Skip to main content
CVE-2026-8275 LOW POC PATCH Monitor

Integer coercion error in bettercap's zerogod IPP service allows remote attackers to trigger information disclosure via malformed chunked HTTP requests. Versions up to 2.41.5 are affected. The vulnerability exists in the ippReadChunkedBody function where integer type conversions lack proper bounds validation, enabling attackers to cause memory access violations that leak sensitive data. Publicly available exploit code exists, and while CVSS 2.9 indicates low severity, the attack requires high complexity and has limited impact; however, the vulnerability is confirmed remotely exploitable without authentication.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-8264 LOW POC Monitor

Remote authenticated command injection in Tenda AC6 router firmware version 15.03.06.23 allows authenticated attackers to execute arbitrary OS commands via manipulation of the wl2g.public.country or wl5g.public.country parameters in the /goform/WifiApScan endpoint. The vulnerability affects the httpd component's formWifiApScan function and has publicly available exploit code, presenting moderate risk to affected deployments.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
2.7%
CVE-2026-8346 LOW POC Monitor

A vulnerability was detected in D-Link DIR-816 1.10CNB05_R1B011D88210. This affects the function portForward. Performing a manipulation of the argument ip_address results in command injection. The attack can be initiated remotely. The exploit is now public and may be used.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-8345 LOW POC Monitor

A security vulnerability has been detected in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this issue is the function sub_445E7C of the file /goform/singlePortForward. Such manipulation of the argument ip_address leads to command injection. It is possible to launch the attack remotely. The exploit has been disclosed publicly and may be used.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-8344 LOW POC Monitor

A weakness has been identified in D-Link DIR-816 1.10CNB05_R1B011D88210. Affected by this vulnerability is the function sub_445E7C of the file /goform/formDMZ.cgi. This manipulation causes command injection. It is possible to initiate the attack remotely. The exploit has been made available to the public and could be used for attacks.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.5%
CVE-2026-8265 LOW POC Monitor

Remote command injection in Tenda AC6 version 15.03.06.23 allows authenticated remote attackers to execute arbitrary OS commands via the wans.flag parameter in the /goform/getLogFile endpoint. The vulnerability has publicly available exploit code and may be actively exploited. Attack complexity is low, requiring only network access and high-level authentication privileges, with potential for confidentiality, integrity, and authenticity impacts.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.6%
CVE-2026-8259 LOW POC Monitor

OS command injection in Tenda AC6 2.0/15.03.06.23 httpd daemon allows authenticated remote attackers to execute arbitrary system commands via the lan.ip parameter in /goform/telnet endpoint. The vulnerability requires high-level administrative privileges and has publicly available exploit code; real-world risk is limited by authentication requirement despite network accessibility and low attack complexity.

Tenda Command Injection
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.6%
CVE-2026-8291 LOW POC PATCH Monitor

Denial of service in Open5GS NRF component up to version 2.7.7 allows remote authenticated attackers to exhaust the nf_service memory pool via the ogs_nnrf_nfm_handle_nf_profile function, causing the process to abort via failed assertion. Publicly available exploit code exists, and a vendor patch is available but awaits acceptance into the main branch.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-8288 LOW POC PATCH Monitor

Denial of service in Open5GS SMF (Session Management Function) via crafted PDU Session Modification messages allows remote authenticated attackers to trigger unvalidated parameter processing in gsm_handle_pdu_session_modification_qos_flow_descriptions(), causing service disruption. The vulnerability stems from insufficient pre-validation of QoS flow parameter identifiers and bitrate units before state mutation, potentially leaving the SMF in an inconsistent state. Publicly available exploit code exists, and a fix awaits upstream acceptance in PR #4513.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-8349 LOW POC PATCH Monitor

Memory corruption in OMEC Project AMF up to version 2.1.1 occurs in the NGAP Message Handler when processing malformed mobile identity payloads, allowing authenticated remote attackers to cause denial of service through buffer overflow. Publicly available exploit code exists; vendor released patched version 2.2.0 via GitHub PR #666. CVSS 4.3 (low severity) reflects authentication requirement (PR:L) and availability-only impact, but real-world exploitation risk depends on deployment context.

Buffer Overflow Amf
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8292 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the NRF component by manipulating the hnrf-uri argument passed to the yuarel_parse function in /lib/sbi/conv.c. The vulnerability has a publicly available exploit and low CVSS score (4.3) due to authentication requirement and limited scope, but affects a critical 5G network function with potential operational impact.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8290 LOW POC Monitor

Denial of service in Open5GS through version 2.7.7 allows authenticated remote attackers to crash the Service Management Function (SMF) by manipulating the smf_nsmf_handle_update_data_in_vsmf function in nsmf-handler.c. Publicly available exploit code exists, and the project maintainers have not yet responded to the early disclosure notification despite awareness of the issue.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8289 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) by manipulating the qosFlowProfile argument in the smf_nsmf_handle_update_data_in_vsmf function. Publicly available exploit code exists, and the vulnerability affects the 5G core network's ability to manage quality-of-service parameters, though the project maintainers have not yet responded to early disclosure.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8270 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Session Management Function (SMF) via manipulation of QoS rule parsing in the ogs_nas_parse_qos_rules function. The vulnerability has a low CVSS score of 2.1 but public exploit code is available; however, exploitation requires prior authentication and causes only availability impact without confidentiality or integrity compromise.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8269 LOW POC Monitor

Denial of service vulnerability in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component's smf_nsmf_handle_create_sm_context function, allowing authenticated remote attackers to crash or degrade the 5G core network service through malformed session context creation requests. Public exploit code exists and the vulnerability has low real-world severity (CVSS 2.1) due to requirement for authenticated access and availability impact only, though active 5G infrastructure targeting remains a concern given the critical nature of SMF in telecom deployments.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8268 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 affects the SMF component's OpenAPI_list_create function, allowing authenticated remote attackers to cause service unavailability through resource manipulation. The vulnerability has low to moderate severity (CVSS 4.3) with publicly disclosed proof-of-concept code, though the vendor has not yet responded to early disclosure notification.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8267 LOW POC Monitor

Remote authenticated denial of service in Open5GS up to version 2.7.7 affects the SMF (Session Management Function) component, specifically in the smf_nsmf_handle_created_data_in_vsmf function. An authenticated attacker can remotely trigger a denial of service condition by sending crafted requests. Public exploit code is available (CVE-2026-8267 GitHub issue #4448), though the vendor has not yet released a patched version despite early notification.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8266 LOW POC Monitor

Denial of service in Open5GS up to version 2.7.7 allows authenticated remote attackers to crash the Service Management Function (SMF) via manipulation of the PDU session establishment acceptance function, resulting in service unavailability. The CVSS score of 4.3 reflects low severity due to authentication requirements and availability-only impact, though publicly available exploit code exists and the vulnerability has been reported to the project without acknowledged response.

Denial Of Service Open5gs
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-8271 LOW POC Monitor

OS command injection in D-Link DNS-320 firmware 2.06B01 allows remote authenticated attackers with high privileges to execute arbitrary system commands via multiple CGI parameters in /cgi-bin/network_mgr.cgi (cgi_speed, cgi_dhcpd_lease, cgi_ddns, cgi_set_ip, cgi_upnp_del, cgi_dhcpd, cgi_upnp_add, cgi_upnp_edit). Publicly available exploit code exists and the vulnerability has been documented with proof-of-concept on GitHub.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-8272 LOW POC Monitor

OS command injection in D-Link DNS-320 2.06B01 webfile_mgr.cgi allows remote authenticated attackers with high privileges to execute arbitrary commands through manipulated file operation parameters (delete, rename, copy, move, chmod, chown). Publicly available exploit code exists; CVSS 2.0 reflects high privilege requirement and limited confidentiality/integrity impact on the vulnerable system only.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-8320 LOW POC Monitor

Server-side request forgery in jshERP up to version 3.6 allows authenticated administrators to manipulate the weixinUrl parameter in the updatePlatformConfigByKey endpoint, enabling remote requests to arbitrary servers. The vulnerability affects the getUserByWeixinCode function in UserService.java and can be exploited remotely by high-privilege users to access internal resources, exfiltrate data, or pivot to backend systems. Publicly available exploit code exists, and the project maintainers have not responded to early disclosure.

SSRF Java
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-8261 LOW POC Monitor

Heap-based buffer overflow in Squirrel up to version 3.2 within the SQFunctionProto::Load function allows local attackers to cause memory corruption with limited confidentiality, integrity, and availability impact. Publicly available exploit code exists for this vulnerability, and the vulnerability exhibits low CVSS score (2.0) due to local-only attack vector and minimal scope, though the disclosure and POC availability increase practical risk for embedded and scripting environments using Squirrel.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-8256 LOW POC Monitor

Reflected cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /accounts/mr-save endpoint, enabling session hijacking or credential theft with user interaction. Exploit code is publicly available and the vendor has not responded to disclosure efforts, leaving affected deployments without an official patch.

XSS Erp Online
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8255 LOW POC Monitor

Cross-site scripting (XSS) vulnerability in Devs Palace ERP Online versions up to 4.0.0 allows authenticated users with high privileges to inject malicious scripts via the /inventory/add_new_customer endpoint. The vulnerability requires user interaction (UI:P) and has publicly available exploit code, but real-world impact is significantly limited by the requirement for authenticated high-privilege access and user interaction, resulting in a CVSS score of only 1.9 despite network accessibility.

XSS Erp Online
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8258 LOW POC Monitor

Stack-based buffer overflow in Squirrel up to version 3.2 within the validate_format function of sqstdlib/sqstdstring.cpp allows local authenticated attackers to corrupt stack memory, potentially achieving code execution or denial of service. Public exploit code is available, and the vulnerability has been reported to the project with no vendor response documented at time of analysis.

Stack Overflow Buffer Overflow Squirrel
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8257 LOW POC PATCH Monitor

Denial of service via reachable assertion in WebAssembly Binaryen up to version 117 allows local attackers with low privileges to crash the BrOn parser component by providing malformed WebAssembly bytecode that triggers an unhandled assertion in the IRBuilder::makeBrOn function, with publicly available exploit code and vendor patch already released.

Denial Of Service Binaryen
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8274 LOW POC PATCH Monitor

Path traversal vulnerability in cramfs-tools up to version 2.1 allows local authenticated users to escape directory restrictions via malformed filenames in the Directory Handler component (do_directory function in cramfsck.c). Publicly available exploit code exists. CVSS score of 1.9 reflects low confidentiality, integrity, and availability impact combined with local-only attack vector and required low privilege level; however, the vulnerability enables directory traversal that could facilitate unauthorized file access or modification on systems where cramfs-tools processes untrusted filesystem images.

Path Traversal Cramfs Tools
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-44582 LOW PATCH GHSA Monitor

Cache poisoning in Next.js React Server Component responses allows attackers to poison shared cache entries through collisions in the _rsc cache-busting mechanism, potentially serving incorrect response variants to users. The vulnerability affects Next.js versions 13.4.6 through 15.5.15 and 16.0.0 through 16.2.4 in deployments using shared caches with insufficient response partitioning. No public exploit code or active exploitation has been identified at time of analysis, though the low CVSS score (3.7) reflects the requirement for specific cache architecture conditions and lack of confidentiality impact.

Information Disclosure
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-44572 LOW PATCH GHSA Monitor

Cache poisoning in Next.js middleware redirect handling allows attackers to inject a malicious x-nextjs-data request header, causing middleware to replace the standard Location header with an internal x-nextjs-redirect header that browsers ignore. When deployed behind a CDN or reverse proxy that caches 3xx responses without varying on this header, a single attacker request can poison the cached redirect, resulting in denial of service for that redirect path for all subsequent visitors until cache expiration. Affects Next.js versions 12.2.0-15.5.15 and 16.0.0-16.2.4; vendor-released patches available in 15.5.16 and 16.2.5.

Denial Of Service
NVD GitHub VulDB HeroDevs
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-44474 LOW PATCH GHSA Monitor

Ella Core fails to enforce 3GPP TS 33.501 §6.9.5.1 security rules, allowing concurrent NAS Security Mode Command and N2 handover procedures that produce KgNB key mismatches between UE and target gNB, causing handover failures. Exploitation requires a stalled gNB combined with a re-registration race condition. Vendor-released patch: version 1.10.0.

Information Disclosure
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-28957 LOW PATCH Monitor

An issue with app access to camera metadata was addressed with improved logic. This issue is fixed in iOS 18.7.9 and iPadOS 18.7.9, iOS 26.5 and iPadOS 26.5, visionOS 26.5. An app may be able to capture a user's screen.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-28910 LOW PATCH Monitor

Improper permissions checking in macOS before version 26.4 allows a malicious app with local user privileges to access arbitrary files without user interaction, potentially exposing sensitive data. The vulnerability has a low EPSS score (0.01%) and no confirmed active exploitation, making it a low-priority but real local privilege escalation risk for systems where untrusted applications may execute.

Authentication Bypass Apple
NVD
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-8276 LOW PATCH Monitor

Integer coercion error in bettercap's MySQL Server module allows remote attackers to trigger information disclosure through malformed MySQL handshake packets. Versions up to 2.41.5 are affected. The vulnerability requires high attack complexity and has no impact on confidentiality, integrity, or service availability per CVSS 4.0 scoring (VA:L indicates only availability of a non-critical resource), but the described integer manipulation coupled with CWE-189 (numeric errors) suggests potential for partial data exposure or undefined behavior in packet parsing.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.9
EPSS
0.0%
CVE-2026-44658 LOW PATCH Monitor

Zen Browser prior to 1.19.12b fails to validate item links within RSS/Atom feeds, allowing high-privileged users to inject malicious URLs that bypass feed URL restrictions and are opened as trusted tabs. An attacker with administrative or high privileges can craft a malicious RSS feed containing non-HTTP(S) links that are processed without validation and opened with elevated trust, potentially enabling script injection or protocol handler abuse.

Mozilla Information Disclosure
NVD GitHub
CVSS 3.1
2.4
EPSS
0.0%
CVE-2026-34089 LOW PATCH Monitor

Cross-site scripting (XSS) vulnerability in Wikimedia Scribunto 1.45.0 through 1.45.1 allows authenticated users to inject malicious scripts that may be executed in the context of other users' browsers, potentially compromising session security and enabling unauthorized actions on affected wiki installations. The vulnerability requires login credentials and elevated attack complexity but carries low availability impact; CVSS 2.3 reflects limited real-world threat when combined with the authentication requirement.

XSS Scribunto
NVD
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-42865 LOW PATCH Monitor

Cross-account email event leakage in Inbox Zero prior to 2.29.3 allows authenticated users of the cleaner feature to receive thread events intended for other authenticated accounts via a shared Redis subscription listener. The vulnerability requires both accounts to be actively using the cleaner feature simultaneously and affects only confidentiality of email metadata, with low attack complexity but requiring prior authentication and precise timing.

Redis Information Disclosure
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-5266 LOW PATCH Monitor

Exposure of Sensitive Information to an Unauthorized Actor vulnerability in Wikimedia Foundation Echo. This vulnerability is associated with program files includes/Api/ApiEchoNotifications.Php. This issue affects Echo: from * before 1.43.7, 1.44.4, 1.45.2.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44993 LOW PATCH Monitor

OpenClaw before version 2026.4.20 misclassifies direct messages as group conversations in Feishu card-action callbacks, allowing authenticated attackers to bypass dmPolicy restrictions and trigger card-action flows that should have been blocked. The vulnerability affects direct message handling in the Feishu integration and requires authenticated access (PR:L per CVSS vector) but achieves both confidentiality and integrity impact with moderate CVSS score of 5.4.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-45000 LOW PATCH Monitor

Server-side request forgery in OpenClaw before version 2026.4.20 allows authenticated attackers to bypass strict-mode SSRF policy checks during browser CDP profile creation by storing profiles pointing to private-network or metadata endpoints, which are later probed during normal profile status operations. The vulnerability affects only strict-mode deployments that explicitly restrict private-network CDP targets; default configurations allow private-network endpoints and are not vulnerable. Vendor-released patch: 2026.4.20.

SSRF Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44991 LOW PATCH Monitor

Authorization bypass in OpenClaw before 2026.4.21 allows non-owner senders to execute owner-enforced slash commands when channels are configured with wildcard inbound senders (allowFrom: ["*"]) without explicit owner allowFrom settings. Attackers with legitimate channel access can exploit this to bypass owner-only command authorization checks and execute commands such as /send, /config, or /debug. The vulnerability requires authenticated access to affected channels but is limited to command-owner authorization and does not grant tool access or gateway administrator scope.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44998 LOW PATCH Monitor

OpenClaw before version 2026.4.20 allows authenticated local agents to bypass tool policy restrictions by appending bundled MCP and LSP tools to the effective tool set after policy filtering has completed. Attackers with local agent access can circumvent profile policies, allow/deny lists, owner-only restrictions, sandbox policies, and subagent policies, potentially gaining unauthorized access to restricted tools. This vulnerability requires a configured bundled tool source and an operator-defined restrictive policy; no active exploitation has been identified.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-44997 LOW PATCH Monitor

OpenClaw before 2026.4.22 fails to propagate security envelope constraints when spawning ACP child sessions, allowing authenticated restricted subagents to bypass depth limits, child-count restrictions, control scope, and target-agent constraints. An attacker with subagent privileges can exploit this by spawning child sessions that inherit insufficient security enforcement, potentially escalating privileges or accessing resources beyond their assigned scope.

Authentication Bypass Openclaw
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-34086 LOW PATCH Monitor

Information disclosure in Wikimedia Foundation AbuseFilter allows low-privileged authenticated users with user interaction to access limited confidential data through a network vector. The vulnerability affects AbuseFilter versions prior to 1.43.7, 1.44.4, and 1.45.2, with very low CVSS score (2.1) indicating minimal real-world impact but potential for sensitive information leakage in filtered content or filter logic contexts.

Information Disclosure Abusefilter
NVD
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-8263 LOW Monitor

OS command injection in Tenda AC6 firmware version 15.03.06.49_multi_TDE01 allows high-privilege remote attackers to execute arbitrary commands via manipulation of mac/ssid parameters in the fromSetWirelessRepeat function exposed through the /goform/WifiExtraSet HTTP endpoint. Public exploit code is available, though the CVSS 2.0 score reflects limited impact scope due to requirement of high-privilege authentication and minimal confidentiality/integrity/availability effects beyond low-severity damage.

Tenda Command Injection
NVD GitHub VulDB
CVSS 4.0
2.0
EPSS
0.6%
CVE-2026-34092 LOW PATCH Monitor

MediaWiki versions before 1.43.7, 1.44.4, and 1.45.2 expose sensitive information to unauthorized actors through improper handling in the Skin.php component. The vulnerability requires authenticated user access and user interaction (CVSS:4.0/AV:N/AC:H/PR:L/UI:P), resulting in low confidentiality impact. With an EPSS score of 2.1 and no evidence of active exploitation, this poses limited real-world risk but should be patched as part of routine maintenance.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-43969 LOW PATCH Monitor

Improper Neutralization of CRLF Sequences ('CRLF Injection') vulnerability in ninenines cowlib allows HTTP request splitting and cookie smuggling via unvalidated cookie name and value fields. cow_cookie:cookie/1 in cowlib builds a client-side Cookie: request header from a list of name-value pairs without validating either field. An attacker who controls the cookie names or values passed to this function can inject ;, ,, CR, LF, or TAB characters into the serialized header. This enables two classes of attack: cookie smuggling within a single header (e.g. injecting "; admin=1" to introduce a phantom cookie that the receiving server treats as authentic) and HTTP request header splitting (injecting CRLF to append arbitrary headers or smuggle a complete second request against a shared upstream proxy). The decoder side (parse_cookie_name/1, parse_cookie_value/1) and setcookie/3 already validate and reject these characters; the encoder alone is missing the check. This issue affects cowlib from 2.9.0.

RCE Cowlib
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-34094 LOW PATCH Monitor

Vulnerability in Wikimedia Foundation MediaWiki. This vulnerability is associated with program files includes/Page/Article.Php. This issue affects MediaWiki: from * before 1.43.7, 1.44.4, 1.45.2.

PHP Information Disclosure
NVD VulDB
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-8262 LOW Monitor

Cross-site scripting (XSS) in Devs Palace ERP Online version 4.0.0 and earlier allows authenticated high-privilege users to inject malicious scripts via the /accounts/chart-save endpoint. The vulnerability requires user interaction (UI:P) to trigger and results in limited integrity impact. Publicly available exploit code exists, though the CVSS 4.0 score of 1.9 reflects low severity due to the high privilege requirement (PR:H) and user interaction dependency.

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-8254 LOW Monitor

Cross-site scripting (XSS) in Devs Palace ERP Online up to version 4.0.0 allows high-privileged authenticated users to inject malicious scripts via the /inventory/sales_save endpoint with user interaction, resulting in integrity impact. The exploit code has been publicly released and the vendor has not responded to early disclosure attempts, leaving affected deployments without vendor-provided patches.

XSS
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-34088 LOW PATCH Monitor

MediaWiki before versions 1.43.7, 1.44.4, and 1.45.2 exposes sensitive information to unauthorized actors through a vulnerability requiring user interaction. The flaw allows information disclosure via network access without authentication, though impact is limited (CVSS 1.3) and requires user participation to trigger. Vendor-released patches are available across all affected major versions.

Information Disclosure Mediawiki
NVD VulDB
CVSS 4.0
1.3
EPSS
0.0%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy