Skip to main content
CVE-2026-12814 LOW POC Monitor

OS command injection in Comfast CF-WR631AX V3 firmware (versions 2.7.0.0 through 2.7.0.8) allows an authenticated remote attacker to execute arbitrary operating system commands by injecting shell metacharacters into the `destination` parameter of the ping configuration API endpoint at /cgi-bin/mbox-config?section=ping_config. A detailed public exploit analysis report is available on GitHub, materially lowering the exploitation barrier, though no CISA KEV listing confirms active in-the-wild campaigns at time of analysis. The vendor was notified prior to disclosure and did not respond, leaving all known firmware versions without a patch.

Command Injection Cf Wr631Ax V3
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12813 LOW POC Monitor

Server-side request forgery in Activepieces through version 0.83.0 enables authenticated remote attackers to coerce the server into issuing arbitrary HTTP requests to attacker-controlled destinations via the `handleUrlFile` function in the File URL Handler component. The vulnerability spans the entire documented release history from 0.1 to 0.83.0, and a public exploit write-up is available on GitHub, materially lowering the exploitation barrier. The vendor did not respond to responsible disclosure, meaning no patch has been released at time of analysis and no official remediation guidance exists.

SSRF Activepieces
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12810 LOW POC Monitor

Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows network-adjacent authenticated attackers to execute arbitrary OS commands via the `command` argument in POST requests to the `/goform/mp` endpoint. The vulnerability is rooted in insufficient input sanitization in the `mp` form handler, exposing the router's underlying OS to attacker-controlled commands. A public proof-of-concept exploit has been released and the vendor has not responded to disclosure, leaving no patch available - the device remains unmitigated at time of analysis.

Command Injection Br 6478Ac V2
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12809 LOW POC Monitor

Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privilege credentials to execute arbitrary OS commands by embedding shell metacharacters in the `newpass` argument of POST requests to the `/goform/wiz_5in1_redirect` endpoint. A public proof-of-concept exploit exists and is referenced in the VulDB disclosure, making this straightforwardly reproducible. The vendor has not responded to coordinated disclosure, leaving no official patch available - a significant concern for a SOHO network gateway that sits at the perimeter of home and small-office networks.

Command Injection Br 6478Ac V2
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12808 LOW POC Monitor

Command injection in the Edimax BR-6478AC V2 router (firmware 1.23) allows authenticated remote attackers to execute arbitrary OS commands by manipulating the `interface` argument in POST requests to `/goform/stainfo`. No patch is available - Edimax did not respond to coordinated disclosure - and a public proof-of-concept exploit exists, making this a persistent, unmitigated risk on deployed devices. The vendor-reported CVSS 4.0 score of 2.1 appears to significantly understate actual impact, as unrestricted command injection on embedded router firmware typically enables full system control rather than merely low-severity limited access.

Command Injection Br 6478Ac V2
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12807 LOW POC Monitor

Command injection in Edimax BR-6478AC V2 firmware 1.23 allows remote attackers with low-privileged web interface access to execute arbitrary OS commands by injecting shell metacharacters into WAN credential parameters submitted via POST to /goform/setWAN. A public proof-of-concept exploit is documented and available, the vendor did not respond to coordinated disclosure, and no patch exists - leaving only compensating controls as mitigation. No public exploit identified at time of analysis in CISA KEV, but the combination of public PoC, zero vendor response, and SOHO device deployment patterns represents materially elevated real-world risk.

Command Injection Br 6478Ac V2
NVD VulDB
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12788 LOW POC Monitor

XML External Entity (XXE) injection in zhilink ADP Application Developer Platform 1.0.0 enables authenticated remote attackers to manipulate the XML parser at the /adpweb/a/base/barcodeDetail/import endpoint, potentially exposing local files or facilitating server-side request forgery against internal infrastructure. The CVSS 4.0 vector (PR:L, E:P) confirms low-privilege exploitation with a publicly disclosed proof-of-concept published on Feishu. The vendor did not respond to pre-disclosure contact, leaving no official patch available at time of analysis.

XXE Adp Application Developer Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12787 LOW POC Monitor

Unsafe deserialization in zhilink ADP Application Developer Platform 1.0.0 exposes the testConnection endpoint to remote exploitation by low-privilege authenticated users via manipulation of the jdbcUrl parameter. A public exploit has been published (linked via Feishu document) despite vendor non-response to coordinated disclosure. No public exploit identified at time of analysis meets the KEV threshold, but the combination of public PoC, network-accessible endpoint, and no patch raises operational risk - particularly for organizations running this Chinese low-code/RAD platform internally.

Deserialization Adp Application Developer Platform
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-12776 LOW POC Monitor

SQL injection in Montodel House-Rental-Management exposes database contents and integrity to authenticated remote attackers via the unsanitized ID parameter at /index.php?page=houses. All tracked commits up to 90010017b81265eb1ef3810268909f7719a33863 are affected, with no patched release available as the vendor did not respond to coordinated disclosure. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), lowering the bar for exploitation; however, the required authenticated context and limited per-query impact keep the overall risk score low at CVSS 4.0 2.1.

SQLi PHP House Rental Management
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-56412 MEDIUM PATCH This Month

Use-after-free in libexpat before 2.8.2 arises from the `doCdataSection` function omitting `beforeHandler`/`afterHandler` depth-tracking calls for `XML_TOK_DATA_CHARS` tokens during CDATA section parsing - an incomplete fix for the related CVE-2026-50219. When a policy violation occurs during handler callback invocation in this code path, the parser's internal call-depth counter becomes inconsistent, enabling a use-after-free condition. An attacker supplying specially crafted XML to any libexpat-consuming application may trigger limited memory corruption, information disclosure, or availability impact under high-complexity conditions; no public exploit is identified at time of analysis and no CISA KEV listing exists.

Information Disclosure Use After Free Memory Corruption Libexpat Red Hat +1
NVD GitHub VulDB
CVSS 3.1
5.9
EPSS
0.1%
CVE-2026-56384 MEDIUM PATCH This Month

Missing authorization in the Craft CMS `assets/preview-thumb` Control Panel endpoint allows any authenticated low-privilege CP user to obtain signed transform preview URLs for private assets they are not permitted to view, by supplying an attacker-controlled `assetId`. Affected installations span the 4.x branch (4.0.0-RC1 through 4.17.7) and 5.x branch (5.0.0-RC1 through 5.9.13); patches are available in 4.17.8 and 5.9.14. No public exploit or active exploitation has been identified at time of analysis.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-12771 LOW POC Monitor

Improper authorization in LiteLLM's M2M JWT Handler (litellm/proxy/auth/user_api_key_auth.py) enables remote attackers holding low-level credentials to bypass authorization controls in versions 1.82.0 through 1.82.2. The flaw resides in the machine-to-machine JWT authentication pathway of the LiteLLM proxy layer, where manipulated JWT inputs cause the handler to make incorrect authorization decisions, potentially granting unauthorized access to proxied LLM API resources. No active exploitation has been confirmed by CISA KEV, though publicly available exploit code exists (GitHub gist by YLChen-007), and the CVSS 4.0 vector carries an E:P temporal modifier reflecting this proof-of-concept availability; overall risk is tempered by high attack complexity.

Authentication Bypass Litellm
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-56385 MEDIUM PATCH This Month

Authorization bypass in Craft CMS's `assets/preview-file` endpoint exposes private asset preview content to authenticated low-privileged users who lack view permission on the targeted asset. Affected installations running Craft CMS 4.0.0-RC1 through 4.17.7 or 5.0.0-RC1 through 5.9.13 with mixed-privilege users and private assets are vulnerable to unauthorized disclosure of preview HTML and private asset image routes. No public exploit or CISA KEV listing has been identified; patches are available in versions 4.17.8 and 5.9.14.

Authentication Bypass Cms
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56383 MEDIUM PATCH This Month

Stored XSS in Craft CMS's Table field component allows an authenticated administrator to persist arbitrary JavaScript via the Row Heading column type's default values, executing in the browser of any subsequent user who views a page rendering the affected table field. Affected deployments span Craft CMS 4.5.0-beta.1 through 4.16.18 and 5.0.0-RC1 through 5.8.22; patches are available in 4.16.19 and 5.8.23. No public exploit code has been identified at time of analysis and the CVE is not listed in CISA KEV, though the GHSA advisory published a working proof-of-concept payload, and real-world risk is substantially constrained by the non-default allowAdminChanges production setting.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56393 MEDIUM PATCH This Month

Stored XSS in Craft CMS 4.x and 5.x allows an authenticated administrator to persist malicious JavaScript payloads in settings fields - section names, volume names, user group names, global set names, generated field names, checkbox/radio option labels, and custom source labels - that execute in other users' control-panel browser sessions when those pages are visited. The attack surface spans seven distinct injection points across the admin settings UI, all sharing the same root defect in Twig template rendering. No public exploit identified at time of analysis, though a proof of concept is documented in the upstream security advisory GHSA-4mgv-366x-qxvx, and the upstream CHANGELOG characterizes the severity as low.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.2%
CVE-2026-56381 MEDIUM PATCH This Month

Stored XSS in Craft CMS (versions 5.0.0-RC1 through 5.8.21) allows an admin-level attacker to permanently embed malicious JavaScript into the User Permissions page by crafting a user group name with an unsanitized HTML payload. The script executes in the browser of any user who subsequently opens the Permissions tab on a user's edit page, creating a persistent cross-user attack vector within the control panel. Vendor-confirmed proof-of-concept steps are publicly documented in GHSA-g3hp-vvqf-8vw6; no confirmed active exploitation or CISA KEV listing at time of analysis.

XSS Cms
NVD GitHub VulDB
CVSS 4.0
4.6
EPSS
0.1%
CVE-2026-12821 LOW Monitor

Path traversal in FlowiseAI Flowise's S3 Document Loader component (packages/components/nodes/documentloaders/S3/S3.ts) enables authenticated remote attackers to manipulate S3 object key inputs to access files outside the intended storage scope. Versions 3.1.0 through 3.1.2 are confirmed affected. Publicly available exploit code exists (E:P in the CVSS 4.0 vector), and the vendor did not respond to responsible disclosure, leaving no vendor-confirmed patch at time of analysis.

Path Traversal Flowise
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12815 LOW Monitor

OS command injection in Coolify 4.0.0's Image Name Handler allows authenticated remote attackers to execute arbitrary operating system commands by manipulating image name inputs. Coolify is a self-hosted PaaS that orchestrates Docker deployments, making server-side command injection in its image handling pipeline particularly high-impact - the platform typically operates with Docker daemon privileges. Publicly available exploit code exists (CVSS 4.0 E:P, corroborated by a GitHub PoC writeup); no public confirmation of active exploitation is present, and no vendor response to the coordinated disclosure was received.

Command Injection Coolify
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-12804 LOW Monitor

Open redirect in LemonLDAP::NG versions up to and including 2.23.0 allows unauthenticated remote attackers to manipulate the `url` argument within the SAML Common Domain Cookie (CDC) endpoint, causing authenticated SSO users to be silently forwarded to arbitrary attacker-controlled domains. The SSO context makes this particularly high-consequence for phishing: victims trust the identity provider's domain, lowering suspicion of the crafted redirect URL. Publicly available exploit code exists (CVSS 4.0 E:P); no vendor patch has been confirmed, as the vendor was unresponsive to responsible disclosure by VulDB.

Open Redirect Lemonldap Ng
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-12789 LOW Monitor

SQL injection in ILIAS Learning Management System 11.0 allows a remote, high-privileged attacker to manipulate database queries via the Learning Progress Tracking component. The `troup_table_nav` argument passed to `ilTrQuery::executeQueries` in `components/ILIAS/Tracking/classes/class.ilTrQuery.php` is incorporated into SQL statements without adequate sanitization, enabling low-impact reads and writes against the underlying database. Publicly available exploit code exists (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, meaning no official patch has been issued.

SQLi PHP Learning Management System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-12812 LOW Monitor

HTML injection in Radware Cyber Controller's HTML Report Generation component allows authenticated remote attackers to embed arbitrary HTML tags - including script-related content - into generated reports, enabling potential cross-site scripting scenarios targeting users who view those reports. All 10.x releases through 10.11.0 are confirmed affected per ENISA EUVD-2026-38198. A public proof-of-concept exploit has been disclosed (CVSS 4.0 E:P); the vendor was notified but did not respond, leaving no vendor-released patch available at time of analysis.

XSS Cyber Controller
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy