Skip to main content
CVE-2018-25423 MEDIUM POC This Month

Arm Whois 3.11 contains a buffer overflow vulnerability that allows local attackers to crash the application by supplying an oversized input string. Rated medium severity (CVSS 6.9), this vulnerability is no authentication required, low attack complexity. Public exploit code available and no vendor patch available.

Buffer Overflow Denial Of Service Arm Whois
NVD Exploit-DB VulDB
CVSS 4.0
6.9
EPSS
0.0%
CVE-2026-10111 MEDIUM POC This Month

SQL injection in sambitraj's Student Management System 1.0 exposes the login page to unauthenticated remote exploitation via a crafted email parameter, enabling attackers to manipulate backend database queries. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special conditions are required for exploitation. A public proof-of-concept exploit exists via a published GitHub issue, and the vendor has not responded to responsible disclosure - no patch is available at time of analysis.

SQLi Student Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-10110 MEDIUM POC This Month

SQL injection in code-projects Student Details Management System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized `roll` parameter in /index.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms this is exploitable over the network with no privileges or user interaction required, and a public proof-of-concept exploit is hosted on GitHub, materially lowering the barrier to exploitation. Impact is rated as partial across confidentiality, integrity, and availability (VC:L/VI:L/VA:L), though SQL injection primitives often enable escalation beyond the initial access implied by the base score.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-8594 MEDIUM PATCH This Month

Resource amplification in Text::LineFold (Unicode-LineBreak Perl distribution, versions through 2019.001) causes output to be duplicated proportionally to the number of Unicode special line break characters present in the input string. The fold() method incorrectly passes the entire input string to the break() function on each segment iteration, rather than passing only the current segment, producing amplified output that grows with each VT, FF, or similar line break character encountered. No public exploit has been identified at time of analysis and EPSS sits at the 0th percentile, but any application accepting untrusted input and passing it through fold() is exposed to potential denial of service.

Denial Of Service Text
NVD GitHub VulDB
CVSS 3.1
6.2
EPSS
0.0%
CVE-2026-48840 MEDIUM PATCH This Month

Uninitialized stack memory disclosure in Exim 4.88 through 4.99.3 allows remote unauthenticated attackers to read arbitrary stack memory contents by sending specially crafted short payloads to proxy-enabled SMTP listeners. The vulnerability is constrained to proxy configurations but requires no authentication and no user interaction (AV:N/AC:L/PR:N/UI:N), making it trivially reachable against exposed instances. No public exploit code or CISA KEV listing exists at time of analysis, and a vendor-released fix is available in Exim 4.99.4.

Information Disclosure Exim
NVD VulDB
CVSS 3.1
5.3
EPSS
0.0%
CVE-2026-10154 MEDIUM PATCH This Month

Insecure Direct Object Reference in Dolibarr ERP CRM 23.0.0-23.0.2 allows any authenticated low-privilege user to read another user's messaging records by manipulating the `id` parameter in `htdocs/user/messaging.php`. The commit diff confirms the endpoint performed zero ownership or permission validation before serving messaging data - any valid session could enumerate other users' messages by cycling numeric IDs. No public exploit code has been identified and this CVE does not appear in CISA KEV, but the vulnerability is trivially exploitable given its low complexity and minimal authentication barrier.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy