Skip to main content
CVE-2026-5337 MEDIUM POC This Month

Frontend File Manager Plugin for WordPress through version 23.6 allows authenticated Subscriber-level users and higher to read arbitrary files belonging to other users via insecure direct object reference (IDOR) in the download endpoint. By manipulating the 'file_id' parameter, attackers can bypass authorization checks and access sensitive data stored by administrators and other privileged users. Publicly available exploit code exists for this vulnerability, though EPSS scoring (0.02%) suggests limited real-world exploitation relative to its high CVSS rating.

Authentication Bypass WordPress Information Disclosure
NVD WPScan VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7698 MEDIUM POC This Month

OS command injection in Tiandy Easy7 Integrated Management Platform 7.17.0 allows remote unauthenticated attackers to execute arbitrary system commands via the 'week' parameter in the /Easy7/rest/systemInfo/updateDbBackupInfo endpoint. The vulnerability has publicly available exploit code and is being actively tracked; the vendor has not responded to disclosure attempts.

Command Injection Easy7 Integrated Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
1.0%
CVE-2026-7679 MEDIUM POC This Month

Authentication bypass in YunaiV yudao-cloud (versions up to 2026.01) allows remote unauthenticated attackers to obtain unauthorized access tokens via manipulation of the getAccessToken function in OAuth2TokenServiceImpl.java. Public exploit code exists (GitHub PoC available), enabling attackers to bypass authentication controls and gain low-level access to confidential data, integrity, and availability. EPSS risk assessment unavailable, but the combination of network attack vector, low complexity (AC:L), no authentication requirement (PR:N), and publicly available exploit creates immediate exploitation risk. Vendor was notified but did not respond, leaving no official patch timeline.

Java Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-7703 MEDIUM POC PATCH This Month

Code injection via Websocket API in AV Stumpfl Pixera Two Media Server ≤25.2 R2 allows unauthenticated remote attackers to execute arbitrary code with low complexity. Publicly available exploit code (GitHub Gist) enables network-based compromise with partial impact to confidentiality, integrity, and availability (CVSS:3.1/C:L/I:L/A:L). Vendor-released patch version 25.2 R3 addresses the vulnerability. Despite network vector and proof-of-concept availability, no CISA KEV listing or EPSS data indicates limited observed exploitation at time of analysis.

RCE Code Injection Pixera Two Media Server
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7681 MEDIUM POC This Month

Authorization bypass in jsbroks COCO Annotator up to version 0.11.1 allows remote unauthenticated attackers to modify dataset parameters via manipulation of the DatasetId argument in the Dataset API endpoint backend/webserver/api/datasets.py, enabling unauthorized access to and modification of annotation datasets. Publicly available exploit code exists, and the vendor has not responded to early disclosure notifications.

Authentication Bypass Coco Annotator
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7702 MEDIUM POC This Month

Authorization bypass in AFFiNE up to version 0.26.3 allows remote unauthenticated attackers to access restricted document previews through the Public Markdown Preview Endpoint (/workspace/:workspaceId/:docId). The allowDocPreview function fails to properly validate access permissions, enabling attackers to retrieve sensitive document content without authentication. Public exploit code is available, and the vendor has not responded to early disclosure attempts.

Authentication Bypass Affine
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7686 MEDIUM POC PATCH This Month

Improper access controls in Adblock Plus up to version 4.36.2 on Chrome allow unauthenticated remote attackers to bypass Premium activation controls via manipulation of the postMessage function in premium.preload.js, granting temporary trial access to Premium features. The vulnerability affects a deprecated legacy activation flow and has publicly available exploit code; however, vendor analysis indicates the practical impact is limited because the licensing server issues only short-lived trial licenses (approximately 24 hours) that expire on next validation against real subscriptions, and the exploit has not been weaponized at scale.

Authentication Bypass Google Chrome
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7695 MEDIUM POC This Month

SQL injection in Acrel Electrical EEMS Enterprise Power Operation and Maintenance Cloud Platform 1.3.0 allows remote unauthenticated attackers to read, modify, or delete database contents via the fCircuitids parameter in /SubstationWEBV2/main/elecMaxMinAvgValue endpoint. Publicly available exploit code exists (VulDB 360864) with low attack complexity (CVSS AC:L), enabling attackers to compromise confidentiality, integrity, and availability of backend data. EPSS data unavailable; not listed in CISA KEV. Vendor was notified but remains unresponsive, suggesting no official patch timeline.

SQLi Eems Enterprise Power Operation And Maintenance Cloud Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-7694 MEDIUM POC This Month

SQL injection in Acrel Electrical ECEMS Enterprise Microgrid Energy Efficiency Management System 1.3.0 allows remote unauthenticated attackers to manipulate the fCircuitids parameter in the /SubstationWEBV2/main/elecMaxMinAvgValue endpoint, leading to unauthorized database queries and potential information disclosure. Publicly available exploit code exists and the vulnerability affects a widely used industrial energy management system with no vendor response or patch confirmation.

SQLi Ecems Enterprise Microgrid Energy Efficiency Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-40561 MEDIUM PATCH This Month

HTTP request smuggling in Starlet through version 0.31 allows remote unauthenticated attackers to bypass header validation by exploiting incorrect precedence of Content-Length over Transfer-Encoding headers. The vulnerability violates RFC 7230 section 3.3.3, which mandates that Transfer-Encoding must take precedence when both headers are present. An attacker positioned between a client and Starlet-based backend can craft malicious requests that are interpreted differently by a front-end reverse proxy and the Starlet server, enabling request smuggling attacks with integrity impact.

Request Smuggling Information Disclosure Starlet
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy