Skip to main content
CVE-2021-47951 MEDIUM POC This Month

WordPress Picture Gallery 1.4.2 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts through the Edit Content URL field in the Access. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47950 MEDIUM POC This Month

Advanced Guestbook 2.4.4 contains a persistent cross-site scripting vulnerability in the smilies administration interface that allows authenticated attackers to inject malicious scripts by. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS PHP
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47926 MEDIUM POC This Month

Contact Form to Email 1.3.24 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by creating forms with script tags in the form name. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Contact Form To Email
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47907 MEDIUM POC This Month

Rocket LMS 1.1 contains a persistent cross-site scripting vulnerability in the support ticket module that allows authenticated users to inject malicious script code through the title parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Rocket Lms
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50970 MEDIUM POC This Month

WordPress Plugin AAWP 3.16 contains a reflected cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by manipulating the tab parameter. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50961 MEDIUM POC This Month

WordPress Plugin IP2Location Country Blocker 2.26.7 contains a stored cross-site scripting vulnerability that allows authenticated users to inject arbitrary JavaScript code through the Frontend. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50960 MEDIUM POC This Month

WordPress International Sms For Contact Form 7 Integration version 1.2 contains a reflected cross-site scripting vulnerability in the page parameter of the admin settings interface. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS PHP
NVD Exploit-DB VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50949 MEDIUM POC This Month

WordPress Plugin Videos sync PDF 1.7.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by exploiting unsanitized nom, pdf, mp4,. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50948 MEDIUM POC This Month

Motopress Hotel Booking Lite 4.2.4 contains a stored cross-site scripting vulnerability that allows authenticated attackers to inject malicious scripts by submitting payloads in accommodation type. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

XSS Motopress Hotel Booking Lite
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2022-50946 MEDIUM POC This Month

WordPress Plugin Netroics Blog Posts Grid 1.0 contains a stored cross-site scripting vulnerability that allows authenticated editors to inject malicious scripts by failing to sanitize the post_title. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available and no vendor patch available.

WordPress XSS
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2021-47948 MEDIUM POC This Month

WordPress GetPaid Plugin 2.4.6 contains an HTML injection vulnerability that allows authenticated attackers to inject arbitrary HTML code by exploiting the Help Text field in payment forms. Rated medium severity (CVSS 5.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

XSS WordPress
NVD Exploit-DB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-45180 HIGH This Week

Session ID disclosure in Catalyst::Plugin::Statsd for Perl (versions ≤0.10.0) occurs when the StatsD communication channel lacks encryption, leaking authentication tokens over unsecured UDP to remote StatsD daemons. CVSS 7.5 (High) reflects network-accessible confidentiality impact, but EPSS score of 0.03% (9th percentile) and SSVC assessment (no observed exploitation, partial technical impact) indicate limited real-world exploitation activity. Vendor advisory from GitHub Security (GHSA-gjvr-hq83-fc38) confirms the issue with related advisories for similar Plack-Middleware-Statsd vulnerability (CVE-2026-45179).

Information Disclosure Catalyst
NVD GitHub
CVSS 3.1
7.5
EPSS
0.0%
CVE-2026-8177 HIGH PATCH This Week

Out-of-bounds heap read in XML::LibXML for Perl (all versions through 2.0210) allows remote attackers to trigger denial-of-service crashes by supplying XML node names with truncated UTF-8 sequences. The parser fails to validate multi-byte UTF-8 boundaries in node names, reading past allocated memory into adjacent heap regions. No public exploit identified at time of analysis, with EPSS score of 0.01% indicating very low observed exploitation probability. Vendor-released patch available via upstream commit 15652bd9.

Denial Of Service Information Disclosure Buffer Overflow Xml
NVD GitHub VulDB
CVSS 3.1
7.5
EPSS
0.0%
CVE-2025-14179 HIGH PATCH This Week

SQL injection in PHP's PDO Firebird driver allows remote attackers to manipulate database queries when applications use PDO::quote() with attacker-controlled input containing NUL bytes. The vulnerability affects PHP versions 8.2.* through 8.5.* across all maintained branches, with vendor patches released (8.2.31, 8.3.31, 8.4.21, 8.5.6). CVSS 7.4 with network attack vector but requires user interaction and precise timing conditions (AT:P). Proof-of-concept exploitation status confirmed (E:P), though no active exploitation identified in CISA KEV at time of analysis.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
7.4
EPSS
0.0%
CVE-2026-8216 MEDIUM This Month

Improper authentication in IAS Canias ERP 8.03 allows remote unauthenticated attackers to bypass authentication via the iasServerRemoteInterface.doAction function in the Java RMI Session Management component, granting unauthorized access to ERP functionality without valid credentials. CVSS 6.9 indicates moderate severity with low confidentiality and integrity impact. No public exploit code or active exploitation has been confirmed at time of analysis.

Authentication Bypass Java
NVD VulDB
CVSS 4.0
6.9
EPSS
0.1%
CVE-2026-8242 LOW POC Monitor

Information disclosure in Industrial Application Software IAS Canias ERP 8.03 allows remote attackers to extract sensitive data through observable response discrepancies in the Login RMI Interface doAction function. The vulnerability requires high attack complexity but can be exploited without authentication or user interaction. Publicly available exploit code exists, though the vendor has not responded to early disclosure notifications.

Information Disclosure Canias Erp
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-8243 MEDIUM This Month

Hard-coded cryptographic key in Canias ERP 8.03 JNLP Deployment Endpoint allows unauthenticated remote attackers to obtain sensitive information through manipulation of the affected component. The vulnerability affects the Java Network Launch Protocol deployment mechanism, enabling key discovery and potential decryption of encrypted communications. No vendor patch has been released despite early disclosure notification.

Information Disclosure
NVD VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-45191 MEDIUM PATCH This Month

Net::CIDR::Lite before version 0.24 accepts CIDR mask values with extraneous leading zeros (such as '/00' or '/01'), causing them to parse identically to their unpadded equivalents ('/0' or '/1'). This permits attackers to bypass IP-based access control lists by supplying alternate representations of the same network prefix, potentially granting unauthorized access to restricted resources. The vulnerability affects all Perl installations using vulnerable versions of this library and is rated with CVSS 6.5 (moderate integrity and availability impact). No active exploitation has been confirmed by CISA, but the flaw is automatable and exploitable remotely without authentication.

Authentication Bypass Suse Red Hat
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-45190 MEDIUM PATCH This Month

Net::CIDR::Lite Perl module versions before 0.24 fail to properly validate IP address and CIDR mask inputs, allowing attackers to bypass IP-based access control lists by supplying malformed addresses that are re-encoded differently by the parser. Inputs with trailing newlines or non-ASCII digit characters pass validation but resolve to unintended IP addresses, causing find() and bin_find() functions to incorrectly match or miss addresses. This affects network security controls that rely on CIDR matching for authorization decisions.

Authentication Bypass Net Red Hat Suse
NVD GitHub VulDB
CVSS 3.1
6.5
EPSS
0.0%
CVE-2026-7263 MEDIUM PATCH This Month

The DOMNode::C14N() method in PHP 8.4.x before 8.4.21 and 8.5.x before 8.5.6 incorrectly processes XML data, creating circular linked lists in the document structure that trigger infinite loops during subsequent XML processing, causing denial of service. Unauthenticated remote attackers can trigger this by submitting malformed XML to applications using affected PHP versions, though attack complexity is noted as present in the CVSS vector.

Denial Of Service PHP
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-6104 MEDIUM PATCH This Month

Out-of-bounds read in PHP's mbstring extension allows remote attackers to trigger information disclosure or denial of service via specially crafted encoding names containing NUL bytes passed to mb_convert_encoding() and related functions. Affected versions: PHP 8.4.0-8.4.20 and 8.5.0-8.5.5. The vulnerability stems from unsafe string length comparison logic that misinterprets strncasecmp() return values when NUL bytes are present, potentially exposing global memory contents or crashing the application. No public exploit code identified at time of analysis.

PHP Information Disclosure Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
6.3
EPSS
0.0%
CVE-2026-8230 LOW POC Monitor

OS command injection in Wavlink NU516U1 240425 via the ipaddr parameter in /cgi-bin/login.cgi allows authenticated remote attackers to execute arbitrary system commands with limited impact (confidentiality, integrity, availability). The vulnerability requires valid credentials (PR:L) but can be exploited over the network without user interaction. Publicly available exploit code exists, and the vendor was notified during coordinated disclosure.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8229 LOW POC Monitor

Remote command injection in Wavlink NU516U1 240425 allows authenticated attackers to execute arbitrary OS commands via manipulation of the AuthMethod or EncrypType arguments in the WifiBasic function of /cgi-bin/wireless.cgi. Publicly available exploit code exists, and the vendor was notified early of the disclosure.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8228 LOW POC Monitor

OS command injection in Wavlink NU516U1 240425 wireless configuration module allows authenticated remote attackers to execute arbitrary system commands via manipulation of the wlan_conf/Channel/skiplist/ieee_80211h parameter in /cgi-bin/wireless.cgi. Publicly available exploit code exists, and the vendor was notified early of disclosure. CVSS 6.3 reflects the moderate impact of command execution under authenticated conditions.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8227 LOW POC Monitor

Remote OS command injection in Wavlink NU516U1 240425 via the wzdapMesh function in /cgi-bin/adm.cgi allows authenticated remote attackers to execute arbitrary operating system commands with limited system impact. Publicly available exploit code exists, and the vendor has been notified of the disclosure.

Command Injection Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8217 LOW POC Monitor

OS command injection via Runtime.getRuntime.exec in Canias ERP 8.03 RMI Interface allows authenticated remote attackers to execute arbitrary operating system commands by manipulating the troiaCode argument. The vulnerability carries low confidentiality, integrity, and availability impact (CVSS 2.1), but publicly available exploit code exists and the vendor has not responded to early disclosure.

Command Injection Canias Erp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.8%
CVE-2026-8235 LOW POC PATCH Monitor

OS command injection in 8421bit MiniClaw 0.8.0 and 0.9.0 allows local authenticated attackers to execute arbitrary system commands via the resolveSkillScriptPath function in the System Command Handler (src/kernel.ts). The vulnerability stems from unsafe command construction using string concatenation with unsanitized user input passed to shell execution. Publicly available exploit code exists, and a patch has been released by the vendor.

Command Injection Miniclaw
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
1.1%
CVE-2026-8252 LOW POC Monitor

Null pointer dereference in Open5GS Session Management Function (SMF) up to version 2.7.7 allows authenticated remote attackers to cause denial of service by manipulating the smf_nsmf_handle_create_data_in_hsmf function. Publicly available exploit code exists, and the project has been notified but has not yet released a patch.

Denial Of Service Null Pointer Dereference Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8251 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Service Mobile Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in the Policy and Charging Control (PCC) handler. The vulnerability has a CVSS score of 2.1 with low availability impact; publicly available exploit code exists, and the project maintainers have not yet responded to early disclosure.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8250 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 via the smf_n4_build_qos_flow_to_modify_list function in the SMF (Session Management Function) component allows remote authenticated attackers to crash the service with low attack complexity. The vulnerability has been publicly disclosed with exploit code available; the vendor was notified early but has not yet released a fix.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8249 LOW POC Monitor

Denial of service vulnerability in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Service Measurement Function (SMF) component via improper handling in the update_authorized_pcc_rule_and_qos function. The vulnerability has a publicly available exploit and moderate CVSS score (4.3) but is limited to authenticated access and results in availability impact only. The vendor has not yet released a patch despite early notification through a GitHub issue.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8248 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Service Mobility Function (SMF) component via manipulation of the update_authorized_pcc_rule_and_qos function in npcf-handler.c. Publicly available exploit code exists, and the vendor has not released a patch despite early notification through issue tracking.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8231 LOW POC Monitor

SQL injection in CodeAstro Online Catering Ordering System 1.0 allows authenticated remote attackers to execute arbitrary SQL queries via the ID parameter in /deleteorder.php, with publicly available exploit code disclosed. Despite a low CVSS score of 2.1 due to authentication requirements and limited impact scope, the vulnerability enables data exfiltration or manipulation within the application's database with minimal attack complexity.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8218 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/purchase_return_save endpoint. The vulnerability requires user interaction (UI:P) to trigger, and publicly available exploit code exists. The vendor has not responded to disclosure attempts, leaving affected installations without official guidance or patches.

XSS Erp Online
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8253 LOW POC Monitor

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged users to inject malicious scripts via the /inventory/purchase_save endpoint, affecting the confidentiality of other users' sessions. The vulnerability requires administrative-level privileges and user interaction (UI:R), resulting in a low CVSS score of 2.4, though publicly available exploit code exists and the vendor has not responded to disclosure attempts.

XSS Erp Online
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8219 LOW POC Monitor

Stored cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/supplier-save endpoint, affecting data integrity and confidentiality of other users viewing the supplier data. The vulnerability requires user interaction (UI:P) and high-level privileges (PR:H), limiting its exploitation scope; however, publicly available exploit code exists and the vendor has not responded to disclosure.

XSS Erp Online
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8214 MEDIUM This Month

Authentication bypass in IAS Canias ERP 8.03 RMI Interface allows remote attackers to manipulate the sessionId parameter in the doAction function, circumventing authentication controls without requiring credentials or user interaction. Publicly available exploit code exists, and the vendor has not responded to disclosure efforts, leaving affected deployments without an official patch.

Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-8215 MEDIUM This Month

Remote path traversal in Industrial Application Software IAS Canias ERP 8.03 allows unauthenticated network attackers to read arbitrary files by manipulating the m_strSourceFileName argument in the iasRequestFileEvent function of the RMI Interface. The vulnerability has been publicly disclosed with proof-of-concept code available, and the vendor has not responded to early disclosure notification.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.1%
CVE-2026-8224 MEDIUM This Month

Denial of service in Open5GS up to version 2.7.7 allows remote unauthenticated attackers to crash the Policy Control Function (PCF) by manipulating the SmPolicyContextData.ipv6AddressPrefix parameter in the pcf_sess_set_ipv6prefix function. The vulnerability has publicly available exploit code and was disclosed despite vendor non-responsiveness, making it a known attack vector against 5G service provider infrastructure.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8223 MEDIUM This Month

Denial of service in Open5GS up to version 2.7.7 via manipulation of the pcf_sess_sbi_discover_and_send function in the sm-policies endpoint allows remote unauthenticated attackers to disrupt service availability. Publicly available exploit code exists, and the upstream project has not yet issued a patch despite early notification via issue report.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8222 MEDIUM This Month

Remote denial of service in Open5GS up to version 2.7.7 affects the sm-policies endpoint's pcf_nbsf_management_handle_register function, allowing unauthenticated network attackers to trigger a crash or service disruption with low attack complexity. Publicly available exploit code exists and the vendor was notified early but has not released a fix.

Denial Of Service Open5gs
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-45179 MEDIUM PATCH This Month

Plack::Middleware::Statsd versions before 0.9.0 leak user IP addresses to unsecured statsd daemons via unencrypted UDP communication. Remote unauthenticated attackers on the same network as the statsd daemon can intercept plaintext IP addresses transmitted by the middleware. Version 0.9.0 and later disable IP logging by default and use HMAC signatures when logging is enabled, eliminating the exposure.

Information Disclosure Plack
NVD GitHub
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-8232 MEDIUM This Month

Denial of service in Dotouch XproUPF 2.0.0 through manipulation of the vlib_worker_loop function in libvlib.so allows local authenticated attackers to crash the UPF process. The vulnerability has CVSS 5.1 (AV:A/AC:L/PR:L) and targets availability rather than confidentiality or integrity. No public exploit code or active exploitation has been confirmed; the vendor was notified early during responsible disclosure.

Denial Of Service Xproupf
NVD VulDB
CVSS 4.0
5.1
EPSS
0.0%
CVE-2026-8233 LOW Monitor

Improper access controls in Dotouch XproUPF 2.0.0 (release 088aa7c4) allow local authenticated attackers to bypass authentication mechanisms and gain unauthorized access to restricted functionality within the UPF component. The vulnerability requires high attack complexity and valid user credentials but affects confidentiality, integrity, and availability of the affected system. No public exploit code or active exploitation has been identified at time of analysis.

Authentication Bypass Xproupf
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8221 LOW Monitor

Cross-site scripting (XSS) in Devs Palace ERP Online through version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/item-save endpoint, requiring user interaction (UI:P) for exploitation. Public exploit code is available, and the vendor has not responded to early disclosure notification, leaving affected deployments without an official patch and at risk of account compromise or session hijacking by attackers with high administrative privileges.

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8220 LOW Monitor

Reflected cross-site scripting in Devs Palace ERP Online up to version 4.0.0 allows authenticated high-privilege users to inject malicious scripts via the /inventory/customer-save endpoint, requiring user interaction to execute. Despite public exploit availability and early vendor notification, no patch or vendor response has been documented. CVSS score of 1.9 reflects high authentication requirements and limited impact scope, though the presence of public exploit code indicates practical demonstration of the vulnerability.

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy