Skip to main content
CVE-2026-5618 LOW POC Monitor

Server-side request forgery (SSRF) in Kalcaddle Kodbox up to version 1.64 allows unauthenticated remote attackers to perform arbitrary network requests via manipulation of the siteFrom/siteTo parameters in the shareMake/shareCheck component, with publicly available exploit code and high attack complexity. The vendor has not responded to disclosure efforts, leaving affected installations vulnerable to information disclosure and potential lateral network attacks.

SSRF Kodbox
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5679 LOW POC Monitor

OS command injection in Totolink A3300R firmware version 17.0.0cu.557_B20221024 allows authenticated local attackers to execute arbitrary commands via the stun_pass parameter in the vsetTr069Cfg function of /cgi-bin/cstecgi.cgi. The vulnerability has a CVSS score of 5.1 (medium severity) with CVSS:4.0/AV:A/AC:L/PR:L vector indicating adjacent network access and low authentication requirements. Publicly available exploit code exists, though active exploitation status (CISA KEV) is not confirmed.

Command Injection A3300R
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.9%
CVE-2026-5659 LOW POC PATCH Monitor

Unsafe deserialization in pytries datrie through version 0.8.3 enables remote code execution when loading untrusted trie files via Trie.load(), Trie.read(), or Trie.__setstate__(). Unauthenticated remote attackers can exploit this vulnerability by crafting malicious serialized trie objects; publicly available exploit code exists, and the maintainers have not yet addressed the issue despite early notification.

Deserialization Datrie
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5615 LOW POC PATCH Monitor

Cross-site scripting (XSS) in givanz Vvvebjs file upload endpoint allows unauthenticated remote attackers to inject malicious scripts via the uploadAllowExtensions parameter in upload.php. The vulnerability affects Vvvebjs versions up to 2.0.5 and requires user interaction (UI:R). A publicly available exploit exists and a patch (commit 8cac22cff99b8bc701c408aa8e887fa702755336) has been released by the vendor; EPSS exploitation likelihood is indicated as probable (E:P) with a CVSS score of 4.3.

XSS PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5607 LOW POC Monitor

Server-side request forgery (SSRF) in imprvhub mcp-browser-agent through version 0.8.0 allows authenticated remote attackers to manipulate URL parameters in the CallToolRequestSchema handler, enabling them to forge requests to arbitrary servers. Publicly available exploit code exists, and the vendor has not responded to early disclosure attempts, creating unmitigated exposure for users of affected versions.

SSRF Mcp Browser Agent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5671 LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows unauthenticated remote attackers to inject malicious scripts via the batch parameter in the /admin/class%20schedule/delete_batch.php endpoint, compromised by improper input validation. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f and has publicly available exploit code disclosed on GitHub; the vendor has not responded to early notification.

XSS PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5625 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in assafelovic gpt-researcher up to version 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via manipulation of the task argument in the WebSocket Interface component. Publicly available exploit code exists, and the vulnerability affects the file gpt_researcher/skills/researcher.py with low CVSS severity (4.3) but confirmed proof-of-concept availability indicating active technical feasibility.

XSS Gpt Researcher
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5620 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Home parameter in /borrowed_equip_report.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has been publicly disclosed with exploit code available, and demonstrates low attack complexity with network-based delivery requiring valid credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5681 LOW POC Monitor

SQL injection in itsourcecode's 'sanitize or validate this input' application allows authenticated remote attackers to execute arbitrary SQL queries via the emp_id parameter in /borrowedequip.php, potentially compromising data confidentiality and integrity. The vulnerability affects version 1.0 and has publicly available exploit code; exploitation requires valid login credentials but carries low-to-moderate real-world risk given the CVSS 5.3 score and authenticated attack requirement.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5660 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the emp parameter in /borrowed_equip.php, potentially compromising data confidentiality and integrity. The vulnerability has a CVSS score of 5.3 with publicly available exploit code; however, exploitation requires valid authentication credentials and does not grant administrative privileges or enable denial of service.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5649 LOW POC Monitor

SQL injection in code-projects Online Application System for Admission 1.0 allows authenticated remote attackers to execute arbitrary SQL commands via the /enrollment/admsnform.php endpoint, enabling data exfiltration and database manipulation. The vulnerability has a CVSS score of 6.3 (medium severity) with public exploit code disclosed; exploitation requires valid user credentials but no special complexity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5641 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image1.php, potentially compromising data confidentiality, integrity, and availability. Publicly available exploit code exists, elevating real-world risk despite the moderate CVSS score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5640 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the filename parameter in /admin/update-image2.php. The vulnerability affects the parameter handling mechanism and has publicly available exploit code; attackers with administrative credentials can manipulate the filename argument to inject SQL commands, potentially leading to data exfiltration or modification with limited direct impact to confidentiality and integrity of the application layer.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5630 LOW POC Monitor

Stored cross-site scripting (XSS) in assafelovic gpt-researcher versions up to 3.4.3 allows unauthenticated remote attackers to inject malicious scripts via the Report API in backend/server/app.py. The vulnerability requires user interaction (report viewing) to trigger payload execution and carries low integrity impact (CVSS 4.3). Publicly available exploit code exists, and the vendor has not addressed the issue despite early notification.

XSS Gpt Researcher
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5639 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to manipulate the filename parameter in /admin/update-image3.php, leading to database query manipulation with limited confidentiality and integrity impact. The vulnerability carries a CVSS score of 5.3 (medium severity) and requires valid admin credentials to exploit; publicly available exploit code exists but the vulnerability is not confirmed as actively exploited in CISA KEV.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5636 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL queries via the oid parameter in /cancelorder.php, potentially enabling unauthorized data access or modification. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component and carries a CVSS score of 5.3 with confirmed exploitation feasibility.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5635 LOW POC Monitor

SQL injection in PHPGurukul Online Shopping Portal Project 2.1 allows authenticated remote attackers to execute arbitrary SQL commands via the cid parameter in /categorywise-products.php. Publicly available exploit code exists for this vulnerability, which affects the parameter handler component. The attack requires valid user credentials but carries low impact, affecting confidentiality, integrity, and availability of data at limited scope.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5683 LOW POC Monitor

Stack-based buffer overflow in Tenda CX12L firmware version 16.03.53.12 allows authenticated local network attackers to cause memory corruption via manipulation of the page parameter in the P2pListFilter function. The vulnerability requires local network access and authenticated privileges but carries publicly available exploit code, elevating practical risk despite the moderate CVSS score of 5.1.

Tenda Buffer Overflow Stack Overflow
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-5621 LOW POC Monitor

Local command injection in ChrisChinchilla Vale-MCP up to version 0.1.0 allows authenticated local attackers to execute arbitrary OS commands via manipulation of the config_path argument in the HTTP Interface component (src/index.ts). The vulnerability requires local access and valid user privileges, with publicly available exploit code disclosed after vendor non-response, representing a moderate-risk issue in environments where the MCP tool is deployed with local user access.

Command Injection Vale Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.3%
CVE-2026-5619 LOW POC Monitor

OS command injection in Braffolk mcp-summarization-functions through version 0.1.5 allows local attackers with user-level privileges to execute arbitrary system commands by manipulating the command argument in the summarize_command function. The vulnerability affects the src/server/mcp-server.ts component and requires local access; publicly available exploit code exists, and the vendor has not responded to disclosure attempts.

Command Injection Mcp Summarization Functions
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.3%
CVE-2026-5668 LOW POC Monitor

Cross-site scripting (XSS) in Cyber-III Student-Management-System allows high-privileged authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the /admin/Add%20notice/add%20notice.php endpoint. The vulnerability requires user interaction (UI:P) to trigger and is confirmed by publicly available exploit code, though real-world risk is mitigated by high privilege requirements (PR:H) and limited technical impact (integrity only). The product uses rolling releases with no versioning, and the vendor has not responded to early disclosure.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5644 LOW POC Monitor

Stored cross-site scripting (XSS) in Cyber-III Student-Management-System via manipulation of the $_SERVER['PHP_SELF'] variable in the batch-notice.php admin file allows authenticated attackers with high privileges to inject malicious scripts. The vulnerability affects all versions up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f, exploitable remotely with user interaction, and publicly available exploit code exists. CVSS score of 4.8 reflects moderate risk constrained by authentication and interaction requirements, though the integrity impact and active public disclosure elevate operational concern.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-5643 LOW POC Monitor

Reflected cross-site scripting in Cyber-III Student-Management-System up to commit 1a938fa61e9f735078e9b291d2e6215b4942af3f allows high-privilege authenticated attackers to inject malicious scripts via the $_SERVER['PHP_SELF'] parameter in the admin notice endpoint (/admin/Add%20notice/notice.php). Publicly available exploit code exists, and the vulnerability requires user interaction (UI) to trigger, limiting practical impact despite remote accessibility.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-33404 LOW PATCH Monitor

Pi-hole Admin Interface versions 6.0 through 6.4 fail to escape client hostnames and IP addresses from the FTL database when rendering them into the DOM in the Network page and Dashboard chart tooltips, enabling stored cross-site scripting (XSS) attacks. An authenticated admin with high privileges can inject malicious scripts that execute in the context of other administrators' browsers, though the attack requires initial compromise of a DHCP/DNS client hostname field and circumvention of upstream validation in dnsmasq and FTL. This vulnerability is fixed in version 6.5, and no public exploit code or active exploitation has been identified at the time of analysis.

XSS Web Interface
NVD GitHub
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-33405 LOW PATCH Monitor

Stored HTML injection in Pi-hole Admin Interface versions 6.0 through 6.4 allows authenticated high-privilege users to inject unescaped HTML into query log details via the formatInfo() function, affecting the upstream, client IP, and error description fields. JavaScript execution is mitigated by Content Security Policy, limiting the practical impact to HTML-based attacks such as DOM manipulation or phishing content injection. The vulnerability is fixed in version 6.5.

XSS Web
NVD GitHub
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-5622 LOW Monitor

JWT token handling in hcengineering Huly Platform 0.7.382 uses hard-coded cryptographic keys in the token.ts component, allowing remote attackers to forge or manipulate authentication tokens with high attack complexity. The vulnerability affects confidentiality and integrity of token-based authentication but requires significant technical effort to exploit, reflected in a low CVSS score (3.7) and high attack complexity rating. No active exploitation has been confirmed, and the vendor has not responded to disclosure attempts.

Information Disclosure Huly Platform
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5682 LOW Monitor

Meesho Online Shopping App versions up to 27.3 on Android implement risky cryptographic algorithms in the /api/endpoint component (com.meesho.supply), enabling remote attackers to disclose sensitive information without authentication. The vulnerability has CVSS 6.3 severity with public exploit code availability, though exploitation requires high attack complexity. This impacts the confidentiality of user data processed through affected API endpoints.

Google Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-5670 LOW Monitor

Unrestricted file upload in Cyber-III Student-Management-System allows authenticated remote attackers to upload arbitrary files via manipulation of the File parameter in /AssignmentSection/submission/upload.php, leading to potential remote code execution or data exfiltration. The vulnerability affects the move_uploaded_file function and has publicly available exploit code; the vendor has not responded to early disclosure notification. CVSS 5.3 reflects low confidentiality and integrity impact within an authenticated context, though real-world risk depends on file execution permissions and web server configuration.

PHP File Upload Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5623 LOW Monitor

Server-side request forgery in hcengineering Huly Platform 0.7.382 allows authenticated remote attackers to make arbitrary HTTP requests from the affected server via manipulation of the Import Endpoint in server/front/src/index.ts, potentially enabling access to internal resources, metadata disclosure, or lateral movement within the infrastructure. Publicly available exploit code exists, and the vendor has not responded to disclosure attempts.

SSRF Huly Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5675 LOW Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the 'emp' parameter in /borrowed_tool.php, resulting in limited confidentiality, integrity, and availability impact. The vulnerability requires valid credentials (PR:L) but has publicly available exploit code, though exploitation probability remains moderate (EPSS indicates P:P status). This is a classic parameter injection flaw in a PHP application with real but constrained risk due to authentication requirements.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5624 LOW PATCH Monitor

Cross-site request forgery (CSRF) in ProjectSend r2002 allows unauthenticated remote attackers to perform unauthorized file upload operations via the upload.php endpoint with user interaction (UI:R). The vulnerability has been publicly disclosed with exploit code available, and ProjectSend has released patched version r2029 with commit 2c0d25824ab571b6c219ac1a188ad9350149661b to remediate the issue. While the CVSS score of 4.3 indicates low-to-moderate severity, the presence of public exploit code and lack of authentication requirements elevates the real-world risk for unpatched instances.

CSRF PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5647 LOW Monitor

Stored cross-site scripting (XSS) in code-projects Online Shoe Store 1.0 allows authenticated administrators to inject malicious scripts via the product_name parameter in the Add Product Page (/admin/admin_feature.php), which execute in the context of other users' browsers. The vulnerability requires high-privilege administrative access and user interaction (clicking a malicious link), limiting real-world impact, but publicly available exploit code exists.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy