Skip to main content
CVE-2026-6986 LOW POC PATCH Monitor

Improper verification of cryptographic signatures in Cesanta Mongoose versions up to 7.20 allows remote attackers to bypass GCM authentication tag validation in the mg_aes_gcm_decrypt function. The vulnerability has high attack complexity and requires no user interaction, but provides only integrity impact (not confidentiality or availability). Publicly available exploit code exists, and vendor has released patched version 7.21.

Jwt Attack Information Disclosure
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-6989 LOW POC Monitor

Command injection in Tenda F453 firmware up to version 1.0.0.3 allows authenticated remote attackers to execute arbitrary system commands via the TendaTelnet function in the /goform/telnet endpoint. The vulnerability has publicly available exploit code and may be actively used against deployed devices. Attack requires low-privilege authentication but carries significant risk due to the telnet service's direct command execution capability.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-6979 LOW POC Monitor

Server-side request forgery (SSRF) in devlikeapro WAHA up to version 2026.3.4 allows authenticated remote attackers to forge requests from the server via the media.controller.ts API endpoint, enabling potential reconnaissance, internal resource access, and lateral movement attacks. Publicly available exploit code exists and the vendor has not responded to disclosure efforts.

SSRF Waha
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6981 LOW POC Monitor

Server-side request forgery (SSRF) in AiraHub2 allows authenticated remote attackers to manipulate the connect_stream_endpoint and sync_agents functions in AiraHub.py, enabling arbitrary HTTP requests to internal or external systems. The vulnerability affects multiple endpoints and has publicly available exploit code; however, the vendor has not responded to disclosure attempts and uses a rolling release model, making patch status unclear.

SSRF Airahub2
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-6984 LOW POC Monitor

Server-side template injection in AstrBot Dashboard API (version 4.22.1 and earlier) allows remote authenticated attackers with high privileges to execute arbitrary template code via the create_template function, leading to information disclosure and potential code execution. Publicly available exploit code exists, and the vendor has not yet responded to disclosure despite early notification.

Information Disclosure Ssti
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6983 LOW POC Monitor

Server-side request forgery (SSRF) in Pagekit up to version 1.0.18 allows authenticated high-privilege administrators to manipulate the url parameter in the /index.php/admin/system/update/download endpoint, enabling them to force the server to make arbitrary HTTP requests to internal or external systems. Publicly available exploit code exists, and the vendor did not respond to early disclosure efforts.

PHP SSRF
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6978 LOW POC Monitor

SQL injection in JiZhiCMS up to version 2.5.6 allows authenticated high-privileged administrators to execute arbitrary SQL queries via the sqls parameter in the /index.php/admins/Sys/addcache.html endpoint. The vulnerability is remotely exploitable and publicly available exploit code exists, though the low CVSS score (4.7) reflects the requirement for high-level administrative authentication, limiting real-world attack surface.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6990 LOW POC Monitor

Stored cross-site scripting (XSS) in projeto-siga SIGA 11.0.3.18 allows authenticated remote attackers to inject malicious scripts via the Nome/Descrição parameter in the /sigawf/app/responsavel/novo endpoint. Successful exploitation requires user interaction (UI:R) and an authenticated session (PR:L), limiting impact to information disclosure (I:L). Public exploit code is available, though exploitation remains constrained by authentication and user interaction requirements.

XSS Siga
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-6991 LOW Monitor

SQL injection vulnerability in Zod CUID Data Type Handler affects versions up to 4.3.6, allowing authenticated remote attackers to manipulate input validation logic in the regex component and execute arbitrary SQL queries. The vulnerability has been publicly disclosed with proof-of-concept code available; the vendor was contacted early but provided no response, and no patch has been issued as of analysis time.

SQLi Zod
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7000 LOW Monitor

Reflected cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows remote attackers with high administrative privileges to inject malicious scripts via the VLAN Name parameter on the VLAN Page, exploitable only with user interaction. Public exploit code is available, and the vendor has not responded to early disclosure notifications.

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7001 LOW Monitor

Cross-site scripting (XSS) in Datacom DM4100 version 1.3.6.1.4.1.3709 allows authenticated remote attackers to inject malicious scripts via manipulation of the Name parameter in the Ethernet Configuration Page. The vulnerability requires high-privilege administrative access and user interaction to trigger, limiting real-world impact despite public exploit availability. Vendor has not responded to disclosure.

XSS Dm4100
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6999 LOW Monitor

Cross-site scripting (XSS) vulnerability in BIVOCOM TR321 version 21.1.1.50 allows authenticated remote attackers with high privileges to inject malicious scripts via manipulation of the Network Name SSID parameter in the Wireless Setting component. The vulnerability requires user interaction to trigger and has limited integrity impact. Exploit code has been publicly published, though the vendor has not responded to disclosure attempts.

XSS Tr321
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6998 LOW Monitor

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 Build 86345 via the Owner parameter on the New RMON Statistics Page allows authenticated remote attackers to inject malicious scripts. The vulnerability requires user interaction (clicking a crafted link) and high-privilege access to exploit, limiting real-world risk despite public exploit availability. The vendor has not responded to disclosure attempts.

XSS P3310D
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6997 LOW Monitor

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 10.1.0F-86345 allows authenticated remote attackers with high privileges to inject malicious scripts via the Owner parameter on the New RMON History Page, requiring user interaction to execute. Publicly available exploit code exists, and the vendor has not responded to early disclosure notification.

XSS P3310D
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6996 LOW Monitor

Stored cross-site scripting (XSS) in BDCOM P3310D 0.4.2 build 86345 allows authenticated remote attackers to inject malicious scripts via the Description parameter in the rmon event Tab component. The vulnerability requires high-privilege authentication and user interaction to trigger, limiting practical exploitation scope. Public exploit code is available; however, the low CVSS score (2.4) reflects the authentication barrier and limited confidentiality/availability impact.

XSS P3310D
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-6995 LOW Monitor

Reflected cross-site scripting (XSS) in BDCOM P3310D 0.4.2 10.1.0F Build 86345 allows high-privileged authenticated users to inject malicious scripts via the User name parameter in the New User Page (/index.asp), affecting only the injecting user's session due to session-scoped impact. Public exploit code is available, but exploitation requires administrative credentials and user interaction (form submission), significantly limiting real-world attack surface despite the remote attack vector.

XSS P3310D
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy