.

XSS Akaunting
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5603 LOW POC PATCH GHSA Monitor

OS command injection in elgentos magento2-dev-mcp up to version 1.0.2 allows local authenticated users to execute arbitrary system commands through the executeMagerun2Command function in src/index.ts. The vulnerability requires local access and valid user privileges but grants low-impact code execution capabilities. Publicly available exploit code exists, and vendor-released patch is available.

Command Injection Magento2 Dev Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-5602 LOW POC PATCH GHSA Monitor

OS command injection in Nor2-io heim-mcp up to version 0.1.3 allows authenticated local attackers to execute arbitrary system commands via the registerTools function in src/tools.ts, affecting cloud deployment operations. Publicly available exploit code exists, and the vendor released a patched version promptly after disclosure.

Command Injection Heim Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-35679 LOW PATCH Monitor

Zcash zcashd before version 6.12.0 fails to properly verify Sprout zero-knowledge proofs under certain conditions, allowing authenticated attackers to submit invalid transactions that could drain funds from the Sprout shielded pool. The vulnerability requires authenticated access and complex conditions to exploit, resulting in a low CVSS score of 3.5 despite the potential financial impact. No public exploit code or active exploitation has been confirmed.

Information Disclosure Zcashd
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-5528 LOW Monitor

OS command injection in MoussaabBadla code-screenshot-mcp HTTP interface (versions up to 0.1.0) allows authenticated remote attackers to execute arbitrary system commands with limited confidentiality, integrity, and availability impact. Public exploit code has been disclosed, and the vendor did not respond to early disclosure attempts, leaving affected deployments without vendor-provided patches.

Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-5586 LOW Monitor

SQL injection in zhongyu09 openchatbi up to version 0.2.1 allows authenticated remote attackers to manipulate the keywords argument in the Multi-stage Text2SQL Workflow component, leading to unauthorized database access with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5579 LOW Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via manipulation of the fname parameter in the /OnlineClassroom/updatedetailsfromfaculty.php endpoint. The vulnerability has been publicly disclosed with exploit code available, presenting moderate real-world risk due to required authentication (PR:L) but low technical impact (VC:L, VI:L, VA:L) per CVSS 4.0 scoring.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5572 LOW Monitor

Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 is vulnerable to cross-site request forgery (CSRF) in an unknown function, allowing remote attackers to perform unauthorized actions via a specially crafted request requiring user interaction. Public exploit code is available, and the vendor has not responded to early disclosure attempts, leaving deployed devices potentially at risk.

CSRF Hi Led Wr120 G2 Firmware
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy