Skip to main content
CVE-2026-6572 LOW POC Monitor

Improper authorization in Collabora KodExplorer up to version 4.52 allows remote unauthenticated attackers to bypass authentication via manipulation of the fileUpload parameter in the /app/controller/share.class.php endpoint, potentially enabling unauthorized file access or modification with low confidentiality, integrity, and availability impact. Publicly available exploit code exists; however, the attack requires high complexity and is described as difficult to execute in practice, limiting real-world exploitation despite public disclosure and vendor non-responsiveness.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-6578 LOW POC Monitor

Liangliangyy DjangoBlog up to version 2.1.0.0 contains hard-coded credentials in the SECRET_KEY parameter within djangoblog/settings.py, allowing remote unauthenticated attackers to bypass authentication and encrypt/decrypt sensitive session data. The vulnerability has been publicly disclosed with exploit code available on GitHub, though the vendor did not respond to early disclosure notification. With a CVSS score of 5.6 and AC:H rating, practical exploitation requires moderate technical effort but affects confidentiality, integrity, and availability.

Authentication Bypass Djangoblog
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-6576 LOW POC Monitor

Command injection in DjangoBlog WeChat Bot Interface allows authenticated remote attackers to execute arbitrary system commands by manipulating the Source argument in the CommandHandler function. Affected versions up to 2.1.0.0 are vulnerable. The exploit has been publicly disclosed on GitHub, and the vendor has not responded to early disclosure attempts. CVSS score of 6.3 reflects moderate severity with network-accessible attack vector requiring authentication.

Command Injection Djangoblog
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-6573 LOW POC Monitor

Server-side request forgery in PHPEMS 11.0 allows authenticated remote attackers to manipulate the uploadfile parameter in the Instant Exam Creation Handler component, enabling SSRF attacks that can access internal resources or perform unauthorized requests from the server. The vulnerability affects the temppage function in /app/exam/controller/exams.master.php and has public exploit code available, though exploitation requires valid user credentials (PR:L).

PHP SSRF
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6571 LOW POC Monitor

Kodcloud KodExplorer up to version 4.52 contains an authorization bypass vulnerability in the roleGroupAction function that allows authenticated remote attackers to manipulate the group_role parameter and gain unauthorized access to sensitive information and system modification capabilities. The vulnerability has a CVSS score of 6.3 with public exploit code available, and the vendor has not responded to early disclosure notifications, leaving deployed instances without official patching options.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6564 LOW POC Monitor

Improper authorization in EMQ EMQX Enterprise 6.0-6.1.0 allows authenticated remote attackers to trigger a denial-of-service condition via unspecified manipulation of the Session Handling component. CVSS 4.3 with attack vector AV:N/AC:L/PR:L reflects network-exploitable impact limited to availability; publicly available exploit code exists but active exploitation has not been confirmed by CISA KEV. The vendor has not responded to early disclosure notification.

Authentication Bypass Emqx Enterprise
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6585 LOW POC Monitor

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated users to modify arbitrary organizations by manipulating the organisation_id parameter in the Organisation Update Endpoint, causing integrity and availability impact. Remote exploitation requires valid credentials and is limited to authenticated users (CVSS PR:L), but publicly available exploit code exists and the vendor has not responded to disclosure.

Authentication Bypass Superagi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6584 LOW POC Monitor

Authorization bypass in TransformerOptimus SuperAGI up to version 0.0.14 allows authenticated remote attackers to modify user accounts by manipulating the user_id parameter in the User Update Endpoint (superagi/controllers/user.py), enabling unauthorized data modification and availability impact. Publicly available exploit code exists; the vendor has not responded to disclosure efforts.

Authentication Bypass Superagi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6583 LOW POC Monitor

Authorization bypass in TransformerOptimus SuperAGI API Key Management allows authenticated users to delete or edit arbitrary API keys beyond their own permissions, affecting versions up to 0.0.14. The vulnerability exists in the delete_api_key and edit_api_key endpoints and enables authenticated attackers to manipulate other users' credentials remotely with low complexity. Publicly available exploit code exists, and the vendor has not responded to early disclosure.

Authentication Bypass Superagi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6570 LOW POC Monitor

Remote authorization bypass in KodCloud KodExplorer up to version 4.52 allows high-privileged authenticated attackers to manipulate the path argument in the initInstall function (/app/controller/systemMember.class.php), resulting in integrity compromise. The exploit code is publicly available, and the vendor has not responded to early disclosure notifications, leaving deployed instances vulnerable without official remediation guidance.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6561 LOW POC Monitor

EyouCMS versions up to 1.7.1 allow high-privileged attackers to upload arbitrary files via manipulation of the filename parameter in the edit_adminlogo function, leading to information disclosure and potential code execution. The vulnerability requires authenticated admin access and is publicly exploitable with proof-of-concept code available on GitHub; the vendor has not responded to disclosure attempts.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy