Skip to main content
CVE-2026-6579 MEDIUM POC This Month

DjangoBlog up to version 2.1.0.0 contains an authentication bypass vulnerability in the blog/views.py Clean Endpoint that allows remote unauthenticated attackers to trigger cache purge or data manipulation operations. The vulnerability has a CVSS score of 6.5 (medium severity) with network-accessible attack vector and low complexity; publicly available exploit code exists, and the vendor has not responded to early disclosure.

Authentication Bypass Djangoblog
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-6568 MEDIUM POC This Month

Path traversal in kodcloud KodExplorer 4.52 and earlier allows unauthenticated remote attackers to access unauthorized files via the public share handler's path parameter. The vulnerability has publicly available exploit code (EPSS data not provided, not listed in CISA KEV). The vendor did not respond to responsible disclosure, leaving all versions through 4.52 unpatched at time of analysis.

PHP Path Traversal
NVD VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-6582 MEDIUM POC This Month

Remote unauthenticated access to vector database configurations in TransformerOptimus SuperAGI ≤0.0.14 allows attackers to retrieve, modify, or disrupt stored embeddings via the /vector_dbs endpoint. Missing authentication (CWE-306) in the get_vector_db_details function enables unauthorized manipulation of AI agent knowledge bases with CVSS 7.3. Publicly available exploit code exists (Proof-of-Concept published on GitHub Gist), but no active exploitation confirmed via CISA KEV. EPSS data not provided. Vendor unresponsive to early disclosure per VulDB report.

Authentication Bypass Superagi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-6577 MEDIUM POC This Month

Missing authentication in DjangoBlog 2.1.0.0 and prior allows remote unauthenticated attackers to inject GPS tracking data via the owntracks/views.py logtracks endpoint. Publicly available exploit code exists (GitHub POC). CVSS 7.3 with full network attack vector (AV:N/AC:L/PR:N/UI:N). EPSS and KEV status not provided, but POC availability indicates medium-to-high exploitation risk for internet-facing DjangoBlog instances with OwnTracks integration enabled. Vendor non-responsive to disclosure.

Authentication Bypass Djangoblog
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-6580 MEDIUM POC This Month

Hard-coded Amap API key exposure in DjangoBlog allows remote attackers to abuse geolocation services without authentication. DjangoBlog versions up to 2.1.0.0 embed a fixed cryptographic key in owntracks/views.py for Amap API calls, enabling unauthorized API usage with low confidentiality, integrity, and availability impact. Publicly available exploit code exists (POC=YES). EPSS data not provided. Not listed in CISA KEV. Vendor unresponsive to disclosure.

Information Disclosure Djangoblog
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6574 MEDIUM POC This Month

Hard-coded credentials in osuuu LightPicture versions up to 1.2.2 allow unauthenticated remote attackers to bypass authentication via the /public/install/lp.sql file at the API upload endpoint. The vulnerability enables unauthorized access with confidentiality, integrity, and availability impacts. A public exploit exists (CVSS:3.1 E:P), significantly lowering the attack barrier. The vendor was notified but has not responded or issued patches.

Authentication Bypass Lightpicture
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6562 MEDIUM POC This Month

SQL injection in dameng100 muucmf 1.9.5.20260309 allows remote unauthenticated attackers to compromise database confidentiality, integrity, and availability via the 'keyword' parameter in /index/Search/index.html. Public exploit code is available (thinhneee.github.io), increasing immediate exploitation risk. EPSS and KEV data not available, but CVSS 7.3 with network attack vector (AV:N), low complexity (AC:L), and no authentication required (PR:N) indicate high accessibility. Vendor (dameng100) has not responded to disclosure, suggesting no official patch timeline.

SQLi Muucmf
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-6569 MEDIUM This Month

Improper authentication in kodcloud KodExplorer versions up to 4.52 allows unauthenticated remote attackers to bypass access controls via the fileGet endpoint. The vulnerability resides in the fileGet function within /app/controller/share.class.php, exploitable by manipulating the fileUrl parameter. With CVSS 7.3 and network attack vector requiring no privileges or user interaction, this enables unauthorized file access and potential data manipulation. EPSS score unavailable; no CISA KEV listing indicates no confirmed widespread exploitation. Vendor non-responsive to disclosure attempts.

PHP Authentication Bypass
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-0868 MEDIUM This Month

Stored cross-site scripting (XSS) in EMC - Easily Embed Calendly Scheduling Features WordPress plugin versions 4.4 and earlier allows authenticated contributors and above to inject arbitrary JavaScript into pages via insufficiently sanitized shortcode attributes, executing malicious scripts whenever site visitors access the affected pages. No public exploit code or active exploitation has been confirmed at analysis time.

XSS WordPress
NVD VulDB
CVSS 3.1
6.4
EPSS
0.0%
CVE-2026-6559 MEDIUM PATCH This Month

Stored cross-site scripting (XSS) in Wavlink WL-WN579A3 wireless router allows remote unauthenticated attackers to inject malicious scripts via the Hostname parameter in /cgi-bin/login.cgi, affecting all firmware versions prior to 2026-03-10. The vulnerability requires user interaction (UI:R) to trigger payload execution in a victim's browser, limiting direct remote code execution but enabling credential theft, session hijacking, or malware distribution. A vendor patch was released promptly after responsible disclosure.

XSS Wl Wn579a3
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy