Skip to main content
CVE-2026-11339 LOW POC Monitor

Command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows remote authenticated attackers to execute arbitrary OS commands via the `ussdValue` parameter of the `/boafrm/formUSSDSetup` endpoint, processed by the vulnerable `sub_41CF20` function without input sanitization. The CVSS vector (AV:N/AC:L/PR:L/UI:N) confirms remote, low-complexity exploitation requiring only low-privilege credentials - a realistic threshold on consumer routers commonly deployed with default or weak passwords. A public proof-of-concept exploit is available on GitHub, materially elevating practical risk above what the moderate CVSS score of 6.3 suggests; no public exploit identified at time of analysis maps to confirmed active exploitation (not in CISA KEV).

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-10878 LOW POC Monitor

Command injection in D-Link DWR-M920 router firmware versions 1.1.50 and 1.1.70 allows a low-privileged, remote-authenticated attacker to inject OS commands via the action_value parameter in the SMS management endpoint /boafrm/formSmsManage. The vulnerability resides in the C function sub_41C8E8 and stems from unsanitized user input being passed directly to a command interpreter (CWE-77). A public proof-of-concept exploit is available on GitHub, lowering the bar for exploitation despite the absence of CISA KEV listing.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-11336 LOW POC Monitor

Improper authorization in tittuvarghese CollegeManagementSystem exposes the Admin Interface to privilege escalation by low-privileged authenticated users who can manipulate the UserAuthData parameter in dashboard_page/admin_page.php. A publicly available exploit exists (referenced in GitHub issue #5), raising practical risk above what the mid-range CVSS score of 6.3 alone would suggest. The vendor has not responded to the responsible disclosure, and no patch has been released; all deployed instances across the rolling release track remain exposed.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11341 LOW POC Monitor

OS command injection in D-Link DWR-M920 firmware up to version 1.1.50 allows authenticated remote attackers to execute arbitrary shell commands on the device via the IMEI_value parameter of the /boafrm/formIMEISetup endpoint. The vulnerable function sub_412DA0 fails to sanitize attacker-controlled input before passing it to an OS-level command, granting low-privilege network access sufficient to achieve code execution with the confidence of a partial proof-of-concept. A publicly available exploit has been disclosed on GitHub, elevating practical risk beyond the CVSS 6.3 score alone.

D-Link Command Injection
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-11337 LOW POC Monitor

Cross-site scripting in tittuvarghese's PHP-based CollegeManagementSystem exposes users to script injection via the unvalidated `department_name` parameter in `/dashboard_page/forms/fetch.php`, exploitable remotely without authentication but requiring victim interaction. Publicly available exploit code (GitHub issue #6) lowers the technical barrier for opportunistic attacks, though CVSS scope remains unchanged with only low integrity impact. No patch has been released and the project maintainer has not responded to the coordinated disclosure, leaving all deployed instances permanently exposed under the rolling release model.

PHP XSS
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11335 LOW POC Monitor

Session fixation in tittuvarghese CollegeManagementSystem enables remote attackers to hijack authenticated user sessions by pre-setting a session identifier via the UserAuthData argument passed to session_start() in /login-form.php. Successful exploitation requires a victim to complete login through an attacker-crafted URL, granting the attacker access to the victim's authenticated session with partial confidentiality, integrity, and availability impact (C:L/I:L/A:L). A publicly available exploit exists via a published GitHub issue, but no patch has been released and the maintainer has not responded to responsible disclosure.

PHP Information Disclosure Session Fixation
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11333 LOW POC Monitor

Unrestricted file upload in tittuvarghese CollegeManagementSystem exposes the Student Data Upload endpoint (`dashboard_page/forms/upload_student_data.php`) to remote exploitation by authenticated low-privilege users, allowing arbitrary file types - including PHP web shells - to be uploaded to the server by manipulating the Student-Data-CSV argument. All deployed instances across all commits are affected given the project's rolling release model, and no vendor-released patch exists as the maintainer has not responded to responsible disclosure. Publicly available exploit code exists, raising real-world risk above what the CVSS 6.3 score alone implies.

PHP File Upload
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11338 LOW POC Monitor

Stored cross-site scripting in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows a remote attacker with high-privilege (admin-level) access to inject persistent malicious JavaScript into the Username field of the user management panel at /admin/?page=user/manage_user, which then executes in the browser of any other privileged user who visits that page. The vulnerability carries a CVSS base score of only 2.4 due to the combination of required high privileges, mandatory user interaction, and limited integrity-only impact with no confidentiality or availability consequence. No public exploit identified at time of analysis as a KEV-confirmed threat, but publicly available exploit code exists via a published Medium article and VulDB report.

XSS Ship Ferry Ticket Reservation System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-11312 LOW POC Monitor

Inefficient algorithmic complexity in bytedance InfiniStore up to version 0.2.33 allows a local, low-privileged attacker to partially degrade availability by triggering worst-case execution in the purge_kv_map function. The CVSS vector (AV:L/AC:L/PR:L/UI:N/A:L) confirms limited blast radius - local-only access with no confidentiality or integrity impact - but a public proof-of-concept exists per the GitHub issue tracker and is reflected in the E:P temporal modifier. No patch has been issued; the vendor has not responded to the coordinated disclosure.

Information Disclosure Infinistore
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-11247 LOW PATCH Monitor

Cross-origin data leakage in Google Chrome's CustomTabs component on Android exposes sensitive information to remote attackers via a crafted HTML page. Affected versions are all Chrome for Android releases prior to 149.0.7827.53, where insufficient policy enforcement in the CustomTabs API fails to uphold cross-origin isolation guarantees. No public exploit identified at time of analysis and no confirmed active exploitation (CISA KEV not listed); the EPSS score of 0.03% (11th percentile) and a CVSS score of 3.1 (Low) together indicate low real-world exploitation likelihood.

Information Disclosure Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11244 LOW PATCH Monitor

Same-origin policy bypass in Google Chrome's WebAuthentication component affects all Chrome versions prior to 149.0.7827.53, exploitable only by a remote attacker who has already compromised the renderer process. Insufficient input validation in the WebAuthn subsystem allows crafted HTML pages to circumvent same-origin restrictions, resulting in limited confidentiality disclosure (C:L). Chromium's own severity classification is Low, consistent with the CVSS 3.1 score of 3.1, and no public exploit or CISA KEV listing has been identified at time of analysis. The mandatory prerequisite of renderer process compromise significantly constrains the realistic attacker population to sophisticated, multi-stage threat actors.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-48102 LOW PATCH Monitor

Heap out-of-bounds read in 7-Zip versions 9.11 through 26.00 exposes up to 3 bytes of heap memory during UDF disc image parsing, triggering when a user opens or extracts a crafted .iso or .udf file. Impact is constrained to a 1-bit information-disclosure oracle per out-of-bounds byte (inferred from open/fail behavior) and potential denial of service under hardened allocators; no write primitive exists. No public exploit code or CISA KEV listing has been identified at time of analysis, and the CVSS Low score of 3.1 accurately reflects the limited real-world severity.

Denial Of Service Information Disclosure Oracle Buffer Overflow
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11240 LOW PATCH Monitor

Site isolation bypass in Google Chrome's Loader component (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to escape Chrome's cross-site data boundary via a crafted HTML page. The vulnerability stems from insufficient validation of untrusted input in the Loader, enabling a post-exploitation primitive that leaks limited confidentiality data across site boundaries. With a CVSS score of 3.1 (Low), EPSS at 0.02% (6th percentile), no CISA KEV listing, and Chromium's own classification as Low severity, this represents a low-urgency chained-exploit stepping stone rather than a standalone critical threat; no public exploit identified at time of analysis.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-11251 LOW PATCH Monitor

Insufficient policy enforcement in Google Chrome's Password Manager (versions prior to 149.0.7827.53) allows a remote attacker who has already compromised the renderer process to bypass discretionary access control via a crafted HTML page, resulting in limited confidentiality exposure. This is a chained vulnerability: exploitation is contingent on a prior renderer process compromise, which substantially elevates attack complexity and limits realistic blast radius. No public exploit code exists and this CVE is not listed in the CISA KEV catalog. Google has rated this Low severity and released a fix in Chrome 149.0.7827.53.

Authentication Bypass Google Chrome
NVD
CVSS 3.1
3.1
EPSS
0.0%
CVE-2026-9088 LOW Monitor

Information disclosure in Red Hat Build of Keycloak's group members endpoint allows a highly privileged but delegated administrator to bypass explicitly configured user profile attribute access controls. An administrator granted only delegated read access to group memberships and user data can invoke the group members API endpoint to retrieve user attributes that have been administratively denied to that role, circumventing the intended granularity of access control. No active exploitation has been confirmed (not in CISA KEV), no public exploit code has been identified, and the CVSS score of 2.7 (Low) reflects the high privilege prerequisite and limited confidentiality impact.

Information Disclosure Red Hat Build Of Keycloak
NVD VulDB
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-45723 LOW PATCH GHSA Monitor

Path traversal in Siderolabs Omni's `CreateSchematic` gRPC endpoint allows an authenticated Operator to force the server to issue HTTP GET requests to arbitrary paths on the configured image-factory host by injecting `../` sequences into the `TalosVersion` field. The CVSS score of 2.7 (PR:H, C:L) reflects that exploitation requires a high-privilege Operator credential and yields only limited confidentiality impact - error body content from unintended image-factory endpoints is reflected back to the caller. No public exploit or CISA KEV listing exists at time of analysis, placing this in a low-priority patch tier for most deployments.

Path Traversal
NVD GitHub
CVSS 3.1
2.7
EPSS
0.0%
CVE-2026-47388 LOW PATCH GHSA Monitor

Unauthorized cross-tenant file read in NocoDB's MCP readAttachment tool allows any low-privilege MCP token holder to stream arbitrary attachment files from shared storage, including those belonging to unrelated bases and workspaces. Affected versions are all NocoDB releases up to and including 2026.05.0 (npm/nocodb). The root cause is CWE-639: the tool accepted caller-supplied path or URL values and streamed them directly without verifying that the referenced file's base_id matched the caller's MCP context. No public exploit has been identified at time of analysis, and this CVE is not listed in the CISA KEV catalog.

Authentication Bypass
NVD GitHub
CVSS 4.0
2.3
EPSS
0.0%
CVE-2024-24769 LOW PATCH GHSA Monitor

Denial Of Service
NVD GitHub
CVSS 4.0
2.1
EPSS
0.1%
CVE-2026-10876 LOW Monitor

Improper authorization in SourceCodester Ship Ferry Ticket Reservation System 1.0 allows authenticated remote attackers with low privileges to manipulate the `page` argument on the `/admin/` endpoint, bypassing access controls and gaining unauthorized access to administrative functionality. The CVSS 4.0 vector (PR:L) confirms exploitation requires a valid low-privileged account rather than unauthenticated access. Publicly available exploit code exists (E:P in CVSS 4.0 vector, corroborated by a published Medium writeup), though the overall severity is rated Low (2.1) due to limited confidentiality, integrity, and availability impact with no scope change to subsequent systems.

Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11330 LOW PATCH Monitor

Hash collision via field-boundary ambiguity in thedotmack/claude-mem through 11.0.1 allows a local low-privilege attacker to cause two semantically distinct observation records to produce identical content hashes, corrupting the SQLite-backed deduplication and integrity logic. The root cause is delimiter-free concatenation of three input fields in `computeObservationContentHash`, meaning different distributions of characters across `memorySessionId`, `title`, and `narrative` yield the same hash input and thus the same digest. No public exploit exists and exploitation is not confirmed actively in the wild; vendor-released fix version 12.0.0 is available.

Information Disclosure Claude Mem
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-11329 LOW PATCH Monitor

Weak cache key construction in onnx-mlir's torch backend (versions up to 0.5.0.0) omits tensor data type (dtype) from placeholder node hash keys, enabling cache collisions between semantically distinct nodes. A locally authenticated attacker with high-complexity manipulation can cause the compiler to incorrectly reuse cached compilation results across mismatched dtypes, yielding low-integrity and low-availability impacts. No public exploit is identified at time of analysis; the upstream fix is confirmed via commit 72c5187 and PR #3427.

Information Disclosure Python
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy