Skip to main content
CVE-2026-33453 CRITICAL POC PATCH GHSA Act Now

Improperly Controlled Modification of Dynamically-Determined Object Attributes vulnerability in Apache Camel Camel-Coap component. Apache Camel's camel-coap component is vulnerable to Camel message header injection, leading to remote code execution when routes forward CoAP requests to header-sensitive producers (e.g. camel-exec) The camel-coap component maps incoming CoAP request URI query parameters directly into Camel Exchange In message headers without applying any HeaderFilterStrategy.   Specifically, CamelCoapResource.handleRequest() iterates over OptionSet.getUriQuery() and calls camelExchange.getIn().setHeader(...) for every query parameter. CoAPEndpoint extends DefaultEndpoint rather than DefaultHeaderFilterStrategyEndpoint, and CoAPComponent does not implement HeaderFilterStrategyComponent; the component contains no references to HeaderFilterStrategy at all. As a result, an unauthenticated attacker who can send a single CoAP UDP packet to a Camel route consuming from coap:// can inject arbitrary Camel internal headers (those prefixed with Camel*) into the Exchange. When the route delivers the message to a header-sensitive producer such as camel-exec, camel-sql, camel-bean, camel-file, or template components (camel-freemarker, camel-velocity), the injected headers can alter the producer's behavior. In the case of camel-exec, the CamelExecCommandExecutable and CamelExecCommandArgs headers override the executable and arguments configured on the endpoint, resulting in arbitrary OS command execution under the privileges of the Camel process. The producer's output is written back to the Exchange body and returned in the CoAP response payload by CamelCoapResource, giving the attacker an interactive RCE channel without any need for out-of-band exfiltration.                                                                                                                                                                         Exploitation prerequisites are minimal: a single unauthenticated UDP datagram to the CoAP port (default 5683). CoAP (RFC 7252) has no built-in authentication, and DTLS is optional and disabled by default. Because the protocol is UDP-based, HTTP-layer WAF/IDS controls do not apply. This issue affects Apache Camel: from 4.14.0 through 4.14.5, from 4.18.0 before 4.18.1, 4.19.0. Users are recommended to upgrade to version 4.18.1 or 4.19.0, fixing the issue.

RCE Microsoft Command Injection Apache Apache Camel
NVD VulDB GitHub
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-41462 CRITICAL POC Act Now

ProjeQtor versions 7.0 through 12.4.3 contain an unauthenticated SQL injection vulnerability in the login functionality where the login variable is directly concatenated into a SQL query without parameterization or sanitization. Attackers can inject arbitrary SQL expressions through the username field at the authentication endpoint to create privileged accounts, read sensitive data, and execute operating system commands if the database user has elevated permissions.

Information Disclosure SQLi Projeqtor
NVD GitHub
CVSS 4.0
9.3
EPSS
0.1%
CVE-2026-7155 HIGH POC This Week

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This impacts the function setLoginPasswordCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument admpass leads to os command injection. The attack may be initiated remotely. The exploit has been disclosed publicly and may be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7154 HIGH POC This Week

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setAdvancedInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument tty_server can lead to os command injection. The attack can be launched remotely. The exploit has been made available to the public and could be used for attacks.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7153 HIGH POC This Week

A security flaw has been discovered in Totolink A8000RU 7.1cu.643_b20200521. The impacted element is the function setMiniuiHomeInfoShow of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Performing a manipulation of the argument sys_info results in os command injection. The attack can be initiated remotely. The exploit has been released to the public and may be used for attacks.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7152 HIGH POC This Week

A vulnerability was identified in Totolink A8000RU 7.1cu.643_b20200521. The affected element is the function setTelnetCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument telnet_enabled leads to os command injection. It is possible to launch the attack remotely. The exploit is publicly available and might be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7140 HIGH POC This Week

A vulnerability has been found in Totolink A8000RU 7.1cu.643_b20200521. Impacted is the function CsteSystem of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Such manipulation of the argument HTTP leads to os command injection. The attack may be performed from remote. The exploit has been disclosed to the public and may be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7139 HIGH POC This Week

A flaw has been found in Totolink A8000RU 7.1cu.643_b20200521. This issue affects the function setWiFiAclRules of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. This manipulation of the argument mode causes os command injection. The attack is possible to be carried out remotely. The exploit has been published and may be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7138 HIGH POC This Week

A vulnerability was detected in Totolink A8000RU 7.1cu.643_b20200521. This vulnerability affects the function setNtpCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument tz results in os command injection. The attack can be executed remotely. The exploit is now public and may be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7137 HIGH POC This Week

A security vulnerability has been detected in Totolink A8000RU 7.1cu.643_b20200521. This affects the function setStorageCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. The manipulation of the argument sambaEnabled leads to os command injection. Remote exploitation of the attack is possible. The exploit has been disclosed publicly and may be used.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7136 HIGH POC This Week

A weakness has been identified in Totolink A8000RU 7.1cu.643_b20200521. Affected by this issue is the function setDmzCfg of the file /cgi-bin/cstecgi.cgi of the component CGI Handler. Executing a manipulation of the argument wanIdx can lead to os command injection. The attack may be launched remotely. The exploit has been made available to the public and could be used for attacks.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7125 HIGH POC This Week

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the 'merge' parameter in the setWiFiEasyCfg function of /cgi-bin/cstecgi.cgi. Publicly available exploit code exists on GitHub (Litengzheng/vuldb_new2), enabling trivial exploitation against internet-facing devices. CVSS 8.9 reflects network attack vector with no authentication required (AV:N/PR:N), and EPSS data suggests moderate real-world exploitation probability given the POC availability and low attack complexity.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7124 HIGH POC This Week

OS command injection in Totolink A8000RU 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via crafted addrPrefixLen parameter to the setIpv6LanCfg function in /cgi-bin/cstecgi.cgi. CVSS 8.9 (High) with CVSS:4.0 vector indicating network-accessible, low-complexity attack requiring no privileges or user interaction. Publicly available exploit code exists (GitHub POC), enabling weaponization by threat actors. Not currently listed in CISA KEV, suggesting limited observed exploitation despite public disclosure and high severity scoring.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-7123 HIGH POC This Week

OS command injection in Totolink A8000RU router firmware 7.1cu.643_b20200521 allows remote unauthenticated attackers to execute arbitrary system commands via the setIptvCfg parameter in /cgi-bin/cstecgi.cgi. CVSS 8.9 (Critical) with network attack vector and no authentication required. Public exploit code available on GitHub since disclosure, significantly lowering exploitation barrier for attackers targeting internet-facing consumer routers. No vendor patch identified for this end-of-life device at time of analysis.

Command Injection A8000Ru
NVD VulDB GitHub
CVSS 4.0
8.9
EPSS
0.9%
CVE-2026-40858 HIGH POC PATCH GHSA This Week

The camel-infinispan component's ProtoStream-based remote aggregation repository deserializes data read from a remote Infinispan cache using java.io.ObjectInputStream without applying any ObjectInputFilter. An attacker who can write to the Infinispan cache used by a Camel application can inject a crafted serialized Java object that, when read during normal aggregation repository operations such as get or recover, results in arbitrary code execution in the context of the application. This issue affects Apache Camel: from 4.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2. The JIRA ticket: https://issues.apache.org/jira/browse/CAMEL-23322 refers to the various commits that resolved the issue, and have more details. This issue follows the same class of vulnerability previously addressed in CVE-2024-22369, CVE-2024-23114 and CVE-2026-25747.

RCE Java Atlassian Deserialization Apache +1
NVD VulDB GitHub
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-40473 HIGH POC PATCH GHSA This Week

The camel-mina component's MinaConverter.toObjectInput(IoBuffer) type converter wraps an IoBuffer in a java.io.ObjectInputStream without applying any ObjectInputFilter or class-loading restrictions. When a Camel route uses camel-mina as a TCP or UDP consumer and requests conversion to ObjectInput (for example via getBody(ObjectInput.class) or @Body ObjectInput), an attacker sending a crafted serialized Java object over the network to the MINA consumer port can trigger arbitrary code execution in the context of the application during readObject(). This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

RCE Java Deserialization Apache Camel
NVD GitHub VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-41463 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a ZipSlip path traversal vulnerability in the plugin upload functionality that allows authenticated attackers with upload permissions to write files outside the intended extraction directory by crafting ZIP archives with directory traversal sequences. Attackers can exploit unvalidated archive extraction to write a PHP webshell to a web-accessible directory and achieve remote code execution with the privileges of the web server process.

RCE PHP Path Traversal
NVD
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-7160 HIGH POC This Week

A vulnerability was determined in Tenda HG3 2.0. This vulnerability affects the function formTracert of the file /boaform/formTracert. Executing a manipulation of the argument datasize can lead to command injection. The attack may be performed from remote. The exploit has been publicly disclosed and may be utilized.

Tenda Command Injection
NVD VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-7096 HIGH POC This Week

OS command injection in Tenda HG3 router version 2.0 (build 300003070) allows authenticated remote attackers to execute arbitrary system commands with router privileges via the fmgpon_loid parameter in the formgponConf administrative function. Public exploit code is available and confirmed usable for attacks per VulDB reporting, significantly lowering the skill barrier for exploitation despite requiring valid administrative credentials.

Tenda Command Injection
NVD VulDB
CVSS 4.0
7.4
EPSS
0.3%
CVE-2026-7151 HIGH POC This Week

A vulnerability was determined in Tenda HG3 2.0. Impacted is the function formUploadConfig of the file /boaform/formIPv6Routing. This manipulation of the argument destNet causes stack-based buffer overflow. It is possible to initiate the attack remotely. The exploit has been publicly disclosed and may be utilized.

Buffer Overflow Tenda Stack Overflow
NVD VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7097 HIGH POC This Week

Remote code execution in Tenda F456 router firmware 1.0.0.5 allows authenticated attackers to compromise the device via buffer overflow in the httpd web management interface. Exploitation requires low-privilege credentials but enables complete device takeover (CVSS 7.4). A public proof-of-concept exploit exists on GitHub, significantly lowering the barrier to active exploitation despite requiring authentication.

Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7080 HIGH POC This Week

Buffer overflow in Tenda F456 router firmware 1.0.0.5 allows authenticated remote attackers to achieve full device compromise through the PPTP user management interface. The vulnerability exists in the fromPPTPUserSetting function within the httpd component, exploitable via manipulation of the 'delno' parameter sent to /goform/PPTPUserSetting. Public exploit code is available on GitHub, significantly lowering the barrier to exploitation, though no CISA KEV listing or widespread exploitation has been confirmed at time of analysis.

Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7079 HIGH POC This Week

Remote code execution in Tenda F456 router firmware 1.0.0.5 allows authenticated attackers to compromise device integrity and confidentiality via buffer overflow in the WAN configuration interface. The vulnerability exploits the fromAdvSetWan function's improper handling of the wanmode parameter, enabling complete device takeover. Public exploit code exists on GitHub (Litengzheng/vuldb_new), significantly lowering the barrier to exploitation. EPSS data not available, but the combination of network attack vector, low complexity (AC:L), and publicly available POC makes this a realistic threat to exposed management interfaces.

Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7078 HIGH POC This Week

Buffer overflow in Tenda F456 router version 1.0.0.5 allows authenticated remote attackers to achieve arbitrary code execution with high impact to confidentiality, integrity, and availability. The vulnerability resides in the fromSetIpBind function of the httpd daemon's /goform/SetIpBind endpoint, exploitable via malformed 'page' parameter input. Public exploit code exists on GitHub (Litengzheng/vuldb_new), elevating real-world risk despite requiring low-privilege authentication (CVSS 7.4, EPSS data not provided, not in CISA KEV at time of analysis).

Buffer Overflow Tenda
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-7069 HIGH POC Monitor

Buffer overflow in D-Link DIR-825 router's miniupnpd service allows authenticated adjacent network attackers to achieve complete device compromise through malicious UPnP SOAP requests. Affects DIR-825 firmware versions up to 3.00b32, which D-Link no longer supports. Public exploit code exists (CVSS:4.0 7.3 High), but EPSS probability remains low at 0.03% (7th percentile), suggesting limited real-world exploitation activity. Remediation options are constrained as the product has reached end-of-life status.

Buffer Overflow D-Link
NVD VulDB
CVSS 4.0
7.3
EPSS
0.0%
CVE-2026-41465 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contains a path traversal vulnerability in the log file viewer at dynamicDialog.php where the logname parameter is not validated against directory traversal sequences before constructing file paths. Authenticated attackers can inject directory traversal sequences ../ into the logname parameter to read arbitrary .log files accessible to the web server process on the filesystem.

PHP Path Traversal
NVD
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-41464 HIGH POC This Week

ProjeQtor versions 7.0 through 12.4.3 contain a missing authorization vulnerability in the objectDetail.php endpoint that allows authenticated users with guest-level privileges to retrieve sensitive data belonging to other users including password hashes and API keys. Attackers can bypass access controls by directly accessing the endpoint without ownership or role-based validation to extract administrator credentials and perform privilege escalation.

PHP Information Disclosure Authentication Bypass Privilege Escalation
NVD
CVSS 4.0
7.1
EPSS
0.1%
CVE-2026-3008 MEDIUM POC NEWS This Month

String injection in Notepad++ 8.9.3 leads to memory address disclosure or application crash when processing maliciously crafted input. Attackers can leverage this remotely without authentication (CVSS 4.0 score 10.0, AV:N/PR:N), though desktop application context suggests user interaction required despite UI:N in vector. Publicly available exploit code exists per GitHub repository llgsjsm/cve-2026-3008. Fixed in version 8.9.4 release candidate per community forum discussion. EPSS data not available for 2026 CVE.

Denial Of Service Notepad
NVD GitHub VulDB
CVSS 3.1
6.6
EPSS
0.0%
CVE-2026-40453 CRITICAL PATCH GHSA Act Now

The fix for CVE-2025-27636 added setLowerCase(true) to HttpHeaderFilterStrategy so that case-variant header names such as 'CAmelExecCommandExecutable' are filtered out alongside 'CamelExecCommandExecutable'. The same setLowerCase(true) call was not applied to five non-HTTP HeaderFilterStrategy implementations: JmsHeaderFilterStrategy and ClassicJmsHeaderFilterStrategy in camel-jms, SjmsHeaderFilterStrategy in camel-sjms, CoAPHeaderFilterStrategy in camel-coap, and GooglePubsubHeaderFilterStrategy in camel-google-pubsub. Because those strategies use case-sensitive String.startsWith('Camel'/'camel') filtering while the Camel Exchange stores headers in a case-insensitive map, an attacker with JMS (or equivalent) producer access to the broker consumed by a Camel route can inject case-variant Camel internal headers, which are then resolved by downstream components such as camel-exec and camel-file using their canonical casing. This enables remote code execution and arbitrary file write on routes that forward JMS messages to header-driven components. This issue affects Apache Camel: from 3.0.0 before 4.14.6, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.6. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

Microsoft RCE Google Canonical Apache +1
NVD VulDB
CVSS 3.1
9.9
EPSS
0.1%
CVE-2026-40860 CRITICAL PATCH Act Now

JmsBinding.extractBodyFromJms() in camel-jms, and the equivalent JmsBinding class in camel-sjms, deserialized the payload of incoming JMS ObjectMessage values via javax.jms.ObjectMessage.getObject() without applying any ObjectInputFilter, class allowlist or class denylist. Because this code path is reached whenever the mapJmsMessage option is enabled (the default) and Camel acts as a JMS consumer, an attacker able to publish a crafted ObjectMessage to a queue or topic consumed by a Camel application could achieve remote code execution when a deserialization gadget chain was present on the classpath. The same handling was reached transitively through camel-sjms2 (whose Sjms2Endpoint extends SjmsEndpoint) and through camel-amqp (whose AMQPJmsBinding extends JmsBinding), and by other JMS-family components built on JmsComponent such as camel-activemq and camel-activemq6. This issue affects Apache Camel: from 3.0.0 before 4.14.7, from 4.15.0 before 4.18.2, from 4.19.0 before 4.20.0. Users are recommended to upgrade to version 4.20.0, which fixes the issue. If users are on the 4.14.x LTS releases stream, then they are suggested to upgrade to 4.14.7. If users are on the 4.18.x releases stream, then they are suggested to upgrade to 4.18.2.

RCE Deserialization Apache Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-30352 CRITICAL Act Now

A remote code execution (RCE) vulnerability in the /devserver/start endpoint of leonvanzyl autocoder commit 79d02a allows attackers to execute arbitrary code via providing a crafted command parameter.

Command Injection RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-31255 CRITICAL Act Now

Remote unauthenticated command injection in Tenda AC18 router firmware V15.03.05.05_multi allows complete device compromise via the SetSambaCfg interface. Attackers can execute arbitrary system commands by manipulating the guestuser parameter in HTTP requests to /goform/SetSambaCfg. CVSS 9.8 critical severity with network attack vector and no authentication required. EPSS score of 0.06% (19th percentile) suggests low observed exploitation despite extreme technical severity. Publicly documented exploit proof-of-concept exists on GitHub.

Tenda Command Injection
NVD GitHub
CVSS 3.1
9.8
EPSS
0.1%
CVE-2026-41409 CRITICAL PATCH GHSA Act Now

Remote unauthenticated attackers can execute arbitrary code in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 through unsafe deserialization in AbstractIoBuffer.getObject(). This is an incomplete fix bypass for CVE-2024-52046 where the classname allowlist validation occurs after static initializers execute, enabling attackers to trigger malicious code execution before security controls engage. Apache confirmed the flaw affects applications calling IoBuffer.getObject() and released patches in versions 2.0.28, 2.1.11, and 2.2.6. CVSS 9.8 critical score reflects network-accessible unauthenticated exploitation with complete system compromise potential.

Deserialization Apache Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-41635 CRITICAL PATCH GHSA Act Now

Remote code execution in Apache MINA 2.0.0-2.0.27, 2.1.0-2.1.10, and 2.2.0-2.2.5 allows unauthenticated network attackers to execute arbitrary code by exploiting unsafe deserialization in AbstractIoBuffer.resolveClass(). The vulnerability bypasses classname allowlist protections due to incomplete validation of static classes and primitive types. CVSS 9.8 critical severity reflects trivial network-based exploitation requiring no authentication or user interaction. Applications using IoBuffer.getObject() are affected. Vendor-released patches available in versions 2.0.28, 2.1.11, and 2.2.6.

RCE Deserialization Apache Red Hat
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-22337 CRITICAL PATCH Act Now

Remote unauthenticated attackers can escalate privileges to administrator level in Directorist Social Login WordPress plugin versions prior to 2.1.4 through incorrect privilege assignment during social authentication flows. Exploitation requires no authentication or user interaction, enabling complete site takeover via social login mechanisms. CVSS 9.8 (Critical) reflects network-based attack vector with no complexity barriers. No public exploit code or CISA KEV listing identified at time of analysis, but Patchstack reporting suggests vulnerability may be under researcher scrutiny.

Privilege Escalation Directorist Social Login
NVD VulDB
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-35903 CRITICAL Act Now

Authentication bypass in MERCURY MIPC252W IP camera 1.0.5 allows remote unauthenticated attackers to hijack authenticated RTSP sessions and execute unauthorized camera control commands. After an initial valid Digest authentication in a DESCRIBE request, the device fails to validate subsequent RTSP request credentials (SETUP, PLAY, TEARDOWN), accepting empty or invalid Authorization headers as long as session parameters match. This enables complete camera takeover including video stream access, configuration changes, and service disruption without credential brute-forcing. EPSS score of 0.01% suggests minimal observed exploitation activity, though the attack complexity is low (AV:N/AC:L/PR:N) and public PoC exists on GitHub.

Authentication Bypass
NVD GitHub
CVSS 3.1
9.8
EPSS
0.0%
CVE-2026-7159 MEDIUM POC This Month

A vulnerability was found in douinc mkdocs-mcp-plugin up to 0.4.1. This affects the function read_document/list_documents of the file server.py. Performing a manipulation of the argument docs_dir/file_path results in path traversal. The attack is possible to be carried out remotely. The exploit has been made public and could be used. The vendor confirms, that the "fix will be published within a few days."

Path Traversal Mkdocs Mcp Plugin
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7177 MEDIUM POC This Month

A security flaw has been discovered in ChatGPTNextWeb NextChat up to 2.16.1. Affected by this issue is the function proxyHandler of the file app/api/[provider]/[...path]/route.ts. The manipulation results in server-side request forgery. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Nextchat
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7094 MEDIUM POC This Month

Server-side request forgery in ShadowCloneLabs GlutamateMCPServers allows remote unauthenticated attackers to manipulate the 'url' parameter in the puppeteer_navigate component (src/puppeteer/index.ts), potentially accessing internal resources or conducting network reconnaissance. A publicly available proof-of-concept exploit exists (GitHub). EPSS data not available, but CVSS 7.3 (High) with network vector, low complexity, and no authentication requirements indicates significant accessibility. The vendor has not responded to early disclosure via GitHub issue #8, and no patch timeline exists due to the project's rolling release model.

SSRF Glutamatemcpservers
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7147 MEDIUM POC This Month

A vulnerability was detected in JoeCastrom mcp-chat-studio up to 1.5.0. Affected by this issue is some unknown functionality of the file server/routes/llm.js of the component LLM Models API. Performing a manipulation of the argument req.query.base_url results in server-side request forgery. Remote exploitation of the attack is possible. The exploit is now public and may be used. The project was informed of the problem early through an issue report but has not responded yet.

SSRF Mcp Chat Studio
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7109 MEDIUM POC This Month

Improper authorization in code-projects Invoice System in Laravel 1.0 allows remote unauthenticated attackers to bypass authentication and access the /item API endpoint, resulting in limited confidentiality impact. The vulnerability has a CVSS score of 5.5 (network-accessible, low attack complexity, no privileges required), and publicly available exploit code exists, increasing real-world risk despite the moderate base score.

Authentication Bypass Invoice System In Laravel
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7071 MEDIUM POC This Month

CodeAstro Online Job Portal 1.0 exposes file and directory information through the /users/user-cvs/ endpoint via remote unauthenticated access, allowing attackers to enumerate and retrieve sensitive resume and user data. The vulnerability has publicly available exploit code and affects all versions of the application via the CPE cpe:2.3:a:codeastro:online_job_portal:*:*:*:*:*:*:*:*. CVSS 5.5 with confirmed public exploit availability and EPSS exploitation probability indicates moderate real-world risk for deployments accessible over the network.

Information Disclosure Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7199 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary database queries via the ID parameter in /ajax.php?action=delete_product. Publicly available exploit code exists (GitHub POC), enabling unauthorized data access, modification, or deletion without authentication. EPSS data not available, but the combination of network attack vector, no authentication requirement, and public exploit significantly elevates real-world exploitation risk for internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7194 MEDIUM POC This Month

A weakness has been identified in SourceCodester Pharmacy Sales and Inventory System 1.0. This impacts an unknown function of the file /ajax.php?action=save_product. This manipulation of the argument ID causes sql injection. The attack is possible to be carried out remotely. The exploit has been made available to the public and could be used for attacks.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7131 MEDIUM POC This Month

A vulnerability has been found in code-projects Online Lot Reservation System up to 1.0. The impacted element is an unknown function of the file /loginuser.php. The manipulation of the argument email/password leads to sql injection. It is possible to initiate the attack remotely. The exploit has been disclosed to the public and may be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7127 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to read, modify, or delete database records via the ID parameter in /ajax.php?action=delete_receiving. Publicly available exploit code (GitHub POC) demonstrates working attack against default installations with no authentication required (CVSS AV:N/AC:L/PR:N). EPSS data not available, but POC publication significantly lowers exploitation barrier for opportunistic attacks against internet-exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7126 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_category. Public exploit code exists on GitHub (y1shiny1shin/vuldb-project), enabling immediate weaponization against unpatched systems. CVSS 7.3 reflects potential for confidentiality, integrity, and availability compromise through database manipulation. No remediation release identified at time of analysis.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7088 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to execute arbitrary SQL commands via the ID parameter in /ajax.php?action=save_receiving. Publicly available exploit code (GitHub PoC) enables immediate weaponization. CVSS 7.3 reflects network-accessible attack with no authentication required, enabling confidentiality/integrity/availability impact across database operations. EPSS data not provided, but public exploit availability significantly elevates real-world risk for unpatched installations of this open-source PHP application.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7087 MEDIUM POC This Month

SQL injection in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote unauthenticated attackers to extract, modify, or delete database contents via the ID parameter in /ajax.php?action=save_sales endpoint. Publicly available exploit code exists (GitHub POC), enabling low-complexity attacks with no authentication barriers. EPSS data not available, but public exploit significantly lowers attacker skill threshold. CVSS 7.3 reflects network-exploitable vulnerability with moderate confidentiality, integrity, and availability impacts.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7077 MEDIUM POC This Month

SQL injection in itsourcecode Courier Management System 1.0 via the ID parameter in /edit_parcel.php allows remote unauthenticated attackers to query, modify, or delete database contents. The CVSS 6.9 score reflects low confidentiality and integrity impact; however, the vulnerability is remotely exploitable with no authentication required and publicly available exploit code exists, making it a practical attack vector against exposed instances.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
Page 1 of 4 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy