Skip to main content
CVE-2026-10875 LOW Monitor

SQL injection in projectworlds Online Art Gallery Shop 1.0 exposes the admin panel to database manipulation via the unsanitized `social_twitter` parameter in `/admin/adminHome.ph`. Authenticated remote attackers with low-privilege credentials can craft malicious SQL payloads to read, modify, or corrupt backend database contents. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P metric and the CVE description; however, no active exploitation has been confirmed in CISA KEV, and the overall CVSS 4.0 score of 2.1 reflects limited blast radius confined to the vulnerable system.

SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10874 LOW Monitor

SQL injection in projectworlds Online Art Gallery Shop 1.0 enables remote low-privileged attackers to manipulate the `social_insta` parameter within `/admin/adminHome.php`, achieving limited read, write, and availability impact against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), though the overall CVSS 4.0 score of 2.1 reflects a constrained impact scope - no subsequent system compromise is possible. This is not listed in the CISA KEV catalog; exploitation requires authenticated access rather than open unauthenticated attack.

PHP SQLi
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10802 LOW Monitor

Uncontrolled resource consumption in KeystoneJS's GraphQL API endpoint allows a remotely authenticated attacker with low-privilege credentials to degrade server availability by submitting deeply nested GraphQL queries that exhaust CPU or memory without bound. Versions up to snapshot 20260319 of the @keystone-6/core package are affected. A public proof-of-concept exists (CVSS E:P), though the vulnerability is not listed in CISA KEV and carries a CVSS 4.0 score of 2.1 - indicating limited real-world severity under most deployments.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-10800 LOW PATCH Monitor

Hash collision weakness in PaddlePaddle FastDeploy up to version 2.4.1 allows a local attacker with low privileges to cause the MultimodalHasher component to produce identical SHA-256 digests for semantically distinct numpy arrays that share raw byte content but differ in shape or dtype. This breaks the uniqueness guarantee of the hash_features function in fastdeploy/multimodal/hasher.py, enabling integrity violations in multimodal data pipelines relying on this component for deduplication or identity checks. No public exploit exists and no active exploitation is confirmed; the CVSS 4.0 score of 2.0 accurately reflects constrained real-world risk given local-only access and high attack complexity.

Information Disclosure Fastdeploy
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-10804 LOW PATCH Monitor

Hash collision vulnerability in Streamlit's caching layer (versions up to 1.53.0) allows a local low-privileged attacker to poison the application cache by supplying crafted PIL palette-mode images or large dataframes that produce identical hash digests for distinct objects. The root cause is twofold: PIL 'P'-mode (palette-indexed) images excluded palette data from the hash computation entirely, and fixed seed values (random_state=0) were used when sampling large pandas, numpy, and polars objects - both enabling deterministic hash collisions. No public exploit identified at time of analysis beyond the public disclosure of the issue. EPSS data is not available, but the CVSS 1.1 score (AV:L/AC:H/PR:L) places real-world risk as very low.

Information Disclosure Streamlit
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-10783 LOW PATCH Monitor

Cache key collision in Gradio 6.14.0's audio processing component allows a local low-privileged attacker to trigger information disclosure by exploiting incomplete hash inputs in the `save_audio_to_cache` function. Two audio arrays with identical raw bytes but differing metadata (sample rate, format, dtype, or shape) resolve to the same cache directory path, causing one cached audio file to overwrite or be served in place of another. Publicly available exploit code exists per the CVSS 4.0 E:P modifier and CVE description, though no active exploitation has been confirmed via CISA KEV. The CVSS 4.0 score of 1.1 accurately reflects the narrow real-world impact given the mandatory local access and high attack complexity.

Information Disclosure Gradio
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-10803 LOW PATCH Monitor

Dataset digest computation in MLflow up to version 3.10.0 uses MD5 - a cryptographically broken algorithm - to fingerprint datasets, enabling a local attacker to craft colliding inputs that undermine dataset integrity tracking. Affected functions include compute_pandas_digest, compute_numpy_digest, and hash_dict_of_arrays in mlflow/data/digest_utils.py, which use a truncated 8-character MD5 digest that further reduces the collision space. Publicly available exploit code exists; this vulnerability is not confirmed actively exploited per CISA KEV, and the CVSS 4.0 score of 1.1 reflects the constrained local-only attack surface.

Information Disclosure Mlflow
NVD GitHub VulDB
CVSS 4.0
1.1
EPSS
0.0%
CVE-2026-47708 CRITICAL PATCH GHSA Act Now

Command injection in stata-mcp (MCP-for-Stata) versions prior to 1.17.3 allows attackers to execute arbitrary Stata commands - including the `shell` directive - by supplying a crafted `log_file_name` parameter to the `stata_do` MCP tool or CLI. The flaw bypasses the existing `GuardValidator` security control, which only inspects do-file content and never examines wrapper parameters, enabling remote code execution and arbitrary file writes via path traversal. Publicly available exploit code exists in the GHSA advisory PoC, though no public exploit identified at time of analysis indicates in-the-wild abuse.

Python RCE Path Traversal Command Injection
NVD GitHub
EPSS
0.6%
CVE-2026-8462 MEDIUM PATCH GHSA This Month

SQL injection in OpenMeter's meter creation API allows any authenticated tenant to execute arbitrary ClickHouse SQL against a shared database with no row-level security, enabling full cross-tenant data exfiltration. The vulnerable endpoint is POST /api/v1/meters, where the valueProperty and groupBy fields are interpolated directly into ClickHouse SELECT statements via fmt.Sprintf without parameterization, and the sanitization function (sqlbuilder.Escape) only escapes library-internal placeholder characters - not single quotes. A publicly available exploit code (PoC) exists demonstrating confirmed time-based blind injection, and no public exploit identified at time of analysis in the CISA KEV sense, though the PoC lowers the barrier to exploitation significantly.

Denial Of Service Docker Python SQLi
NVD GitHub
EPSS
0.0%
CVE-2026-47192 LOW PATCH GHSA Monitor

Late signature validation in Siemens kas (pip/kas >= 4.8, < 5.3) allows an attacker who has already compromised a referenced upstream repository to substitute the cryptographic key used to validate that repository's tag signatures, effectively bypassing integrity checks entirely. Because kas processes and applies configuration includes from external repositories before verifying their signatures, a malicious repository can redirect the signature-validation key to one under attacker control. No public exploit code has been identified at time of analysis, and exploitation requires a highly specific multi-condition scenario including prior supply-chain access to a referenced upstream repo. Vendor-released patch version 5.3 resolves all related attack vectors.

Information Disclosure Jwt Attack Siemens
NVD GitHub
EPSS
0.0%
CVE-2026-45056 MEDIUM PATCH GHSA This Month

Sender identity spoofing in matrix-sdk-crypto (Rust crate) versions 0.12.0 through 0.16.0 allows a malicious or colluding homeserver operator to forge the apparent sender of Olm-encrypted to-device messages by supplying manipulated `sender_device_keys` without a corresponding user ID validation check. The vulnerability is classified as CWE-290 (Authentication Bypass by Spoofing) and is patched in version 0.16.1. No public exploit code exists and this CVE is not listed in CISA KEV, but the attack's reliance on homeserver-level access defines a concrete and realistic threat model for federated Matrix deployments where server trust is not absolute.

Authentication Bypass
NVD GitHub
EPSS
0.1%
CVE-2026-44476 MEDIUM PATCH GHSA This Month

Authentication bypass in doorkeeper-openid_connect's Dynamic Client Registration feature allows any party with a known client_id to obtain OAuth access tokens without supplying a client_secret. The root defect is in DynamicClientRegistrationController#register (dynamic_client_registration_controller.rb:18-25), which hard-codes confidential: false on every dynamically registered application while simultaneously returning a client_secret in the response and advertising client_secret_basic/client_secret_post auth methods. Because Doorkeeper's Application.by_uid_and_secret accepts a nil secret as valid for public (non-confidential) clients, the secret returned at registration is functionally decorative - any caller can authenticate at the token endpoint using only the public client_id. No public exploit code has been identified at time of analysis, and no CISA KEV listing exists, but the advisory includes verbatim reproduction steps that document the bypass in full detail.

Authentication Bypass
NVD GitHub
EPSS
0.1%
Prev Page 12 of 12

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy