Skip to main content
CVE-2026-12219 LOW POC Monitor

Command injection in Yealink SIP-T46U firmware 108.86.0.118 enables remote authenticated attackers to execute arbitrary OS commands via the unsanitized `Time` argument passed to the `mod_diagnose.CommandShellByType` function at the `/api/diagnosis/start` diagnostic endpoint. The exploit leverages the Web FastCGI Service's failure to neutralize shell metacharacters before invoking underlying system commands, consistent with CWE-77. A public proof-of-concept exploit archive is confirmed available, no CISA KEV listing exists at time of analysis, and the vendor did not respond to disclosure - leaving the vulnerability unpatched.

Command Injection Sip T46U
NVD VulDB
CVSS 4.0
2.1
EPSS
1.5%
CVE-2026-12223 LOW POC Monitor

Command injection in the Yealink SIP-T46U IP phone firmware 108.86.0.118 enables authenticated, adjacent-network attackers to execute arbitrary operating system commands by manipulating the `ip` or `port` arguments submitted to the `/api/inner/tftpuploadiperf` Web FastCGI endpoint. Publicly available exploit code exists, and Yealink did not respond to responsible disclosure, meaning no vendor-released patch has been identified at time of analysis. No KEV listing confirms active exploitation, but the combination of a public proof-of-concept, an absent vendor response, and a default-enabled attack surface on widely deployed enterprise VoIP phones elevates practical risk beyond the moderate CVSS 4.0 score of 5.1.

Command Injection Sip T46U
NVD VulDB
CVSS 4.0
2.0
EPSS
1.5%
CVE-2026-12210 LOW POC Monitor

Server-side request forgery in python-utcp 1.1.0's utcp-gql and utcp-websocket components allows remote low-privileged attackers to coerce the server into issuing arbitrary outbound HTTP requests, potentially reaching internal infrastructure not exposed to the public internet. The affected library implements the universal-tool-calling-protocol and the vulnerable code paths reside in its GraphQL and WebSocket transport handlers. A public exploit has been disclosed via GitHub, and the vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.

Python SSRF Python Utcp
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12207 LOW POC Monitor

Patient record exposure in medkey EHR (up to commit fc09b7ba9441ff590b72d428d5380834216b09ed) allows authenticated remote users to retrieve arbitrary patient records by manipulating the `id` parameter of the `actionGetPatientById` REST API endpoint - a textbook Insecure Direct Object Reference (BOLA/IDOR) flaw classified under CWE-99. A publicly available proof-of-concept exploit is hosted on GitHub (onyxglitch/Medkey-EHR-IDOR-PoC), materially lowering the exploitation barrier. The vendor did not respond to coordinated disclosure, leaving no confirmed patch and no official advisory for this rolling-release EHR system.

PHP Information Disclosure Medkey
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12206 LOW POC Monitor

SQL injection in Grit42 Grit through version 0.11.0 allows remote low-privileged attackers to manipulate database queries via the DataTableEntity function in the assays module backend. The CVSS 4.0 vector (AV:N/PR:L/E:P) indicates network-exploitable, low-complexity exploitation by authenticated users with a publicly available proof-of-concept. The vendor was notified but did not respond, leaving no official patch available at time of analysis.

SQLi Grit
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12211 LOW POC PATCH Monitor

Path traversal in the Intelbras iNVU 7016 FT NVR web interface allows authenticated high-privilege remote users to read arbitrary files outside the intended syslog directory via the /RPC2_Loadfile/syslog/ endpoint. Affected firmware is version 3.004.00IB000.0.T Build 2025-09-26; the vendor has since released a patched firmware build (2026-05-29). No public exploit identified at time of analysis as KEV-confirmed active exploitation, but a public proof-of-concept writeup exists, elevating practical risk above baseline.

Path Traversal Invu 7016 Ft
NVD VulDB
CVSS 4.0
2.0
EPSS
0.4%
CVE-2026-12202 LOW POC Monitor

Cross-site scripting in Intelliants Subrion CMS up to version 4.0.3 allows an authenticated high-privilege attacker to inject malicious JavaScript via the CSS class name argument in the Blocks Endpoint, executing in a victim user's browser upon viewing the manipulated block. Publicly available exploit code exists (disclosed on HackMD), and the vendor did not respond to responsible disclosure, leaving no patch available at time of analysis. Exploitation is constrained by a high-privilege authentication requirement and mandatory user interaction, limiting opportunistic mass exploitation but posing meaningful insider-threat and compromised-credential risk.

XSS Subrion Cms
NVD VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-12201 LOW POC Monitor

Permission misconfiguration in IObit Malware Fighter's DLL Handler component (versions up to 13.2.0) allows a local low-privileged attacker to exploit insecure resource permissions, resulting in low-severity confidentiality, integrity, and availability impacts. The vulnerability stems from CWE-275 (Improper Permission Assignment for a Resource), and a public proof-of-concept exploit is available via GitHub and a researcher blog post. The vendor was notified prior to disclosure but did not respond, meaning no official patch or mitigation guidance has been issued.

Information Disclosure Malware Fighter
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-48709 LOW POC PATCH GHSA Monitor

OliveTin's ValidateArgumentType RPC endpoint exposes action binding IDs and argument configurations to unauthenticated network requesters in all versions prior to 3000.13.0, functioning as an enumeration oracle. The bypass is particularly counterintuitive because it manifests specifically when AuthRequireGuestsToLogin is enabled - the hardened security posture - meaning operators who consciously locked down their instance are the ones exposed. The confidentiality impact is limited to internal action metadata (no credentials, no command execution), and no public exploit has been identified at time of analysis.

Authentication Bypass Oracle Olivetin
NVD GitHub
CVSS 3.1
3.7
EPSS
0.3%
CVE-2026-53540 LOW PATCH GHSA Monitor

Memory exhaustion in python-multipart's parse_form() function allows a remote attacker to force unbounded body buffering by supplying a negative Content-Length header, degrading server availability under concurrent load. Affected deployments are narrowly scoped: only bespoke WSGI or http.server handlers that pass raw, unvalidated client-supplied Content-Length values directly into parse_form(). Mainstream consumers such as Starlette, FastAPI, and Werkzeug are not affected. No public exploit code exists and this vulnerability is not listed in the CISA KEV catalog, consistent with the low CVSS base score of 3.7.

Denial Of Service
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-53538 LOW PATCH GHSA Monitor

Parser differential in python-multipart's QuerystringParser enables HTTP parameter pollution against applications protected by WHATWG-compliant upstream components (WAFs, API gateways). Versions prior to 0.0.30 tokenize semicolons as field separators in application/x-www-form-urlencoded bodies - diverging from WHATWG, modern browsers, and Python's urllib.parse - allowing an attacker to craft a request body whose fields are parsed differently by an upstream body inspector than by the backend, smuggling form parameters the intermediary never validated. No public exploit code and no CISA KEV listing have been identified at time of analysis, but the attack primitive is well-understood and mirrors the class of issue fixed in CPython as CVE-2021-23336.

Python Information Disclosure
NVD GitHub VulDB
CVSS 3.1
3.7
EPSS
0.2%
CVE-2026-49356 LOW PATCH GHSA Monitor

Arbitrary source map file read in @babel/core allows an attacker who controls Babel's input source code to exfiltrate any source map file (.map) accessible to the process running Babel, provided the attacker can also read the compilation output and knows the target file path. This affects all @babel/core versions up to and including 7.29.0 and the 8.0.0 alpha/rc series prior to 8.0.0-rc.6. No public exploit is identified at time of analysis, and exploitation is constrained by three simultaneous conditions, but the vulnerability is significant in environments that compile untrusted or externally submitted code - such as online transpilers, CI/CD pipelines accepting external PRs, or multi-tenant build services.

Path Traversal
NVD GitHub VulDB
CVSS 3.1
3.6
EPSS
0.1%
CVE-2026-53663 LOW PATCH GHSA Monitor

Incomplete CSRF protection in React Router v7 Framework Mode leaves PUT, PATCH, and DELETE document requests unguarded while POST requests are correctly validated. Applications running react-router 7.12.0-7.15.0 or @remix-run/server-runtime 2.17.3-2.17.4 in Framework Mode are the exclusive attack surface - Declarative and Data Mode deployments are unaffected. Real-world exploitability is substantially constrained by modern browser defaults (SameSite=Lax cookies, CORS preflight), meaning successful exploitation requires a browser or cookie configuration that bypasses these ambient controls; no public exploit code exists and this vulnerability is not in CISA KEV.

CSRF
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.1%
CVE-2026-54275 LOW PATCH GHSA Monitor

TLS SNI hostname validation in aiohttp is silently bypassed when a keep-alive connection is reused from the connection pool, allowing per-request `server_hostname` overrides to be ignored on subsequent requests to the same host. Applications relying on dynamic per-request SNI to enforce tenant isolation, proxy routing, or custom certificate validation are at risk of connecting under the wrong TLS identity without any error raised. No public exploit code has been identified and the vulnerability is not listed in CISA KEV; a vendor-released patch is available in aiohttp 3.14.1.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.7
EPSS
0.3%
CVE-2026-12212 LOW Monitor

Improper access controls in Huly Platform's RPC interface allow an authenticated remote attacker with low privileges to invoke the `getMailboxSecret` function in `server/account/src/operations.ts` and retrieve mailbox secrets they are not authorized to access. Versions up to and including 0.7.0 of hcengineering's Huly Platform are confirmed affected. A public proof-of-concept exploit has been disclosed (reflected in the CVSS 4.0 E:P modifier); no vendor patch exists as the vendor did not respond to responsible disclosure, leaving all users of affected versions exposed with no official remediation path.

Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12213 LOW Monitor

Improper authorization in Huly Platform up to version 0.7.0 allows authenticated low-privilege users to remotely invoke the `getAccountInfo` function in `server/account/src/operations.ts` and retrieve account information beyond their authorized scope. The vulnerability is classified under CWE-266 (Incorrect Privilege Assignment), with impact confined to limited confidentiality disclosure - no integrity or availability impact is present. A public proof-of-concept exploit exists (CVSS 4.0 E:P); no vendor patch is available as the vendor did not respond to coordinated disclosure.

Information Disclosure
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12216 LOW Monitor

Memory corruption in Duktape's bytecode API (duk_api_bytecode.c) allows local low-privilege attackers to corrupt process memory by supplying a crafted count_instr argument during bytecode processing. All Duktape versions up to 2.99.99 are affected. A public proof-of-concept exploit exists, though the CVSS 4.0 score of 1.9 reflects constrained real-world impact - local access and low privileges are required, and confidentiality, integrity, and availability impact is rated low. No patch is available; the vendor did not respond to coordinated disclosure.

Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-54280 LOW PATCH GHSA Monitor

Resource leak in aiohttp's response write_eof method allows unauthenticated remote attackers to cause temporary file descriptor exhaustion by repeatedly disconnecting mid-response. All aiohttp versions up to and including 3.14.0 fail to invoke Payload.close() when a write is interrupted by a client disconnection, exception, or asyncio task cancellation, leaving file handles and similar OS-level resources open until Python's garbage collector intervenes. No public exploit code exists and no active exploitation has been confirmed; however, the attack requires no authentication, no special configuration, and is straightforward to automate against any endpoint serving file-backed responses. The advisory's 'Information Disclosure' tag appears inconsistent with the actual impact, which is purely availability (transient resource starvation).

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.7
EPSS
0.2%
CVE-2026-54279 LOW PATCH GHSA Monitor

Cookie scope escalation in aiohttp's CookieJar persistence layer causes host-only cookies to lose their host-restricted status after a save/load cycle, allowing them to be transmitted to subdomains that the original server never authorized to receive them. Applications using pip/aiohttp <= 3.14.0 that invoke CookieJar.save() and CookieJar.load() for session persistence are affected. No public exploit code has been identified at time of analysis, but the impact is information disclosure: sensitive cookies - including session tokens or authentication credentials - may be sent to unintended subdomain endpoints, violating the HTTP cookie scoping model.

Information Disclosure
NVD GitHub VulDB
CVSS 4.0
1.3
EPSS
0.3%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy