Skip to main content
CVE-2019-25683 MEDIUM POC This Month

FileZilla 3.40.0 contains a denial of service vulnerability in the local search functionality that allows local attackers to crash the application by supplying a malformed path string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Filezilla
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25677 MEDIUM POC This Month

WinRAR 5.61 contains a denial of service vulnerability that allows local attackers to crash the application by placing a malformed winrar.lng language file in the installation directory. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Winrar
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25667 MEDIUM POC This Month

TaskInfo 8.2.0.280 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to registration fields. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Taskinfo
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25666 MEDIUM POC This Month

SpotAuditor 3.6.7 contains a local buffer overflow vulnerability in the Base64 Password Decoder component that allows attackers to crash the application. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Spotauditor
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25665 MEDIUM POC This Month

River Past Ringtone Converter 2.7.6.1601 contains a local buffer overflow vulnerability that allows attackers to crash the application by supplying oversized input to activation fields. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service River Past Ringtone Converter
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25661 MEDIUM POC This Month

Remote Process Explorer 1.0.0.16 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by sending a crafted payload to the Add Computer dialog. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Remote Process Explorer
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25660 MEDIUM POC This Month

LanHelper 1.74 contains a local buffer overflow vulnerability that allows attackers to crash the application by sending excessively long input strings. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Lanhelper
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25659 MEDIUM POC This Month

ASPRunner Professional 6.0.766 contains a local buffer overflow vulnerability that allows attackers to cause a denial of service by supplying an excessively long project name. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Asprunner Professional
NVD Exploit-DB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2019-25658 MEDIUM POC This Month

a-Mac Address Change 5.4 contains a local buffer overflow vulnerability that allows local attackers to crash the application by supplying oversized input to registration form fields. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Mac Address Change
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2019-25657 MEDIUM POC This Month

AnyBurn 4.3 x86 contains a denial of service vulnerability that allows local attackers to crash the application by supplying an excessively long string to the image conversion function. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Denial Of Service Anyburn X86
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2018-25256 MEDIUM POC This Month

IP TOOLS 2.50 contains a local buffer overflow vulnerability in the SNMP Scanner component that allows local attackers to crash the application by supplying oversized input. Rated medium severity (CVSS 6.8), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Memory Corruption Buffer Overflow Denial Of Service Ip Tools
NVD Exploit-DB
CVSS 4.0
6.8
EPSS
0.0%
CVE-2026-5570 MEDIUM POC This Month

Improper authentication in Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 allows unauthenticated remote attackers to bypass authentication controls via the index_config function in /LoginCB endpoint. Publicly available exploit code exists. With EPSS data unavailable and no CISA KEV listing, exploitation likelihood remains moderate, though the low attack complexity (CVSS AC:L) and network-accessible attack vector increase accessibility for opportunistic attacks against exposed industrial LED display controllers.

Authentication Bypass Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-5562 MEDIUM POC This Month

Code injection in Provectus kafka-ui up to version 0.7.2 allows unauthenticated remote attackers to execute arbitrary code via the validateAccess function in the /api/smartfilters/testexecutions endpoint. The vulnerability has publicly available exploit code and carries a CVSS 6.9 score reflecting moderate but meaningful real-world risk; the vendor was contacted early but provided no response, suggesting no patch is anticipated.

Code Injection RCE Kafka Ui
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-5584 MEDIUM POC This Month

Remote code execution in Fosowl agenticSeek 0.1.0 allows unauthenticated attackers to inject arbitrary Python code via the PyInterpreter.execute function in the query endpoint, enabling full system compromise. The vulnerability exploits unsafe code execution in the component responsible for interpreting user-supplied queries. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Code Injection RCE Agenticseek
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5549 MEDIUM POC This Month

Tenda AC10 router firmware 16.03.10.10_multi_TDE01 exposes a hard-coded RSA 2048-bit private key in the world-readable file /webroot_ro/pem/privkeySrv.pem, allowing unauthenticated remote attackers to retrieve sensitive cryptographic material and decrypt encrypted communications. With publicly available exploit code and an EPSS score indicating moderate but real-world feasibility, this vulnerability enables information disclosure attacks against affected router configurations.

Tenda Information Disclosure
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5573 MEDIUM POC This Month

Unrestricted file upload in Technostrobe HI-LED-WR120-G2 firmware version 5.5.0.1R6.03.30 allows remote unauthenticated attackers to upload arbitrary files by manipulating the cwd argument in the /fs endpoint. CVSS 6.9 reflects moderate confidentiality, integrity, and availability impact across local and remote boundaries. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts.

File Upload Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5569 MEDIUM POC This Month

Improper access controls in Technostrobe HI-LED-WR120-G2 firmware 5.5.0.1R6.03.30 enable unauthenticated remote attackers to bypass authentication mechanisms via the /Technostrobe/ endpoint, exposing multiple endpoints with low-level confidentiality, integrity, and availability impact. Publicly available exploit code exists demonstrating the authentication bypass (CVSS 7.3, EPSS data not provided). Vendor did not respond to coordinated disclosure attempts, leaving users at elevated risk without official remediation guidance.

Authentication Bypass Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5585 MEDIUM POC This Month

Tencent AI-Infra-Guard 4.0 discloses sensitive information through an unknown function in the Task Detail Endpoint (common/websocket/task_manager.go) that can be manipulated by remote, unauthenticated attackers. The vulnerability has a CVSS score of 5.5 with publicly available exploit code, though no patch has been released despite early vendor notification.

Information Disclosure Ai Infra Guard
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5571 MEDIUM POC This Month

Technostrobe HI-LED-WR120-G2 firmware versions up to 5.5.0.1R6.03.30 allow remote unauthenticated attackers to disclose sensitive information through manipulation of file path arguments in the Configuration Data Handler's /fs endpoint. The vulnerability has a publicly available exploit and low-to-moderate real-world risk profile (CVSS 5.3, EPSS context suggests opportunistic rather than widespread targeting), though vendor non-responsiveness limits confidence in patch availability.

Information Disclosure Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5565 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the userid parameter in /delmemberinfo.php. The vulnerability has publicly available exploit code (GitHub POC) and CVSS 7.3 severity with network-accessible attack vector requiring low complexity and no privileges. No vendor-released patch identified at time of analysis. EPSS data not provided, but public exploit availability increases likelihood of opportunistic scanning and exploitation.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5564 MEDIUM POC This Month

SQL injection in code-projects Simple Laundry System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database records via the searchServiceId parameter in /searchguest.php. CVSS 7.3 reflects network-accessible attack with low complexity requiring no privileges. Publicly available exploit code exists (GitHub PoC published), significantly lowering exploitation barrier. No vendor-released patch identified at time of analysis. EPSS data unavailable, but combination of remotely exploitable SQLi with public PoC against an unmaintained open-source project indicates elevated real-world risk for installations exposed to untrusted networks.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5555 MEDIUM POC This Month

SQL injection in code-projects Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the Email parameter in login.php. The vulnerability is trivially exploitable (CVSS AC:L, PR:N) with publicly available exploit code demonstrating the attack path. EPSS data not available, but the combination of remote exploitation without authentication, public POC, and database compromise capabilities indicates moderate real-world risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5554 MEDIUM POC This Month

SQL injection in Concert Ticket Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'searching' parameter in process_search.php. Publicly available exploit code exists (GitHub), enabling immediate weaponization. CVSS 7.3 reflects network-accessible attack with no complexity barriers, though EPSS data unavailable. Not confirmed as actively exploited (no CISA KEV listing), but POC publication significantly lowers exploitation threshold for opportunistic attackers targeting exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5551 MEDIUM POC This Month

SQL injection in itsourcecode Free Hotel Reservation System 1.0 allows unauthenticated remote attackers to extract, modify, or delete database contents via the 'email' parameter in /hotel/admin/login.php. The vulnerability is remotely exploitable with low attack complexity and no user interaction required. Publicly available exploit code exists (confirmed POC on GitHub), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of unauthenticated remote access, public exploit, and impact on confidentiality, integrity, and availability creates moderate-to-high real-world risk for exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5540 MEDIUM POC This Month

SQL injection in Simple Laundry System 1.0 allows unauthenticated remote attackers to execute arbitrary SQL commands via the firstName parameter in /modifymember.php. Publicly available exploit code exists (GitHub POC), enabling attackers to extract, modify, or delete database contents without authentication. CVSS 7.3 reflects network-based attack with low complexity and no privilege requirements. Not listed in CISA KEV, indicating no confirmed widespread exploitation despite public POC availability.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5534 MEDIUM POC This Month

SQL injection in itsourcecode Online Enrollment System 1.0 allows unauthenticated remote attackers to manipulate database queries via the USERID parameter in /sms/user/index.php. The CVSS 7.3 score reflects network-accessible exploitation with low complexity requiring no privileges. Publicly available exploit code exists on GitHub, elevating immediate risk. CVSS impact ratings indicate potential for limited confidentiality, integrity, and availability compromise across the database layer.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5577 MEDIUM POC This Month

SQL injection in Song-Li cross_browser application allows remote code execution via unsanitized ID parameter in the details endpoint of flask/uniquemachine_app.py. The vulnerability affects all versions up to commit ca690f0fe6954fd9bcda36d071b68ed8682a786a, requires no authentication, and has publicly available exploit code. The vendor has not responded to disclosure attempts, and the product's rolling-release model means no traditional patched version has been released.

Python SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5531 MEDIUM POC This Month

SourceCodester Student Result Management System 1.0 stores authentication credentials in cleartext within an HTTP-accessible file (/login_credentials.txt), allowing unauthenticated remote attackers to retrieve sensitive login information with low complexity. The vulnerability has publicly available exploit code and carries a CVSS 5.3 score reflecting confidentiality impact without integrity or availability compromise.

Information Disclosure Student Result Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5574 MEDIUM POC This Month

Remote unauthenticated attackers can bypass authorization checks in the FsBrowseClean component's deletefile function of Technostrobe HI-LED-WR120-G2 version 5.5.0.1R6.03.30 by manipulating the dir/path argument, enabling unauthorized file deletion. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications. CVSS 6.9 reflects moderate integrity impact with network-accessible attack surface and low attack complexity.

Authentication Bypass Hi Led Wr120 G2
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2019-25682 MEDIUM POC This Month

CMSsite 1.0 contains a cross-site request forgery vulnerability that allows attackers to perform unauthorized administrative actions by crafting malicious HTML forms. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

PHP CSRF
NVD Exploit-DB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5536 MEDIUM This Month

Unsafe deserialization in FedML-AI FedML's gRPC server allows unauthenticated remote attackers to achieve confidentiality, integrity, and availability compromise through malicious payloads sent to the sendMessage function in versions up to 0.8.9. EPSS data not available; no CISA KEV listing indicates no confirmed active exploitation at time of analysis. Vendor unresponsive to coordinated disclosure attempts, raising concerns about patch availability and ongoing risk for production deployments of this federated machine learning framework.

Deserialization Fedml
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-5601 MEDIUM This Month

Remote information disclosure in Acrel Electrical Prepaid Cloud Platform 1.0 allows unauthenticated attackers to access sensitive data via the backup file handler component at /bin.rar with low attack complexity. Publicly available exploit code exists for this vulnerability, and the vendor did not respond to early disclosure notifications, leaving no patch available.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5575 MEDIUM This Month

SQL injection in SourceCodester jkev Record Management System 1.0 allows remote unauthenticated attackers to manipulate the Username parameter in the Login component (index.php) to execute arbitrary SQL queries, potentially leading to unauthorized data access or modification. The exploit code is publicly available, and the vulnerability carries a CVSS 4.0 base score of 6.9 with low confidentiality, integrity, and availability impact.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-5547 MEDIUM This Month

OS command injection in Tenda AC10 firmware 16.03.10.10_multi_TDE01 allows authenticated remote attackers to execute arbitrary system commands via the formAddMacfilterRule function in /bin/httpd. The vulnerability requires valid credentials (PR:L in CVSS vector) and affects multiple endpoints related to MAC filtering configuration. No public exploit code has been independently confirmed as actively exploited, though proof-of-concept documentation exists in public repositories.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.7%
CVE-2026-5590 MEDIUM This Month

Null pointer dereference in Zephyr RTOS TCP stack during connection teardown allows authenticated remote attackers to cause denial of service. A race condition in tcp_recv() processing of SYN packets causes tcp_conn_search() to return NULL on a released connection, which is then dereferenced without validation in tcp_backlog_is_full(), resulting in a crash. The vulnerability requires low-privilege authentication and is moderately complex to trigger due to timing constraints (AC:H), but results in high availability impact.

Null Pointer Dereference Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-5538 MEDIUM This Month

Server-side request forgery (SSRF) in QingdaoU OnlineJudge up to version 1.6.1 allows authenticated remote attackers to perform arbitrary HTTP requests via the judge_server_heartbeat endpoint's service_url parameter, enabling potential exfiltration of internal data, interaction with internal services, or lateral movement within the target network. The vendor has not responded to disclosure attempts, and no official patch has been released.

SSRF Onlinejudge
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%
CVE-2026-5530 MEDIUM This Month

Server-side request forgery in Ollama's Model Pull API (via server/download.go) allows authenticated remote attackers to manipulate file processing and trigger SSRF attacks, affecting Ollama versions up to 18.1. The vulnerability carries a CVSS score of 6.3 with moderate impact on confidentiality, integrity, and availability. No public exploit code or active exploitation has been confirmed, and the vendor has not responded to early disclosure attempts.

SSRF Ollama
NVD VulDB
CVSS 4.0
5.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy