Skip to main content
CVE-2026-9061 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not sanitize and escape store logo metadata before storing it and outputting it on the Store Locator WordPress plugin before 1.6.9 admin page, allowing high-privileged users such as administrators to perform Stored Cross-Site Scripting attacks even when the `unfiltered_html` capability is disallowed (e.g. in a multisite network).

XSS WordPress Store Locator Wordpress
NVD WPScan VulDB
CVSS 3.1
3.5
EPSS
0.0%
CVE-2026-9062 LOW POC PATCH Monitor

The Store Locator WordPress plugin before 1.6.9 does not validate a parameter before using it in a file path, allowing high-privileged users such as administrators to read arbitrary `.php` files from the server, including configuration files that contain database credentials and authentication keys.

PHP WordPress Store Locator Wordpress Path Traversal
NVD WPScan VulDB
CVSS 3.1
3.4
EPSS
0.0%
CVE-2026-12175 LOW POC Monitor

SQL injection in CodeAstro Student Attendance Management System 1.0 enables authenticated administrators to manipulate the `admissionNumber` parameter in `/attendance-php/Admin/createStudents.php`, allowing arbitrary SQL commands to be passed to the underlying database. Exploitation is constrained to actors who already hold high-privilege admin credentials (PR:H per the CVSS 4.0 vector), but impact spans database confidentiality, integrity, and availability. A public proof-of-concept exploit is available on GitHub; the vulnerability is not listed in CISA KEV, indicating no confirmed widespread exploitation at time of analysis.

PHP SQLi Student Attendance Management System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.0%
CVE-2026-41579 LOW PATCH GHSA Monitor

Host filesystem integrity violations in runc are triggered when the container runtime processes a malicious OCI image where /dev is configured as a symbolic link rather than a directory. An attacker who can deliver such a crafted image - via a public registry, a supply-chain-compromised base image, or a shared CI/CD pipeline - can cause runc to follow the symlink during container device-node initialization, resulting in limited, unintended write operations on the host filesystem outside the container boundary. The vendor-credited reporter (Aleksa Sarai, a known runc maintainer) describes the impact as 'limited host filesystem integrity violations,' falling short of a full container escape. No public exploit has been identified at time of analysis.

Information Disclosure Runc
NVD GitHub VulDB
CVSS 3.1
3.3
EPSS
0.0%
CVE-2026-12176 LOW Monitor

Cross-site scripting in SourceCodester CET Automated Grading System with AI Predictive Analytics 1.0 allows remote attackers to inject and execute arbitrary JavaScript in a victim's browser via the unsanitized `action` parameter in `/index.php`. Publicly available exploit code exists (CVSS 4.0 E:P), and the attack requires no authentication, only that a victim interact with a crafted URL or request. No vendor-released patch has been identified at time of analysis.

PHP XSS Cet Automated Grading System With Ai Predictive Analytics
NVD VulDB
CVSS 4.0
2.1
EPSS
0.0%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy