Skip to main content
CVE-2026-14628 MEDIUM POC This Month

Path traversal in NousResearch hermes-agent (all versions through 2026.5.16) exposes arbitrary server-side files via the Live Webhook Endpoint's `extract_media` function in `gateway/platforms/base.py`. Remote, unauthenticated attackers can read files outside the intended directory, resulting in low-confidentiality-impact disclosure - potentially exposing configuration files, credentials, or internal data. A public proof-of-concept exploit is available on GitHub; however, this vulnerability has not been listed in CISA KEV, indicating active exploitation is not yet confirmed at time of analysis.

Path Traversal Hermes Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.6%
CVE-2026-14622 MEDIUM POC This Month

Unauthenticated access to the administrative AJAX endpoint in jairiidriss/restaurant-website-php-mysql exposes backend admin functions to any remote attacker without credentials. The /admin/ajax_files endpoint fails to enforce authentication (CWE-306), allowing manipulation of whatever administrative operations it services - likely CRUD operations on menu items, orders, or reservations. No CISA KEV listing exists, but a public proof-of-concept was published via GitHub issue #6, and the maintainer has not responded to disclosure, leaving all deployments up to commit 521428b5b612449df0cf4a5d15ee40cba67f3d35 unpatched.

Authentication Bypass Restaurant Website Php Mysql
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14635 MEDIUM POC PATCH This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap exposes server-side files and upload directories to manipulation via the unsanitized `folder` parameter in the Vendor Multi-Image Endpoint (AddProduct.php), enabling remote attackers to read or write files outside the designated upload path. A public exploit has been released per GitHub Security Advisory GHSA-6whv-r5hm-vcjr and the CVSS 4.0 E:P modifier confirms proof-of-concept availability, with a base score of 6.9 reflecting low-complexity network exploitation. No CISA KEV listing was identified; however, all deployed instances cloned prior to patch commit 2a9497ff are exposed, as this is a rolling-release project with no discrete versioned releases.

Path Traversal PHP Ecommerce Codeigniter Bootstrap
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14641 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_course.php` endpoint to unauthenticated remote database manipulation via a malicious `id` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier remote exploitation with no authentication or user interaction required, and a public proof-of-concept exploit has been disclosed on GitHub. No active exploitation is confirmed in CISA KEV, though the combination of a public POC and fully unauthenticated attack path elevates practical risk for any internet-exposed deployment.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14660 MEDIUM POC This Month

SQL injection in code-projects Online Job Portal 1.0 exposes the login.php endpoint to remote unauthenticated exploitation via the txtUser and txtPass parameters, enabling attackers to manipulate backend SQL queries without any credentials or user interaction. A public proof-of-concept exploit is documented on GitHub, significantly lowering the barrier to attack for any internet-exposed instance. No patch has been identified from the vendor at time of analysis; the wildcard CPE suggests all versions are affected.

SQLi PHP Online Job Portal
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14653 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 enables remote, unauthenticated attackers to manipulate database queries through the user_id parameter in /admin/mensproductdeletequery.php, exposing partial confidentiality, integrity, and availability of the underlying database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) indicates no authentication or special conditions are required for exploitation over the network. A public exploit has been disclosed on GitHub, elevating the practical risk above the raw score suggests - though this is not confirmed as actively exploited by CISA KEV at time of analysis.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14652 MEDIUM POC This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the admin login interface to remote unauthenticated attackers through unsanitized input in the Username parameter of /admin/login.php. The CVSS 4.0 score of 6.9 (Medium) reflects limited per-request impact (VC:L/VI:L/VA:L), but a publicly available proof-of-concept exploit (E:P) on GitHub substantially lowers the exploitation bar for opportunistic attackers. No KEV listing exists at time of analysis; however, the trivial attack complexity (AC:L, AT:N, PR:N, UI:N) combined with public exploit code makes any internet-facing deployment of this script an immediate remediation priority.

SQLi PHP Simple And Nice Shopping Cart Script
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14642 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the database to remote unauthenticated attackers via the unvalidated ID parameter in /edit_class2.php. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms trivial, unauthenticated remote exploitation requiring no special conditions. Publicly available exploit code (E:P) lowers the bar to exploitation further, though the product's niche deployment footprint significantly limits real-world blast radius. No KEV listing; no patch identified at time of analysis.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14648 MEDIUM POC This Month

Unauthenticated SQL injection in code-projects Online Voting System 0.x-1.0 exposes the admin login endpoint to full authentication bypass and database extraction. The vulnerability resides in the `test_input` function within `/authentication.php`, where the `adminUserName` and `adminPassword` parameters are passed unsanitized into SQL queries, enabling classic injection attacks against the login form. A public proof-of-concept exploit has been published on GitHub; no vendor patch has been identified at time of analysis.

SQLi PHP Online Voting System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14640 MEDIUM POC This Month

SQL injection in CodeAstro Apartment Visitor Management System 1.0 exposes the login endpoint at /index.php to unauthenticated remote attackers who can manipulate the Username parameter to execute arbitrary SQL queries against the backend database. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero prerequisites for exploitation, and the E:P modifier reflects a publicly available proof-of-concept on GitHub. No CISA KEV listing was found at time of analysis, but the combination of an exposed login surface, no authentication barrier, and live POC code materially elevates practical risk beyond the medium CVSS score of 6.9.

SQLi PHP Apartment Visitor Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14649 MEDIUM This Month

SQL injection in code-projects Online Voting System 1.0 exposes remote unauthenticated attackers a direct path to manipulate backend database queries through four parameters in the vote submission endpoint /saveVote.php. The test_input function - intended as a sanitization layer - fails to neutralize SQL metacharacters across voterName, voterEmail, voterID, and selectedCandidate, indicating a systemic rather than isolated input-handling failure. A publicly available proof-of-concept exists on GitHub, lowering the exploitation barrier, though real-world exposure is substantially constrained by the product's near-zero production deployment footprint as an educational PHP project.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14654 MEDIUM This Month

SQL injection in SourceCodester Simple and Nice Shopping Cart Script 1.0 exposes the database to remote query manipulation via the `user_id` parameter in `/admin/girlsproductdeletequery.php`. The CVSS 4.0 vector rates this as network-exploitable with no authentication required (PR:N), though the `/admin/` path location raises questions about whether authentication is enforced in practice - a discrepancy worth verifying in deployment. A publicly available exploit exists per VulDB, though the vulnerability is not listed in CISA KEV and the overall CVSS 4.0 score of 5.5 reflects limited impact across confidentiality, integrity, and availability.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14636 MEDIUM This Month

Path traversal in kirilkirkov's Ecommerce-CodeIgniter-Bootstrap allows authenticated remote attackers to manipulate filesystem paths via the unsanitized `folder` argument in the Vendor Image Manager's `do_upload_others_images` function. The flaw in `application/modules/vendor/controllers/AddProduct.php` permits directory traversal sequences to redirect file-write operations outside the intended upload directory, resulting in limited integrity and availability impact. No active exploitation has been confirmed (not in CISA KEV), and no public exploit code has been identified at time of analysis.

Path Traversal PHP
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.3%
CVE-2024-1248 MEDIUM This Month

The silent Just-In-Time (JIT) provisioning feature in federated authentication implementations fails to properly segregate user roles during account creation when a federated user shares a username. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Information Disclosure Wso2 Api Manager Wso2 Identity Server Wso2 Identity Server As Key Manager Wso2 Open Banking Am +1
NVD
CVSS 3.1
5.3
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy