Skip to main content
CVE-2026-11457 MEDIUM POC This Month

Code injection in erzhongxmu JeeWMS via the JimuReport test-connection endpoint (/base-boot/jmreport/testConnection) allows remote unauthenticated attackers to inject malicious payloads through the dbType, dbDriver, dbUrl, dbUsername, and dbPassword parameters. Publicly available exploit code exists and the vendor did not respond to disclosure, leaving deployments exposed without a confirmed patched build due to the project's rolling-release model.

Code Injection Jeewms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11462 MEDIUM POC PATCH This Month

Improper authorization in the BeikeShop e-commerce platform (versions up to 1.6.0.22) allows remote unauthenticated attackers to forge Stripe payment webhook callbacks and mark unpaid orders as paid. The flawed `callback` function in `plugins/Stripe/Controllers/StripeController.php` accepts arbitrary request bodies without verifying the Stripe-Signature header, and publicly available exploit code exists on GitHub. CVSS is 7.3 with EPSS not provided; the issue is not in CISA KEV but has a public POC, raising the practical risk for any internet-exposed BeikeShop store.

PHP Authentication Bypass
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11458 MEDIUM POC This Month

Unauthenticated remote access to the Spring Boot Actuator endpoint in erzhongxmu JeeWMS exposes sensitive application internals to any network-reachable attacker. The `/base-boot/actuator` path, part of the Spring Boot management framework, is accessible without credentials, potentially leaking environment variables, configuration properties, internal service topology, and application health data. A publicly available proof-of-concept exploit exists per CVSS temporal modifier E:P and a referenced GitHub issue; however, this vulnerability has not been confirmed in CISA KEV as actively exploited at time of analysis.

Information Disclosure Jeewms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11456 MEDIUM POC This Month

SQL injection in Chanjet CRM 1.0 allows remote unauthenticated attackers to manipulate the gblOrgID parameter of /tools/jxf_dump_systable.php to inject arbitrary SQL into the backend database. Publicly available exploit code exists (referenced via a public gist), and the vendor did not respond to disclosure attempts, leaving deployments exposed without official remediation. EPSS data was not provided and the issue is not in CISA KEV, but the combination of network-reachable HTTP GET handler, no authentication requirement, and a public POC makes opportunistic exploitation realistic.

PHP SQLi
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.0%
CVE-2026-11450 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to execute arbitrary OS commands by manipulating the dev_name argument passed to the dlopen function in the /usr/lib/oui-httpd/rpc/ Path Normalization Handler, reachable via the nas-web.eject_disk RPC method. Publicly available exploit code exists on GitHub demonstrating the chain. No CISA KEV listing and EPSS data was not provided, but the network-reachable, no-authentication CVSS vector combined with public PoC makes this a meaningful risk for exposed devices.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
1.0%
CVE-2026-11451 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows remote attackers to inject shell commands via the media_dir parameter handled by the snprintf call in /cgi-bin/glc's FTP protocol handler. The CVSS vector indicates network-reachable, unauthenticated exploitation with low complexity, and publicly available exploit code exists on GitHub (StrTzz123/iot_vul). The vendor has issued firmware 4.8.1 and disputes reproducibility on the patched build, stating that escape_single_quote() now sanitizes the input before it reaches the FTP configuration write path.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
1.0%
CVE-2026-11452 MEDIUM This Month

Command injection in GL.iNet GL-MT3000 routers running firmware up to 4.4.5 allows remote attackers to inject shell commands through the Password argument of the SET_USER_PWD handler in /cgi-bin/glc (function FUN_0042e200). The flaw is network-reachable with low complexity, but no public exploit is identified at time of analysis and the vendor disputes practical exploitability, stating that single-quote escaping in the shell context blocks the reported $() and backtick payloads.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.8%
CVE-2026-11449 MEDIUM PATCH This Month

Command injection in GL.iNet GL-MT3000 router firmware 4.4.5 allows a remote, low-privileged attacker to execute arbitrary OS commands via the `rpc_sys` function exposed through the LuCI JSON-RPC interface at `/cgi-bin/luci/rpc`. The vendor has confirmed the vulnerability and released a fix in firmware 4.8.1; critically, versions after 4.7.13 no longer install LuCI by default, eliminating the attack surface for most current deployments. Publicly available exploit code exists in a GitHub repository, though no active exploitation has been confirmed by CISA KEV.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.7%
CVE-2026-11448 MEDIUM This Month

Remote command injection in GL.iNet GL-MT3000 firmware versions up to 4.4.5 enables a network-reachable, high-privilege attacker to execute arbitrary OS commands through the Minidlna service's /rpc endpoint by manipulating the kube.set argument of the realpath function. The vendor has confirmed the vulnerability and released a fix in firmware version 4.7, citing SDK-level global sanitization as the remediation. Publicly available exploit code exists in a GitHub proof-of-concept repository (StrTzz123/iot_vul), though no active exploitation has been confirmed by CISA KEV at time of analysis.

Command Injection Gl Mt3000
NVD VulDB GitHub
CVSS 4.0
5.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy