Skip to main content
CVE-2026-11408 LOW POC PATCH Monitor

OS command injection in vertex-app vertex (all versions through 2026.02.12) allows remote low-privileged authenticated users to execute arbitrary operating system commands via the Log Viewer Endpoint. The root cause is direct interpolation of the user-controlled `req.query.type` parameter into a shell-executed `execSync()` call in `app/model/LogMod.js`, enabling shell metacharacter injection without any sanitization or allowlist validation. A publicly available proof-of-concept exists on GitHub Gist and Google Drive; no public exploit identified at time of analysis as confirmed actively exploited (CISA KEV), but the CVSS temporal score includes E:P (proof-of-concept) and RC:C (confirmed), elevating real-world urgency.

Command Injection Vertex
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.9%
CVE-2026-11406 LOW POC PATCH Monitor

Command injection in GL.iNet MT3000 routers running firmware up to version 4.4.5 allows authenticated remote attackers to execute arbitrary OS commands by supplying a crafted OpenVPN configuration file through the device's OpenVPN Client Import Workflow. The shell script ovpnclient.sh processes imported .ovpn files without adequately sanitizing user-controlled content, enabling embedded shell metacharacters or directives to execute at the OS level. A public proof-of-concept exploit is available on GitHub; an official vendor-released patch exists in beta firmware, and no public exploit identified at time of analysis has been confirmed by CISA KEV as actively exploited in the wild.

Command Injection Mt3000
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.7%
CVE-2026-11412 LOW POC Monitor

SQL injection in Jinher OA C6's GetFormSn.aspx endpoint allows remote low-privilege authenticated attackers to manipulate the queryID parameter, potentially reading, modifying, or deleting backend database records. A public proof-of-concept exploit is available on GitHub, lowering the barrier to exploitation. No patch exists - the vendor was notified early but did not respond, leaving no official remediation path.

SQLi Oa
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-11411 LOW POC Monitor

Path traversal in iAI Lab PDF AI App 4.21.0 on Android allows a local low-privileged attacker to manipulate the `_display_name` argument within the `getExternalCacheDir` function of the `chatpdf.pro` component, enabling unauthorized file system access outside the intended cache directory. The CVSS 4.0 score of 1.9 reflects the strictly local attack surface and limited integrity and availability impact with no confidentiality breach. A public proof-of-concept exploit has been released; the vendor was contacted prior to disclosure and did not respond, leaving the vulnerability unpatched.

Google Path Traversal
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.0%
CVE-2026-11434 LOW POC Monitor

Cross-site scripting in FluentCMS 0.0.5 allows a remote, highly-privileged attacker to inject malicious JavaScript via the /admin/blocks endpoint of the Blocks Plugin. The attack requires high privileges (admin-level authentication) and victim user interaction, constraining real-world impact significantly - the CVSS base score of 2.4 reflects this narrow exploitation surface. A publicly available proof-of-concept exists per HackMD, and the vendor has not responded to disclosure, leaving no official patch in place. No public exploit identified at time of analysis as reaching CISA KEV status.

XSS Fluentcms
NVD VulDB
CVSS 4.0
1.9
EPSS
0.0%
CVE-2025-12656 LOW Monitor

Arbitrary directory deletion in the WPvivid Backup & Migration WordPress plugin (all versions through 0.9.128) allows authenticated administrators to remove arbitrary server-side folders by submitting a crafted path to the delete_cancel_staging_site() function. Impact is confined to integrity and availability - server files and directories can be irreversibly destroyed - with no confidentiality exposure. No public exploit identified at time of analysis, and exploitation requires high-privilege WordPress credentials, substantially limiting real-world risk.

Information Disclosure WordPress
NVD VulDB
CVSS 3.1
3.8
EPSS
0.0%
CVE-2026-11436 LOW Monitor

Reflected cross-site scripting in Mage AI's sign-in flow (versions up to and including 0.9.79) allows unauthenticated remote attackers to inject and execute arbitrary JavaScript in a victim's browser by manipulating the query.redirect_url parameter passed to the useMutation hook in the SignForm component. A public proof-of-concept exploit exists (referenced via GitHub gist), elevating real-world risk despite the low CVSS 4.0 score of 2.1. The vendor was notified prior to disclosure but did not respond, meaning no patch is currently available.

XSS
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy