Skip to main content
CVE-2026-33659 LOW POC PATCH Monitor

EspoCRM is an open source customer relationship management application. In versions 9.3.3 and below, the POST /api/v1/Attachment/fromImageUrl endpoint is vulnerable to Server-Side Request Forgery (SSRF) via a DNS rebinding (TOCTOU) condition. Host validation uses dns_get_record() but the actual HTTP request resolves hostnames through curl's internal resolver (gethostbyname()), allowing the two lookups to return different IP addresses for the same hostname. A secondary issue exists where an empty DNS result (due to DNS failure, IPv6-only domains, or non-existent hostnames) causes the validation to implicitly allow the host without further checks. An authenticated attacker with default attachment creation access can exploit this gap to bypass internal IP restrictions and scan internal network ports, confirm the existence of internal hosts, and interact with internal HTTP-based services, though data extraction from binary protocol services and remote code execution are not possible through this endpoint. This issue has been fixed in version 9.3.4.

RCE SSRF Espocrm
NVD GitHub
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-6201 LOW POC Monitor

A vulnerability was identified in CodeAstro Online Job Portal 1.0. The impacted element is an unknown function of the file /jobs/job-delete.php of the component Delete Job Posting Handler. Such manipulation of the argument ID leads to improper access controls. The attack can be launched remotely. The exploit is publicly available and might be used.

Authentication Bypass PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6159 LOW POC Monitor

Cross-site scripting (XSS) in Simple ChatBox up to version 1.0 allows remote attackers to inject malicious scripts via the msg parameter in the /chatbox/insert.php endpoint, with user interaction required. The vulnerability has publicly available exploit code and affects the PHP-based chat application component. Impact is limited to integrity of user sessions, but the attack vector is remote and requires no authentication.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6150 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Simple Laundry System 1.0 allows remote attackers to inject arbitrary scripts via the serviceId parameter in /checkupdatestatus.php. The vulnerability requires user interaction (UI:R) and results in low integrity impact, but is publicly available with exploit code and has been disclosed. CVSS base score is 4.3 with relatively low real-world risk due to UI requirement and limited impact scope, though the presence of public POC increases adoption likelihood among less-skilled attackers.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6202 LOW POC Monitor

A security flaw has been discovered in code-projects Easy Blog Site 1.0. This affects an unknown function of the file post.php. Performing a manipulation of the argument tags results in sql injection. The attack may be initiated remotely. The exploit has been released to the public and may be used for attacks.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6191 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter in /equipments.php, leading to unauthorized data access or modification. The CVSS score of 5.3 reflects low confidentiality and integrity impact, and the extremely low EPSS score (0.03%, 8th percentile) indicates minimal real-world exploitation likelihood despite publicly available exploit code.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6190 LOW POC Monitor

SQL injection in itsourcecode Construction Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the Name parameter in /employees.php, resulting in confidentiality, integrity, and authenticity breaches. The vulnerability requires low-privilege authentication and has publicly available exploit code, elevating practical risk despite the moderate CVSS score of 6.3.

SQLi PHP
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6143 LOW POC PATCH Monitor

Permissive cross-domain policy in farion1231 cc-switch up to version 3.12.3 allows authenticated remote attackers to access sensitive information and modify data across untrusted domains via misconfigured CORS headers in the ProxyServer component. Publicly available exploit code exists, and vendor patches are available; this represents a moderate but actively exploitable configuration flaw affecting networked deployments.

Cors Misconfiguration Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6220 LOW POC Monitor

A vulnerability was identified in HummerRisk up to 1.5.0. This vulnerability affects the function ServerService.addServer of the file ServerService.java of the component Video File Download URL Handler. Such manipulation of the argument streamIp leads to server-side request forgery. It is possible to launch the attack remotely. The exploit is publicly available and might be used. The vendor was contacted early about this disclosure but did not respond in any way.

Java SSRF
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2025-15632 LOW POC PATCH Monitor

Cross-site scripting (XSS) in 1Panel-dev MaxKB up to version 2.4.2 allows authenticated remote attackers to inject malicious scripts via the MdPreview component in ui/src/chat.ts, requiring user interaction to execute. Publicly available exploit code exists for this vulnerability. The vendor released patched version 2.5.0 addressing the flaw with commit 7230daa5ec3e6574b6ede83dd48a4fbc0e70b8d8.

XSS Maxkb
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6162 LOW POC Monitor

Reflected cross-site scripting (XSS) in PHPGurukul Company Visitor Management System 2.0 allows authenticated remote attackers to inject malicious scripts via the fromdate parameter in /bwdates-reports-details.php. The vulnerability requires user interaction (UI:P) and authenticated access (PR:L), but publicly available exploit code exists, elevating practical risk despite the moderate CVSS score of 5.1.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6219 LOW POC Monitor

A vulnerability was determined in aandrew-me ytDownloader up to 3.20.2. This affects the function child_process.exec of the file src/compressor.js of the component Compressor Feature. This manipulation causes command injection. The attack can only be executed locally. The exploit has been publicly disclosed and may be utilized. The vendor was contacted early about this disclosure.

Command Injection Ytdownloader
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-6184 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Simple Content Management System 1.0 allows authenticated high-privilege attackers to inject malicious scripts via the News Title parameter in /web/admin/welcome.php, affecting all versions of the product. The vulnerability requires user interaction (UI:R) to execute but has publicly available exploit code and a low CVSS score (2.4) due to high privilege requirements and limited impact scope.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6192 LOW POC PATCH Monitor

Integer overflow in OpenJPEG's opj_pi_initialise_encode function (versions 2.5.0-2.5.4) allows authenticated local attackers to trigger availability impact via crafted input to the pi.c library module. The vulnerability has a publicly available proof-of-concept and carries an EPSS score of 0.01% (2nd percentile), reflecting minimal real-world exploitation likelihood despite the presence of exploit code. Patch commit 839936aa33eb8899bbbd80fda02796bb65068951 is available from the vendor.

Buffer Overflow Integer Overflow Openjpeg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-40263 LOW PATCH GHSA Monitor

{ return ErrUnauthorized } err = bcrypt.CompareHashAndPassword(user.PasswordHash, []byte(password)) ``` This creates a measurable timing discrepancy between: - **existing username + wrong password** requests, which incur bcrypt cost - **nonexistent username + any password** requests, which avoid bcrypt entirely Because no constant-time equalization is performed, the endpoint leaks account existence through timing behavior. The measurements provided show a large and consistent gap between the two cases across repeated trials, making the difference distinguishable without requiring especially high request volume. In the supplied test results: - existing user requests averaged about `0.0616s` - nonexistent user requests averaged about `0.0027s` That gap is large enough to support reliable username enumeration under typical testing conditions. The issue can be reproduced by sending repeated authentication attempts to the login endpoint using the same invalid password while alternating between a known valid username and a nonexistent username, then comparing average response times. Valid usernames consistently take longer because bcrypt verification is performed. - **Type:** Timing side-channel / username enumeration - **Who is impacted:** Any deployment exposing the affected login endpoint - **Security impact:** Unauthenticated attackers can confirm valid usernames one at a time, improving the effectiveness of credential stuffing, password spraying, phishing, and other targeted account attacks - **Attack preconditions:** None beyond network access to the login endpoint - **Confidentiality impact:** Low to moderate, depending on the sensitivity of account existence in the target environment

Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-36943 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/repairs/manage_repair.php allows authenticated administrators to extract or modify limited database information. The attack requires high-level administrative privileges and produces only confidentiality impact; EPSS probability is minimal (0.02%), and CISA SSVC assessment indicates no evidence of real-world exploitation.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36944 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated high-privilege users to read sensitive database content via crafted input in the repairs details viewer. The vulnerability requires admin-level authentication and carries minimal real-world risk given the CVSS 2.7 score, EPSS 0.02% exploitation probability, and CISA SSVC assessment indicating no known exploitation, non-automatable attack, and only partial technical impact (confidentiality). No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36945 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 allows authenticated administrators to execute arbitrary SQL queries via the /rsms/admin/clients/manage_client.php endpoint, potentially exposing sensitive data with low confidentiality impact. The vulnerability requires high-privilege administrator authentication and carries minimal real-world risk (EPSS 0.02%, SSVC indicates no exploitation activity), but represents a common code quality issue in open-source PHP applications that warrants remediation during security updates.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36941 LOW Monitor

SQL Injection in Sourcecodester Online Resort Management System v1.0 allows authenticated administrators to extract or modify database contents via the /orms/admin/rooms/manage_room.php endpoint. The vulnerability requires high-privilege administrative access and has minimal real-world impact given the CVSS score of 2.7, EPSS exploitation probability of 0.02%, and CISA SSVC determination of non-exploitable status with only partial technical impact. No active exploitation has been confirmed.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36937 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows authenticated high-privilege users to execute arbitrary SQL queries via the /orms/admin/reservations/view_details.php endpoint, resulting in limited information disclosure. The vulnerability requires administrative access and carries minimal real-world risk due to CVSS 2.7, EPSS 0.02% (6th percentile), and SSVC framework assessment indicating no active exploitation and non-automatable attack requirements.

SQLi PHP
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36938 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privileged authenticated attackers to query the database with limited confidentiality impact via the /orms/admin/rooms/view_room.php endpoint. The CVSS score of 2.7 and EPSS percentile of 6% reflect low real-world exploitation probability; SSVC assessment confirms no known automated exploit path and only partial technical impact (information disclosure). No public exploit code or active exploitation has been identified.

SQLi PHP
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36872 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract limited information from the database via crafted input to /librarysystem/load_book.php. The vulnerability requires administrative credentials and has very low real-world risk (EPSS 0.02%, CVSS 2.7) with no public exploit code identified; CISA does not list it as actively exploited.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36947 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/services/view_service.php allows authenticated administrators to extract sensitive database information with low complexity. The vulnerability requires high-privilege (admin) access and does not enable data modification or denial of service, limiting real-world impact despite the unauthenticated attack vector network availability. No active exploitation or public proof-of-concept tools have been confirmed; EPSS score of 0.02% and SSVC framework rating 'none' exploitation status indicate minimal practical risk despite CVSS 2.7 rating.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36923 LOW Monitor

SQL Injection in Sourcecodester Cab Management System 1.0 allows high-privilege administrators to extract limited database information via the /cms/admin/bookings/view_booking.php endpoint. The vulnerability requires authenticated admin access and carries minimal real-world risk given its low EPSS score (0.02%) and CISA SSVC assessment indicating no exploitation status, non-automatable exploitation, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36873 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /librarysystem/load_admin.php endpoint. The vulnerability requires administrative authentication, limiting exposure to compromised or malicious admin accounts. EPSS exploitation probability is minimal at 0.02% (6th percentile), and no public exploit code has been identified, making this a low-priority issue despite the SQL injection vector.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36922 LOW Monitor

SQL injection in Sourcecodester Cab Management System v1.0 allows high-privilege authenticated attackers to extract sensitive data via the /cms/admin/categories/view_category.php endpoint. The vulnerability requires administrative credentials and has minimal real-world impact (CVSS 2.7, EPSS 0.02%), with no evidence of active exploitation or public exploit code.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36874 LOW Monitor

SQL injection in Sourcecodester Basic Library System v1.0 at /librarysystem/load_student.php allows high-privilege authenticated attackers to read sensitive database information. The vulnerability requires administrative-level privileges and manual user interaction is absent, but real-world risk is minimal due to extremely low EPSS score (0.02%), CVSS severity of 2.7, and CISA SSVC assessment indicating no exploitation activity, non-automatable conditions, and only partial technical impact.

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36919 LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated attackers to conduct limited information disclosure through the exam update functionality at /system/system/admins/assessments/examproper/exam-update.php. The vulnerability carries minimal real-world risk due to required administrative privileges (PR:H), low EPSS exploitation probability (0.02%), and CISA SSVC assessment indicating no exploitation trend, non-automatable attack, and only partial technical impact.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36920 LOW Monitor

SQL injection in Sourcecodester Online Reviewer System v1.0 allows high-privileged authenticated users to extract limited data via a crafted SQL query in the questions-view.php endpoint. The vulnerability requires administrator-level credentials and lacks evidence of active exploitation or public exploit tooling, resulting in a minimal real-world risk profile despite confirmed SQL injection capability.

SQLi PHP N A
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36946 LOW Monitor

SQL injection in Sourcecodester Computer and Mobile Repair Shop Management System v1.0 at /rsms/admin/inquiries/view_details.php allows high-privileged authenticated administrators to extract limited data via crafted SQL queries. The vulnerability requires admin-level access and produces only confidentiality impact with minimal real-world exploitation likelihood (EPSS 0.02%, CVSS 2.7, SSVC framework indicates no practical exploitation path).

SQLi PHP
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36942 LOW Monitor

SQL injection in Sourcecodester Online Resort Management System v1.0 allows high-privilege authenticated attackers to read sensitive application data via crafted input to the /orms/admin/activities/manage_activity.php endpoint. The vulnerability requires administrator-level credentials and produces only confidentiality impact with negligible real-world exploitation risk, as indicated by 0.02% EPSS score and CISA SSVC partial technical impact assessment.

PHP SQLi
NVD GitHub VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36950 LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 allows high-privilege authenticated attackers to extract sensitive information via the /otas/projects_per_department.php endpoint. The vulnerability requires admin-level credentials (PR:H per CVSS) and has minimal confidentiality impact with an EPSS score of 0.01%, indicating very low real-world exploitation probability despite public disclosure on GitHub.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-36952 LOW Monitor

SQL injection in Sourcecodester Online Thesis Archiving System v1.0 at /otas/admin/curriculum/manage_curriculum.php allows authenticated high-privileged administrators to extract sensitive database information through unsanitized query parameters. With a CVSS score of 2.7 and EPSS of 0.01% (2nd percentile), this vulnerability presents minimal real-world risk despite valid SQL injection mechanics, as exploitation requires admin-level credentials and yields only confidentiality impact. No public exploit code or active exploitation has been confirmed.

PHP SQLi
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-34849 LOW Monitor

Use-after-free vulnerability in HarmonyOS screen management module allows local, unauthenticated attackers with user interaction to cause denial of service through a race condition. CVSS score of 2.5 reflects low severity with availability impact only; no confidentiality or integrity compromise. No public exploit code or active exploitation confirmed at time of analysis.

Race Condition Information Disclosure
NVD
CVSS 3.1
2.5
EPSS
0.0%
CVE-2026-6141 LOW PATCH Monitor

OS command injection in danielmiessler Personal_AI_Infrastructure up to version 2.3.0 allows authenticated remote attackers to execute arbitrary system commands via a malicious URL parameter in the parse_url.ts parser tool. The vulnerability requires low-privilege authentication and has publicly available exploit code; the vendor released a patched version promptly after disclosure.

Command Injection Personal Ai Infrastructure
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-34851 LOW Monitor

Race condition in Huawei HarmonyOS event notification module allows local authenticated users with user interaction to cause denial of service through availability impact. The vulnerability requires local access, high attack complexity, and user interaction; with a CVSS score of 2.2, it represents minimal real-world risk. No public exploit code or active exploitation has been confirmed at this time.

Race Condition Information Disclosure
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-30812 LOW Monitor

Stored Cross-Site Scripting (XSS) in Pandora FMS versions 777 through 800 allows authenticated users with low privileges to inject malicious scripts via event comments, which execute in the browsers of other users viewing those comments. The vulnerability has a CVSS score of 2.1 with low confidentiality and integrity impact, requiring user interaction and attack preparation time to exploit. No public exploit code or active exploitation has been identified.

XSS Pandora Fms
NVD
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6215 LOW Monitor

A weakness has been identified in DbGate up to 7.1.4. The impacted element is the function apiServerUrl1 of the file packages/rest/src/openApiDriver.ts of the component REST/GraphQL. This manipulation causes server-side request forgery. The attack may be initiated remotely. The exploit has been made available to the public and could be used for attacks. The vendor was contacted early about this disclosure but did not respond in any way.

SSRF Dbgate
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6216 LOW PATCH Monitor

A security vulnerability has been detected in DbGate up to 7.1.4. This affects an unknown function of the file packages/web/src/icons/FontIcon.svelte of the component SVG Icon String Handler. Such manipulation of the argument applicationIcon leads to cross site scripting. The attack may be launched remotely. The exploit has been disclosed publicly and may be used. Upgrading to version 7.1.5 mitigates this issue. It is advisable to upgrade the affected component.

XSS Dbgate
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-0233 LOW PATCH NEWS Monitor

Remote code execution in Palo Alto Networks Autonomous Digital Experience Manager on Windows via certificate validation bypass allows unauthenticated attackers with adjacent network access to execute arbitrary code with NT AUTHORITY\SYSTEM privileges. CVSS score is 2.0 but reflects a physical adjacency attack vector (AV:P); real-world risk depends on network topology and whether the manager is exposed on trusted adjacent networks. No public exploit code or active exploitation has been confirmed at time of analysis.

Paloalto RCE Microsoft Autonomous Digital Experience Manager
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-34850 LOW Monitor

Race condition in Huawei HarmonyOS notification service allows local high-privilege attackers to cause limited availability impact through timing-dependent exploitation. CVSS 1.9 reflects minimal real-world risk due to high attack complexity, elevated privileges, and no confidentiality or integrity effects. No public exploit code or active exploitation confirmed.

Race Condition Information Disclosure
NVD
CVSS 3.1
1.9
EPSS
0.0%
CVE-2026-32270 LOW PATCH GHSA Monitor

Craft Commerce is an ecommerce platform for Craft CMS. In versions 4.0.0 through 4.10.2 and 5.0.0 through 5.5.4, the PaymentsController::actionPay discloses some order data to unauthenticated users when an order number is provided and the email check fails during an anonymous payment. The JSON error response includes the serialized order object (order), which contains some sensitive fields such as customer email, shipping address, and billing address. The frontend payment flow's actionPay() retrieves orders by number before authorization is fully enforcedLoad order by number. This issue has been fixed in versions 4.11.0 and 5.6.0.

Information Disclosure Commerce
NVD GitHub
CVSS 4.0
1.7
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy