Skip to main content
CVE-2026-8196 LOW POC Monitor

Authentication bypass in JeecgBoot 3.9.1 mLogin endpoint allows remote attackers to circumvent login controls via manipulation of an unspecified function in LoginController.java, resulting in unauthorized access with confidentiality impact. The vulnerability has high attack complexity and difficult exploitability, but publicly available exploit code exists and the vendor has not responded to disclosure.

Authentication Bypass Java
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-8192 LOW POC Monitor

Wavlink NU516U1 M16U1_V240425 is vulnerable to remote OS command injection through the wzdap function in /cgi-bin/adm.cgi, where the EncrypType and wl_Pass parameters are passed unsanitized to system commands. An authenticated remote attacker can manipulate these arguments to execute arbitrary commands with the privileges of the web server process. Exploit code is publicly available (CVSS 6.3, EPSS probability indicated by E:P vector).

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8191 LOW POC Monitor

Remote OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system commands via the skiplist1/skiplist2 parameters in the wifi_region function of /cgi-bin/adm.cgi. The vulnerability is remotely exploitable with low complexity, affects confidentiality and integrity, and has publicly available exploit code.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8190 LOW POC Monitor

OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary system commands via unsanitized WAN configuration parameters (ppp_username, ppp_passwd, rwan_ip, rwan_mask, rwan_gateway) in the /cgi-bin/adm.cgi wan function. Publicly available exploit code exists and the vendor has been notified.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8189 LOW POC Monitor

Remote authenticated command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated attackers to execute arbitrary OS commands via manipulation of wlan_bssid, sel_Automode, or sel_EncrypTyp parameters in the wzdrepeater function at /cgi-bin/adm.cgi. CVSS 6.3 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L/E:P) with public exploit code available; vendor was notified early of this disclosure.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8188 LOW POC Monitor

OS command injection in Wavlink NU516U1 M16U1_V240425 allows authenticated remote attackers to execute arbitrary commands via the change_wifi_password function in /cgi-bin/adm.cgi by manipulating the wl_channel, wl_Pass, or EncrypType parameters. Publicly available exploit code exists, and the vendor has been notified of the vulnerability.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8193 LOW POC Monitor

Server-side request forgery in Akaunting 3.1.21 allows authenticated attackers to manipulate the Invoice PDF Rendering component via the config/dompdf.php file, enabling arbitrary HTTP requests from the server to internal or external systems. The vulnerability has CVSS score 2.1 with low severity impact across confidentiality, integrity, and availability; however, publicly available exploit code exists and the vendor did not respond to early disclosure, increasing real-world exploitation risk despite low CVSS metrics.

SSRF PHP
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8194 LOW POC PATCH Monitor

Cross-site request forgery in osTicket up to version 1.18.3 allows remote attackers to bypass CSRF token validation by manipulating the _method parameter via GET requests, enabling unauthorized state-changing operations without user interaction beyond clicking a malicious link. The vulnerability exploits improper HTTP method emulation in the Dispatcher component and has publicly available proof-of-concept code; a vendor patch is available.

PHP CSRF
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8211 LOW POC Monitor

Code injection in codelibs Fess up to 15.5.1 allows remote attackers with high privileges to execute arbitrary code via manipulation of the content argument in the AdminDesignAction.java JSP file handler. Publicly available exploit code exists for this vulnerability, and the vendor has not responded to early disclosure notification.

Code Injection Java RCE
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-8213 LOW POC PATCH Monitor

Heap-based buffer overflow in OSGeo GDAL's Grid File Handler (GDSDfldsrch function in frmts/hdf4/hdf-eos/GDapi.c) affects versions up to 3.13.0dev-4, allowing authenticated local attackers to cause memory corruption through malformed HDF4 grid files. The vulnerability results from unsafe string manipulation that fails to validate metadata field list format before performing memory operations. Publicly available exploit code exists; vendor-released patch available in version 3.13.0RC1.

Buffer Overflow Gdal
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8212 LOW POC PATCH Monitor

Heap-based buffer overflow in GDAL's HDF4-EOS SWSDfldsrch function (frmts/hdf4/hdf-eos/SWapi.c) allows local authenticated attackers to cause memory corruption through manipulation of malformed HDF4 files. The vulnerability stems from unsafe string manipulation that fails to validate metadata field list format before stripping quotes, enabling out-of-bounds writes. Affects GDAL up to version 3.13.0dev-4; patch available in version 3.13.0RC1. Publicly available exploit code exists.

Heap Overflow Buffer Overflow Gdal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-44459 LOW PATCH GHSA Monitor

Improper validation of NumericDate claims (exp, nbf, iat) in hono/utils/jwt allows crafted JWT tokens with malformed time-based claims to silently bypass expiration and validity checks. This affects applications using Hono versions prior to 4.12.18. Exploitation requires the attacker to control token issuance or possess the signing key - unauthenticated remote exploitation is not possible. The vulnerability stems from combined short-circuiting logic that fails to reject non-finite, falsy, or non-numeric claim values as required by RFC 7519.

Authentication Bypass
NVD GitHub
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-45182 LOW Monitor

GrapheneOS versions before 2026050400 leak the real IP address of VPN users through a registerQuicConnectionClosePayload optimization that allows applications to request system_server transmit UDP traffic on their behalf, bypassing VPN confinement when both 'Block connections without VPN' and 'Always-on VPN' are enabled. This information disclosure affects users relying on VPN privacy protections and requires local access with user interaction to trigger, resulting in a CVSS 2.2 score despite the privacy-sensitive nature of IP address leakage.

Information Disclosure Grapheneos
NVD
CVSS 3.1
2.2
EPSS
0.0%
CVE-2026-8195 LOW Monitor

Stored cross-site scripting (XSS) in JeecgBoot up to version 3.9.1 allows remote attackers to inject malicious scripts via SVG file handling in the CommonController component, requiring user interaction to trigger payload execution. The vulnerability has publicly available exploit code and affects the system's integrity through stored script injection, with a CVSS score of 2.1 reflecting low severity due to user interaction requirement and limited impact scope.

XSS Java
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8210 LOW Monitor

Command injection in aandrew-me tgpt up to version 2.11.1 allows local authenticated attackers to execute arbitrary commands via the helper.Update function in helper.go. The vulnerability requires local file system access and an authenticated user context but results in only limited confidentiality impact. Public exploit code exists, though the vendor has not responded to early disclosure attempts, leaving affected users without an official patch.

Apple Command Injection
NVD VulDB
CVSS 4.0
1.9
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy