Skip to main content
CVE-2026-9269 LOW POC PATCH Monitor

The Secure Copy Content Protection and Content Locking WordPress plugin before 5.1.5 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

XSS WordPress Secure Copy Content Protection And Content Locking
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-12131 LOW POC Monitor

SQL injection in CodeAstro Human Resource Management System 1.0 enables authenticated remote attackers to manipulate the unsanitized `ID` parameter within the `Invoice` function of `application/controllers/Payroll.php`, allowing arbitrary database reads and writes against the underlying HR and payroll data store. A public proof-of-concept exploit is hosted on GitHub, confirming the vulnerability is actively weaponizable by any attacker holding a low-privilege account. No vendor patch has been identified; the CVE is not in CISA KEV, but the CVSS 4.0 vector carries E:P (exploit published), reflecting confirmed public exploit availability.

PHP SQLi Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-12130 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated low-privilege user to inject persistent malicious script via the `protitle` argument on the `/Projects/Add_Projects` endpoint. When any other authenticated user (e.g., an HR administrator) subsequently views the Projects Management Page, the stored payload executes in their browser context, enabling session hijacking, credential theft, or unauthorized actions on their behalf. A public proof-of-concept exploit is hosted on GitHub, lowering the bar for exploitation, though KEV listing is absent and the CVSS 4.0 score of 2.0 reflects the constrained impact scope.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-12129 LOW POC Monitor

Stored cross-site scripting in CodeAstro Human Resource Management System 1.0 allows an authenticated remote attacker to inject persistent malicious scripts via the `todo_data` parameter at the `/dashboard/add_tod` endpoint. When a higher-privileged user subsequently views the to-do list in the dashboard, the stored payload executes silently in their browser context, enabling session hijacking or unauthorized privileged actions. A public proof-of-concept exploit is available on GitHub; no CISA KEV listing exists at time of analysis, but the low barrier to exploitation for any authenticated user elevates practical risk above the CVSS 4.0 score of 2.0 implies.

XSS Human Resource Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-12065 LOW POC Monitor

Improper authorization in the WebView URL Handler of the Groww Stock, Mutual Fund, Gold App for Android (all versions up to build 20260805) allows a low-privileged attacker with physical device access to invoke custom URL scheme handlers without proper authorization, enabling unauthorized in-app navigation or bypass of client-side access controls. The CVSS 4.0 score of 0.3 reflects severe exploitation constraints: physical access is mandatory, attack complexity is high, and impact is limited to low integrity compromise with no confirmed confidentiality exposure. A public proof-of-concept is available on GitHub and Google Drive; the vulnerability is not listed in CISA KEV and no vendor patch has been confirmed at time of analysis.

Google Information Disclosure Stock Mutual Fund Gold App
NVD VulDB GitHub
CVSS 4.0
0.3
EPSS
0.0%
CVE-2026-53607 LOW Monitor

Server-Side Request Forgery in ApostropheCMS through version 4.30.0 allows unauthenticated remote attackers to pivot the Node.js application process into issuing outbound HTTP requests to arbitrary hosts on the internal network when the `prettyUrls` SEO feature is explicitly enabled on the `@apostrophecms/file` module. The attack exploits the raw `Host` HTTP request header, which the pretty-URL handler uses verbatim to construct and `fetch()` an upstream URL, streaming the full HTTP response - status code, headers, and body - back to the requester. Practical impact is constrained to blind SSRF (network-topology probing via response-code and timing oracles, and verbose proxy or WAF error-body disclosure) rather than arbitrary data exfiltration; no patch exists at time of publication and no public exploit has been identified.

Node.js SSRF Apostrophe
NVD GitHub
CVSS 3.1
3.7
EPSS
0.0%
CVE-2026-53826 LOW PATCH Monitor

Information disclosure in OpenClaw before 2026.4.26 leaks the real host workspace path through sandboxed session spawning, exposing filesystem location and potentially related memory context to child AI model prompts. Authenticated users with low-privilege access can trigger this by spawning child sessions from sandboxed parent sessions, undermining the isolation guarantees of the sandbox environment. With a CVSS 4.0 score of 2.3, no public exploit code, and no CISA KEV listing, this is a low-severity but architecturally meaningful sandbox escape of information relevant to AI agent deployments.

Information Disclosure Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53835 LOW PATCH Monitor

Configuration enforcement bypass in OpenClaw's Feishu dynamic-agent binding subsystem permits authenticated senders to create or update sender-agent bindings while circumventing configured config-write access controls. All OpenClaw versions prior to 2026.5.6 are affected; an attacker holding valid sender credentials can modify binding state beyond intended policy, potentially redirecting or hijacking agent associations belonging to other users. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog; the CVSS 4.0 score of 2.3 reflects the narrow impact scope and prerequisite deployment conditions.

Authentication Bypass Openclaw
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.0%
CVE-2026-53724 LOW PATCH GHSA Monitor

Stored XSS in Parse Server is achievable by authenticated users who bypass the file upload extension blocklist by appending a trailing dot to a blocked filename (e.g., `poc.svg.`), causing the extension parser to return an empty string and skip the block check. The attacker-supplied Content-Type is forwarded unchanged to cloud storage adapters (S3, GCS), which persist and serve the file under that active MIME type - enabling script execution in a victim's browser when the file URL is opened. No active exploitation is confirmed (not in CISA KEV, EPSS 0.05% at 15th percentile), but the attack mechanism is low-complexity and fully documented in the vendor's fix PRs. Patches are available in versions 8.6.79 and 9.9.1-alpha.4.

File Upload XSS Node.js Parse Server
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.0%
CVE-2026-48485 LOW PATCH Monitor

Mention injection in Quest Bot prior to version 1.1.6 allows Discord server moderators to embed @everyone or @here mass-ping triggers inside warning reasons, which are later replayed unsanitized when the /warns command outputs stored records. While the bot correctly suppresses Discord mentions during warning creation and several other moderation actions (unbanning, unwarning, kicking, muting, unmuting), the /warns display path lacks equivalent output encoding, creating an inconsistent trust boundary. The issue is patched in version 1.1.6 with no public exploit code identified at time of analysis.

Information Disclosure Questbot
NVD GitHub
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy