Skip to main content
CVE-2026-5719 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the code parameter in /borrowedtool.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a CVSS score of 6.3 (Medium) with publicly available exploit code; exploitation requires valid user credentials but no user interaction.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5382 LOW PATCH Monitor

Incorrect authorization in runZero Platform MCP endpoints allows authenticated high-privilege users to access records outside their authorized organization scope, exposing sensitive data across organizational boundaries. The vulnerability affects runZero Platform versions prior to 4.0.260206.0 and requires high-privilege credentials to exploit, resulting in limited confidentiality impact. No public exploit code or active exploitation has been identified.

Authentication Bypass Platform
NVD
CVSS 3.1
3.0
EPSS
0.0%
CVE-2026-5379 LOW PATCH Monitor

runZero Platform versions prior to 4.0.260203.0 allow authenticated high-privilege MCP agents to access certificate information outside their authorized organization scope, enabling lateral information disclosure across organizational boundaries. The vulnerability stems from improper authorization checks (CWE-863) and carries a CVSS score of 3.0 (Low) due to high attack complexity and privilege requirements; no public exploit code or active exploitation has been identified.

Authentication Bypass Platform
NVD
CVSS 3.1
3.0
EPSS
0.0%
CVE-2026-34781 LOW PATCH GHSA Monitor

Denial of service in Electron's clipboard.readImage() allows local authenticated attackers to crash applications by supplying malformed image data on the system clipboard. The vulnerability affects Electron versions prior to 39.8.5, 40.8.5, 41.1.0, and 42.0.0-alpha.5, but only impacts apps that explicitly call clipboard.readImage(). No code execution or memory corruption is possible; the attack results in a controlled process abort when a null bitmap is passed unchecked to image construction. Vendor-released patches are available across all supported release lines.

Denial Of Service RCE Null Pointer Dereference Buffer Overflow
NVD GitHub
CVSS 3.1
2.8
EPSS
0.0%
CVE-2026-5375 LOW PATCH Monitor

runZero Platform API exposes sensitive credential fields to high-privilege users via unauthenticated remote requests, allowing information disclosure of confidential data. Affected versions prior to 4.0.260203.0 permit high-privilege account holders to retrieve sensitive fields through API responses that should be restricted. The vulnerability requires high privileges (PR:H) and has low real-world impact (CVSS 2.7), but affects the core credential management functionality of the runZero asset intelligence platform.

Information Disclosure Platform
NVD
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-4292 LOW PATCH GHSA Monitor

Django admin changelist forms with ModelAdmin.list_editable enabled allow high-privileged users to create new instances via forged POST requests, bypassing intended access controls. Affects Django 6.0 before 6.0.4, 5.2 before 5.2.13, and 4.2 before 4.2.30; unsupported versions 5.0.x, 4.1.x, and 3.2.x may also be vulnerable. The vulnerability requires admin-level privileges and results in unauthorized data modification rather than data exposure or availability impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass Python
NVD VulDB HeroDevs
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-5381 LOW PATCH Monitor

runZero Platform versions prior to 4.0.260205.0 contain an incorrect authorization flaw that allows authenticated high-privileged users to access task information outside their authorized organization scope via network-based vectors with high complexity. The vulnerability is low-severity (CVSS 2.2) and limited to confidentiality impact (information disclosure), with no public exploit identified at time of analysis.

Authentication Bypass Platform
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-39349 LOW PATCH Monitor

OrangeHRM 5.0 through 5.8 uses AES encryption in ECB mode for sensitive fields, allowing attackers with high-level privileges to infer patterns in encrypted data through block-aligned plaintext analysis. This cryptographic weakness does not enable direct decryption but permits pattern disclosure against stored sensitive information, classified as information disclosure with low confidentiality impact. The vulnerability is fixed in version 5.8.1, and exploitation requires network access, high administrative privileges, and specific timing conditions that make real-world exploitation unlikely despite the remotely accessible attack vector.

Information Disclosure Orangehrm
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-5705 LOW Monitor

Reflected cross-site scripting (XSS) in code-projects Online Hotel Booking 1.0 allows unauthenticated remote attackers to inject malicious scripts via the roomname parameter in the /booknow.php endpoint, exploitable through user interaction (UI:P). Publicly available exploit code exists for this vulnerability, which carries a moderate CVSS score of 5.3 but limited impact scope (information disclosure only, no integrity or availability impact).

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-27949 LOW PATCH Monitor

Plane project management tool versions prior to 1.3.0 leak user email addresses in authentication error URLs, transmitting personally identifiable information via unencrypted GET query parameters. The vulnerability requires high-privilege access and user interaction to trigger, exposing email disclosure with low confidentiality impact and no integrity or availability consequences. This is a low-severity information disclosure issue with CVSS 2.0, actively patched in version 1.3.0.

Information Disclosure Plane
NVD GitHub
CVSS 3.1
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy