Skip to main content
CVE-2026-31062 MEDIUM This Month

Buffer overflow in UTT Aggressive 520W v3 v1.7.7-180627 filename parameter of formFtpServerDirConfig function allows authenticated attackers with high privileges to cause denial of service. The vulnerability requires local network access and high-level administrative credentials; no public exploit code or active exploitation has been confirmed at time of analysis.

Denial Of Service Buffer Overflow 520w Firmware
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-31061 MEDIUM This Month

Buffer overflow in UTT Aggressive HiPER 810G v3 v1.7.7-171114 ConfigAdvideo function allows authenticated local attackers with high privileges to cause denial of service by crafting malicious input to the timestart parameter. The vulnerability scores low-to-moderate risk (CVSS 4.5) due to strict prerequisites: network access limited to adjacent network only, high privilege requirement, and impact restricted to availability.

Denial Of Service Buffer Overflow 810g Firmware
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-31060 MEDIUM This Month

Buffer overflow in UTT Aggressive HiPER 810G v3 version 1.7.7-171114 within the notes parameter of the formGroupConfig function enables authenticated administrators to trigger a denial of service condition through a crafted input. The vulnerability requires high-privilege access and cannot result in code execution, but represents a threat to device availability. No public exploit code has been independently confirmed, and this CVE does not appear on the CISA KEV catalog at time of analysis.

Denial Of Service Buffer Overflow 810g Firmware
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-31058 MEDIUM This Month

Buffer overflow in UTT Aggressive HiPER 1200GW v2.5.3-170306 timeRangeName parameter allows authenticated attackers with high privileges to cause denial of service through crafted input to the formConfigDnsFilterGlobal function. CVSS score of 4.5 reflects local/adjacent network attack vector and high-privilege requirement, with no confidentiality or integrity impact. No public exploit code or active exploitation confirmed at time of analysis.

Denial Of Service Buffer Overflow 1200Gw Firmware
NVD GitHub
CVSS 3.1
4.5
EPSS
0.0%
CVE-2026-31150 MEDIUM This Month

Incorrect access control in Kaleris YMS v7.2.2.1 allows authenticated users with the shipping/receiving role to access truck dashboard resources beyond their assigned permissions, resulting in unauthorized information disclosure. The vulnerability requires valid authentication credentials and affects a specific version of the Kaleris Yard Management System (YMS). Public exploit code is available, and CISA has identified this as exploitable through their SSVC framework, though technical impact is limited to confidentiality breach without integrity or availability consequences.

Authentication Bypass
NVD GitHub
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-35180 MEDIUM This Month

Cross-site request forgery in WWBN AVideo 26.0 and earlier allows unauthenticated remote attackers to overwrite the platform's logo file via a malicious cross-origin POST to the admin/customize_settings_nativeUpdate.json.php endpoint. The vulnerability exploits missing CSRF token validation combined with a SameSite=None cookie policy and a file-write-before-validation logic flaw, enabling integrity compromise of the site's branding. No public exploit code or active exploitation has been identified at the time of analysis.

CSRF PHP
NVD GitHub VulDB
CVSS 3.1
4.3
EPSS
0.0%
CVE-2026-32602 MEDIUM PATCH This Month

Homarr prior to version 1.57.0 contains a race condition in the user registration endpoint that allows authenticated attackers to bypass single-use invite token restrictions and create multiple user accounts with a single token. The vulnerability stems from non-atomic database operations (CHECK, CREATE, DELETE) that can be exploited through concurrent requests, enabling unauthorized account creation on instances with restrictive registration policies. The issue is patched in version 1.57.0.

Information Disclosure Homarr
NVD GitHub
CVSS 3.1
4.2
EPSS
0.0%
CVE-2026-35177 MEDIUM PATCH This Month

Vim 9.2.0279 and earlier contains a path traversal bypass in the zip.vim plugin that allows local attackers with user interaction to overwrite arbitrary files when opening specially crafted zip archives. This vulnerability circumvents a prior fix for CVE-2025-53906, affecting users who process untrusted ZIP files. The vulnerability requires local access and user interaction to trigger, with a CVSS score of 4.1 indicating low to moderate severity; no public exploit code or active exploitation has been identified at the time of analysis.

Path Traversal Vim
NVD GitHub VulDB
CVSS 3.1
4.1
EPSS
0.0%
CVE-2026-33404 LOW PATCH Monitor

Pi-hole Admin Interface versions 6.0 through 6.4 fail to escape client hostnames and IP addresses from the FTL database when rendering them into the DOM in the Network page and Dashboard chart tooltips, enabling stored cross-site scripting (XSS) attacks. An authenticated admin with high privileges can inject malicious scripts that execute in the context of other administrators' browsers, though the attack requires initial compromise of a DHCP/DNS client hostname field and circumvention of upstream validation in dnsmasq and FTL. This vulnerability is fixed in version 6.5, and no public exploit code or active exploitation has been identified at the time of analysis.

XSS Web Interface
NVD GitHub
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-33405 LOW PATCH Monitor

Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to inject unescaped HTML into query log details via the formatInfo() function, affecting the upstream, client IP, and error description fields. JavaScript execution is mitigated by Content Security Policy, limiting the practical impact to HTML-based attacks such as DOM manipulation or phishing content injection. The vulnerability is fixed in version 6.5.

XSS Web
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-5622 LOW Monitor

JWT token handling in hcengineering Huly Platform 0.7.382 uses hard-coded cryptographic keys in the token.ts component, allowing remote attackers to forge or manipulate authentication tokens with high attack complexity. The vulnerability affects confidentiality and integrity of token-based authentication but requires significant technical effort to exploit, reflected in a low CVSS score (3.7) and high attack complexity rating. No active exploitation has been confirmed, and the vendor has not responded to disclosure attempts.

Information Disclosure Huly Platform
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5682 LOW Monitor

Meesho Online Shopping App versions up to 27.3 on Android implement risky cryptographic algorithms in the /api/endpoint component (com.meesho.supply), enabling remote attackers to disclose sensitive information without authentication. The vulnerability has CVSS 6.3 severity with public exploit code availability, though exploitation requires high attack complexity. This impacts the confidentiality of user data processed through affected API endpoints.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5670 LOW Monitor

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5623 LOW Monitor

Server-side request forgery in hcengineering Huly Platform 0.7.382 allows authenticated remote attackers to make arbitrary HTTP requests from the affected server via manipulation of the Import Endpoint in server/front/src/index.ts, potentially enabling access to internal resources, metadata disclosure, or lateral movement within the infrastructure. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.

SSRF Huly Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5675 LOW Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the 'emp' parameter in /borrowed_tool.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid credentials (PR:L) but has publicly available exploit code, though exploitation probability remains moderate (EPSS indicates P:P status). This is a classic parameter injection flaw in a PHP application with real but constrained risk due to authentication requirements.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5624 LOW PATCH Monitor

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

CSRF PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5647 LOW Monitor

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in the Add Product Page (/admin/admin_feature.php), which execute in the context of other users' browsers. The vulnerability requires high-privilege administrative access and user interaction (clicking a malicious link), limiting real-world impact, but publicly available exploit code exists.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 5 of 5

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy