Skip to main content
CVE-2026-7113 LOW POC PATCH Monitor

Authentication bypass in hermes-agent 0.8.0 webhook endpoint allows remote attackers to bypass authentication controls via manipulation of the _INSECURE_NO_AUTH parameter, resulting in limited confidentiality and integrity impact. The vulnerability requires high attack complexity and has publicly available exploit code; vendor patch is available but the project has not yet merged the fix despite early notification.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-7112 LOW POC PATCH Monitor

Improper authentication in the API_SERVER_KEY handler of NousResearch hermes-agent 0.8.0 allows remote attackers to bypass authentication checks in the _check_auth function via the API server component. The vulnerability has a CVSS score of 6.3 with high attack complexity, and publicly available exploit code exists. The project has not yet responded to early notification via pull request.

Authentication Bypass Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.1%
CVE-2026-7116 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote attackers to inject malicious scripts via manipulation of the file 370project/mark.php. The vulnerability requires user interaction (UI:R) but can be exploited over the network without authentication. Publicly available exploit code exists and the flaw has moderate impact on integrity (CVSS 4.3).

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7095 LOW POC Monitor

Reflected cross-site scripting (XSS) in code-projects Employee Management System 1.0 allows remote unauthenticated attackers to inject malicious scripts via the ID parameter in 370project/edit.php. The vulnerability requires user interaction (link click) but has publicly available exploit code and a moderate CVSS score of 4.3, indicating limited but real integrity impact through client-side script execution.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7093 LOW POC Monitor

Code-Projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass authorization controls via manipulation of the ID parameter in the /invoice/ endpoint, enabling unauthorized access to invoice data with potential for modification and denial of service. The vulnerability has publicly available exploit code and is actively exploitable against default configurations.

Authentication Bypass Invoice System In Laravel
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7092 LOW POC Monitor

Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls via manipulation of the ID parameter in the Profile Handler (/profile/ endpoint), leading to unauthorized read, modification, and denial of service impacts. Public exploit code is available, elevating real-world exploitation risk despite the moderate CVSS score of 6.3.

Authentication Bypass Invoice System In Laravel
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7091 LOW POC Monitor

Improper authorization in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to bypass access controls on the User Management Handler (/user endpoint), gaining unauthorized read, write, and availability impact. The vulnerability has a published exploit available and affects all versions of the affected product line.

Authentication Bypass Invoice System In Laravel
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7196 LOW POC Monitor

SQL injection in CodeAstro Online Classroom 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the deleteid parameter in the /guestdetails endpoint, enabling unauthorized data access, modification, or deletion. The vulnerability has publicly available exploit code and a CVSS score of 6.3 reflecting moderate risk with low attack complexity.

SQLi Online Classroom
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7143 LOW POC Monitor

A vulnerability was identified in 1000 Projects Portfolio Management System MCA up to 1.0. This affects an unknown function of the file /admin/block_status.php. The manipulation of the argument q leads to sql injection. The attack can be initiated remotely. The exploit is publicly available and might be used.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7118 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the id or token parameter in 370project/cancel.php, potentially leading to unauthorized data access, modification, or deletion. The vulnerability has a publicly available proof-of-concept and CVSS score of 6.3 (medium severity) with low attack complexity, though exploitation requires valid user credentials.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7117 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the id and token parameters in 370project/approve.php, enabling unauthorized database queries with low confidentiality, integrity, and availability impact. Publicly available exploit code exists and CVSS score of 6.3 reflects the attack's network accessibility despite requiring low-level authentication.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7115 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to manipulate the ID argument in 370project/delete.php, leading to unauthorized database queries with limited confidentiality and integrity impact. Publicly available exploit code exists; CVSS 5.3 reflects moderate risk limited by authentication requirement and restricted data access scope.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7114 LOW POC Monitor

SQL injection in code-projects Employee Management System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in 370project/edit.php, potentially leading to unauthorized data access or modification. The vulnerability requires valid user credentials (PR:L per CVSS vector) and has publicly available exploit code; however, the limited scope (VC:L, VI:L, VA:L) and requirement for authentication reduce real-world risk compared to the base CVSS score of 5.3.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7144 LOW POC Monitor

A security flaw has been discovered in 1000 Projects Portfolio Management System MCA 1.0. This impacts an unknown function of the file update_passwd_process.php. The manipulation of the argument temp_user results in authorization bypass. The attack can be launched remotely. The exploit has been released to the public and may be used for attacks.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7086 LOW POC Monitor

Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to read arbitrary files via manipulation of the url argument in the updateStoryboardUrl function of the Storyboard Export component. The vulnerability has a publicly available exploit, though the vendor disputes its practical exploitability, arguing the affected interface is designed to accept only local or trusted Docker-configured addresses. CVSS 4.3 reflects low confidence (RC:C) and unconfirmed exploitation probability (E:P).

Docker Path Traversal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7089 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in code-projects Home Service System 1.0 allows remote attackers to inject malicious scripts via the fname and lname parameters in the /booking.php Appointment Booking component. User interaction is required for exploitation. A public exploit is available, and the vulnerability carries moderate risk (CVSS 4.3) with integrity impact through malicious script execution in victim browsers.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7148 LOW POC Monitor

A flaw has been found in CodeAstro Online Classroom 1.0. This affects an unknown part of the file /addnewfaculty. Executing a manipulation of the argument fname can lead to sql injection. The attack can be executed remotely. The exploit has been published and may be used.

SQLi Online Classroom
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7134 LOW POC Monitor

A vulnerability was identified in code-projects Online Lot Reservation System 1.0. Affected is an unknown function of the file /edithousepic.php. Such manipulation of the argument image leads to unrestricted upload. The attack can be launched remotely. The exploit is publicly available and might be used.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7133 LOW POC Monitor

A vulnerability was determined in code-projects Online Lot Reservation System 1.0. This impacts an unknown function of the file /activity.php. This manipulation of the argument directory causes unrestricted upload. The attack can be initiated remotely. The exploit has been publicly disclosed and may be utilized.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7110 LOW POC Monitor

Cross-site scripting (XSS) in code-projects Invoice System in Laravel 1.0 allows authenticated remote attackers to inject malicious scripts via the item name/description parameter in the /item endpoint. The vulnerability requires user interaction (UI:P) and affects only the integrity of victim data (VI:L), but publicly available exploit code exists and the attack vector is network-accessible.

XSS Invoice System In Laravel
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7090 LOW POC Monitor

Stored cross-site scripting (XSS) in code-projects Chat System 1.0 allows high-privilege remote attackers to inject malicious scripts via the msg parameter in /admin/send_message.php, affecting the Chat Interface component. The vulnerability requires admin-level authentication and user interaction (viewing the crafted message), but publicly available exploit code exists and the issue is actively being leveraged. With a CVSS score of 2.4, the impact is limited to integrity violations with no confidentiality or availability loss, but the presence of public POC and active exploitation elevates practical risk despite low severity metrics.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7179 LOW POC Monitor

A security vulnerability has been detected in OSPG binwalk up to 2.4.3. This vulnerability affects the function read_null_terminated_string of the file src/binwalk/plugins/winceextract.py of the component WinCE Extraction Plugin. Such manipulation of the argument self.file_name leads to path traversal. The attack can only be performed from a local environment. The exploit has been disclosed publicly and may be used. The project maintainer confirms this issue: "I accept the existence of the Path Traversal vulnerability. However, as stated in the Github link, it reached EOL and as a result no actions should be expected." The GitHub repository mentions, that "[u]sers and contributors should migrate to binwalk v3." This vulnerability only affects products that are no longer supported by the maintainer.

Path Traversal Binwalk
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7135 LOW POC PATCH Monitor

A security flaw has been discovered in GPAC up to 26.03-DEV-rev105-g8f39a1eb3-master. Affected by this vulnerability is the function elng_box_read of the file src/isomedia/box_code_base.c of the component MP4Box. Performing a manipulation of the argument elng results in out-of-bounds read. The attack needs to be approached locally. The exploit has been released to the public and may be used for attacks. The patch is named cf6ac48c972eaaee2af270adc3f36615325deb3e. The affected component should be upgraded.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-7141 LOW PATCH Monitor

A vulnerability was found in vllm up to 0.19.0. The affected element is the function has_mamba_layers of the file vllm/v1/kv_cache_interface.py of the component KV Block Handler. Performing a manipulation results in uninitialized resource. It is possible to initiate the attack remotely. The attack is considered to have high complexity. The exploitability is described as difficult. The exploit has been made public and could be used. The patch is named 1ad67864c0c20f167929e64c875f5c28e1aad9fd. To fix this issue, it is recommended to deploy a patch.

Information Disclosure Vllm
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7103 LOW Monitor

Weak cryptographic hash usage in code-projects Chat System 1.0 allows remote attackers to compromise password security through the MD5 Hash Handler in update_user.php. The vulnerability stems from use of MD5 for password hashing, a cryptographically broken algorithm that enables rapid offline cracking of password hashes. Publicly disclosed exploit code exists, though exploitation requires high attack complexity. The vulnerability impacts password confidentiality with low direct severity but creates substantial downstream risks for user account compromise.

PHP Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-7102 LOW Monitor

Command injection in Tenda F456 1.0.0.5 httpd allows authenticated remote attackers to execute arbitrary commands via the mac parameter in the /goform/WriteFacMac endpoint. The vulnerability has a publicly available exploit and CVSS 5.3 score with authenticated access requirement (PR:L), limiting immediate widespread risk but affecting exposed or compromised administrative accounts.

Tenda Command Injection
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-7142 LOW PATCH Monitor

A vulnerability was determined in Wooey up to 0.13.2. The impacted element is the function add_or_update_script of the file wooey/api/scripts.py of the component API Endpoint. Executing a manipulation can lead to improper authorization. It is possible to launch the attack remotely. The exploit has been publicly disclosed and may be utilized. Upgrading to version 0.13.3rc1 and 0.14.0 is sufficient to resolve this issue. This patch is called f7846fc0c323da8325422cab32623491757f1b88. The affected component should be upgraded.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7107 LOW Monitor

Unrestricted file upload in code-projects Invoice System Laravel 1.0 allows authenticated attackers to upload arbitrary files via the logo parameter in the /company endpoint, enabling remote code execution or malicious file distribution. Public exploit code is available, and the vulnerability requires only low-privilege authenticated access with no user interaction.

Authentication Bypass File Upload
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7150 LOW Monitor

A vulnerability was found in dh1011 auto-favicon up to f189116a9259950c2393f114dbcb94dde0ad864b. This issue affects the function generate_favicon_from_url of the file src/auto_favicon/server.py of the component MCP Tool. The manipulation of the argument image_url results in server-side request forgery. The attack may be performed from remote. The exploit has been made public and could be used. This product utilizes a rolling release system for continuous delivery, and as such, version information for affected or updated releases is not disclosed. The project was informed of the problem early through an issue report but has not responded yet.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7129 LOW Monitor

Reflected cross-site scripting (XSS) in SourceCodester Pharmacy Sales and Inventory System 1.0 allows remote attackers to inject malicious scripts via the ID parameter in /index.php?page=categories. The vulnerability requires user interaction (clicking a crafted link) but has publicly available exploit code and a low CVSS score (5.3) reflecting limited impact scope, with only low integrity consequences to the victim's session or data.

PHP XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7108 LOW Monitor

Cross-site request forgery (CSRF) in code-projects Invoice System 1.0 for Laravel allows remote attackers to perform unauthorized actions via crafted requests. The vulnerability requires user interaction (clicking a malicious link) but affects the system's integrity through unvalidated state-changing operations. Exploit code is publicly available, and the CVSS 5.3 score reflects moderate severity with limited integrity impact but no confidentiality or availability harm.

CSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-7084 LOW Monitor

Server-side request forgery in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to manipulate the Link parameter in the getCodeByLink endpoint, enabling arbitrary HTTP requests from the server. The vendor acknowledges the /getCodeByLink interface is inherently high-risk and designed to fetch and execute TypeScript code locally; public exploit code exists but vendor questions the practical exploitability of the reported vulnerability.

SSRF
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2025-54505 LOW PATCH Monitor

A transient execution vulnerability within AMD CPUs may allow a local user-privileged attacker to leak data via the floating point divisor unit, potentially resulting in loss of confidentiality.

Amd Information Disclosure
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7083 LOW Monitor

SQL injection in likeadmin_php up to version 1.9.6 allows high-privilege remote attackers to manipulate SQL queries through the queryResult function in the dataTable Admin API component, potentially exposing or modifying sensitive database content. Public exploit code exists and the vendor has not yet responded to early notification, elevating risk despite the CVSS score of 5.1 reflecting high-privilege authentication requirements.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-7085 LOW Monitor

Path traversal in HBAI-Ltd Toonflow-app up to version 1.1.1 allows authenticated remote attackers to access files outside intended directories via the url parameter in the downloadApp endpoint (src/routes/setting/about/downloadApp.ts). The vulnerability requires high attack complexity and authenticated access; vendor mitigation notes that the update URL is statically compiled in official code and exploitation would require users to modify source code. Publicly disclosed exploit code exists, but real-world exploitability is disputed by the vendor and remains uncertain.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy