Skip to main content
CVE-2026-7018 LOW POC PATCH Monitor

Datavane Datavines up to commit 13607645e14a4982468cfdbcf75c85cde63bae71 uses a hard-coded cryptographic key in the JWT Token Handler component, allowing remote attackers to manipulate the tokenSecret parameter and bypass authentication or forge tokens. The vulnerability requires high attack complexity but has publicly available exploit code; the vendor has been informed via pull request but has not yet merged the fix.

Information Disclosure Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7041 LOW POC Monitor

Information disclosure in MiroFish up to version 0.1.2 allows remote attackers to leak sensitive data through manipulation of the SECRET argument in the Werkzeug Debugger PIN Handler at the /console endpoint. The vulnerability requires high attack complexity and has a low CVSS score (3.7) indicating limited confidentiality impact, but publicly available exploit code exists and the vendor has not responded to early notification.

Information Disclosure Mirofish
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7024 LOW POC Monitor

Path traversal in rawchen sims DeleteFileServlet endpoint allows authenticated remote attackers to manipulate the filename parameter and access arbitrary files on the system, potentially leading to information disclosure or file modification. The vulnerability affects all versions up to commit 004f783b1db5ecdfad81c8fdc3b34171211112de, with publicly available exploit code and no vendor response to early disclosure notification.

Java Path Traversal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-7044 LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 allows authenticated remote attackers to upload arbitrary files via the themeadd function in the custom admin module, potentially enabling remote code execution or content manipulation. Publicly available exploit code exists and the vulnerability affects only end-of-life versions of the product.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7043 LOW POC Monitor

Unrestricted file upload in GreenCMS up to version 2.3 via the pluginAddLocal function in /index.php?m=admin&c=custom&a=pluginadd allows authenticated remote attackers to upload arbitrary files, leading to potential remote code execution. The vulnerability affects only unsupported legacy versions. Publicly available exploit code exists, and the CVSS vector confirms network-accessible exploitation requiring low privileges.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7023 LOW POC Monitor

SQL injection in ByteDance coze-studio up to version 0.5.1 allows authenticated remote attackers to manipulate the ExecuteSQL function in the databaseTool component, enabling arbitrary SQL query execution with limited confidentiality and integrity impact. The vulnerability has a publicly available exploit and affects the backend database service layer; the vendor has not responded to disclosure efforts.

SQLi Coze Studio
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7028 LOW POC Monitor

SQL injection in CodeAstro Online Job Portal 1.0 allows authenticated admin users to manipulate the ID parameter in /admin/jobs-admins/delete-jobs.php, enabling remote SQL injection attacks against the database. The vulnerability requires high-level admin privileges (PR:H) but has a publicly available exploit and low attack complexity (AC:L), permitting remote attackers with admin access to read, modify, or delete sensitive database records. Exploitation is confirmed by public proof-of-concept code.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7016 LOW POC PATCH Monitor

Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the ushki Plugin's f_ushka_new or f_ushk parameters. The vulnerability requires user interaction to trigger, but publicly available exploit code exists. Vendor classified this as self-XSS and fixed the root cause (missing htmlspecialchars() filtering) in version 109.4.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7015 LOW POC PATCH Monitor

Cross-site scripting (XSS) in MaxSite CMS Guestbook Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_text, f_slug, f_limit, or f_email parameters due to missing htmlspecialchars() output filtering. The vulnerability requires high-privilege authentication and user interaction (UI:P), limiting it to trusted administrators, but publicly available exploit code exists. Upgrading to version 109.4 resolves the issue by implementing proper output encoding.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7013 LOW POC PATCH Monitor

Cross-site scripting (XSS) in MaxSite CMS mail_send plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_subject, f_files, or f_from parameters, resulting in stored XSS that can affect other users. The vulnerability stems from missing input sanitization via htmlspecialchars() and is classified by the vendor as self-XSS. Publicly available exploit code exists, and a patch is available in version 109.4.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7014 LOW POC PATCH Monitor

Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 affects the down_count plugin, where unsanitized input in the f_file and f_prefix parameters allows authenticated high-privilege users to inject malicious scripts via remote network access with user interaction. The vendor classifies this as self-XSS due to high privilege requirements (PR:H) and user interaction (UI:P), but the lack of output encoding via htmlspecialchars() represents a secure coding violation. Publicly available exploit code exists, and a patch is available in version 109.4.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7012 LOW POC PATCH Monitor

Cross-site scripting vulnerability in MaxSite CMS Redirect Plugin up to version 109.3 allows authenticated high-privilege users to inject malicious scripts via the f_all or f_all404 parameters due to missing output encoding with htmlspecialchars(). The vulnerability requires high-privilege authentication and user interaction to execute, resulting in low impact (integrity only); however, publicly available exploit code exists and the vendor has classified this as a self-XSS violation of secure coding standards. Upgrade to version 109.4 or later to remediate.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7011 LOW POC PATCH Monitor

Cross-site scripting (XSS) in MaxSite CMS up to version 109.3 allows authenticated administrators to inject malicious scripts via the f_logging_file parameter in the Antispam Plugin admin interface, leading to stored XSS with user interaction required. The vulnerability affects the /admin/plugin_antispam endpoint and results from insufficient output encoding. Vendor-released patch version 109.4 addresses the issue by implementing htmlspecialchars() filtering; publicly available exploit code exists.

XSS Cms
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7020 LOW Monitor

Path traversal vulnerability in Ollama up to version 0.20.2 affects the digestToPath function in the Tensor Model Transfer Handler, allowing remote attackers with high complexity to manipulate digest arguments and traverse the filesystem. Public exploit code exists, though the vendor has not acknowledged disclosure attempts. CVSS 6.3 reflects low confidentiality, integrity, and availability impact limited by high attack complexity and no scope change.

Path Traversal Ollama
NVD VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7021 LOW Monitor

SmythOS sre versions up to 0.0.15 expose sensitive information through improper validation of the baseURL argument in the Connector Service's LLM utilities component. An authenticated remote attacker with user interaction can manipulate the baseURL parameter to disclose confidential data. Public exploit code exists, and the vendor has not responded to early disclosure notifications.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7027 LOW Monitor

Cross-site scripting (XSS) in D-Link DSL-2740R EU_01.15 allows authenticated remote attackers with high privileges to inject malicious scripts via the Wireless Network Name parameter in the Wireless Setup Section, affecting data integrity when a user views the compromised configuration. The vulnerability requires user interaction and administrative credentials, limiting its real-world exploitation scope despite publicly available exploit code.

XSS D-Link
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7038 LOW Monitor

Insufficient credential protection in tufantunc ssh-mcp up to version 1.5.0 allows local authenticated users to disclose sensitive credentials through the Command Line Handler component. The vulnerability affects src/index.ts and has a publicly available exploit, though the low CVSS score of 1.9 reflects limited scope (confidentiality impact only, no integrity or availability effects) and requirement for local authenticated access.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy