Skip to main content
CVE-2026-59509 CRITICAL POC PATCH Act Now

Arbitrary MongoDB collection disclosure in cve-search allows a remote, unauthenticated attacker to read any application database collection through the POST /fetch_cve_data endpoint by manipulating the collection name, projected fields, and regex filter parameters. Attackers can dump the mgmt_users collection to harvest administrative usernames and password hashes for offline cracking. Publicly available exploit code exists (referenced in the project issue tracker) and a vendor patch is available, though no active exploitation has been reported.

Information Disclosure Cve Search
NVD GitHub VulDB
CVSS 4.0
9.2
EPSS
0.3%
CVE-2026-14721 HIGH POC This Week

Stack-based buffer overflow in the UTT HiPER 1250GW SOHO router (firmware through 3.2.7-210907-180535) lets a network-adjacent attacker corrupt memory by supplying an oversized 'ssid' argument to the /goform/ConfigWirelessBase_5g web handler, potentially achieving code execution or a device crash. The flaw is remotely reachable via the device's web management interface and carries a CVSS 4.0 base score of 7.4 (PR:L, indicating some authentication to the web UI is expected). Publicly available exploit code exists (disclosed via VulDB and a GitHub PoC), though there is no public exploit identified as being actively used in the wild.

Buffer Overflow Stack Overflow Hiper 1250Gw
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-53913 CRITICAL PATCH Act Now

Authentication bypass in Apache Camel's camel-keycloak component (versions 4.15.0-4.18.2 and 4.19.0-4.20.x) allows any caller presenting a non-null Authorization: Bearer header value - including an arbitrary string or a forged, unsigned JWT - to bypass Keycloak token verification entirely and access routes protected by KeycloakSecurityPolicy. The cryptographic token checks (signature, issuer, expiry) are embedded exclusively inside role and permission validation routines that are never invoked when requiredRoles and requiredPermissions are empty, which is the documented default 'Basic Setup.' Where the protected route connects to a code-execution-capable Camel producer, this authentication bypass can escalate to unauthenticated remote code execution; no public exploit has been identified at time of analysis.

Authentication Bypass Apache RCE Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-14714 MEDIUM POC PATCH This Month

Missing authentication in CowAgent 2.1.0's /wx WeChat endpoint allows remote unauthenticated attackers to bypass server verification by supplying an empty or default wechatmp_token, causing the underlying HMAC signature check to silently degenerate into a predictable hash. The vendor confirms the flaw exists in verify_server() within channel/wechatmp/common.py, where no explicit non-empty token guard was enforced, making the endpoint fail open rather than closed. A public proof-of-concept exists (GitHub issue #2860), and the fix is available in version 2.1.1; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Chatgpt On Wechat Cowagent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14687 MEDIUM POC PATCH This Month

Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in `_deduplicate_results` within `InsightEngine/agent.py`. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. No active exploitation has been confirmed by CISA KEV; a fix pull request (PR #689) has been submitted but not yet merged.

Information Disclosure Bettafish
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14749 MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14722 MEDIUM POC This Month

Code injection in TidGi-Desktop up to version 0.13.0 allows remote attackers to execute arbitrary code through the application's Git Repository Import feature, specifically within the sub-wiki loading worker. The flaw resides in `src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts`, where externally-sourced Git repository content is processed without adequate code-injection safeguards (CWE-94). A public exploit has been disclosed and referenced via the GitHub security advisory GHSA-9hc2-hjx8-q6pv, though no CISA KEV listing exists at time of analysis.

Code Injection RCE Tidgi Desktop
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14719 MEDIUM POC This Month

Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.

Privilege Escalation PHP Onlne Examination Learning Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14690 MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14688 MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14771 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14769 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14764 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14763 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14756 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14755 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14750 MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14746 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14745 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14744 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14743 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14713 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14705 MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14700 MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14695 MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14737 MEDIUM POC This Month

SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 exposes the /sysAuthStr/querySysAuthStr.do endpoint to unauthenticated remote database manipulation via the unsanitized `order` parameter. The endpoint handles system authorization strings, meaning successful exploitation likely targets credential or access-control records - a high-sensitivity data class despite the vendor-assigned Low impact ratings. A public proof-of-concept is documented via VulDB (no CISA KEV listing at time of analysis); no EPSS score was provided in the source intelligence.

SQLi E Face General Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-9085 HIGH PATCH This Week

Local privilege abuse in TUBITAK BILGEM Pardus-Parental-Control (versions up to and including 0.5.1, fixed in 0.7.0) lets a low-privileged local user exploit insecure file/resource permissions to tamper with the tool's DNS configuration and perform DNS spoofing. Because the CVSS scope is changed (S:C), the impact reaches beyond the application to system-wide name resolution, enabling redirection of traffic, bypass of parental filtering, and interception of connections. There is no public exploit identified at time of analysis, but the reachable local vector and low complexity make this a practical concern on shared or managed Pardus endpoints.

Information Disclosure Pardus Parental Control
NVD VulDB
CVSS 3.1
8.8
EPSS
0.1%
CVE-2026-12250 HIGH PATCH This Week

Sensitive information exposure in Pardus Domain Joiner (versions 0.5.2 up to but not including 0.5.4) lets a local low-privileged user harvest secrets — most plausibly domain-join credentials — that the tool passes as visible arguments when invoking a child process. TUBITAK BILGEM's utility enrolls Pardus (a Turkish Debian-based distribution) endpoints into a directory/domain, so the leaked material can be Active Directory or LDAP bind credentials. There is no public exploit identified at time of analysis and the flaw is not in CISA KEV, but the fix in 0.5.4 confirms the issue is vendor-acknowledged.

Information Disclosure Pardus Domain Joiner
NVD VulDB
CVSS 3.1
7.9
EPSS
0.1%
CVE-2026-6509 HIGH PATCH This Week

Local privilege escalation in Pardus Update (versions <=0.6.3, fixed in 0.6.6), the software-update component of TÜBİTAK BİLGEM's Debian-based Pardus Linux distribution, allows a low-privileged local user to perform actions they should not be authorized for and escalate to root-level control. The CWE-862 Missing Authorization flaw carries CVSS 7.8 with high confidentiality, integrity, and availability impact. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass Privilege Escalation
NVD VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-55993 HIGH PATCH This Week

Server-side request forgery and secret disclosure in Apache Camel's camel-atmosphere-websocket component allow a remote attacker to hijack downstream server-side HTTP requests by injecting Camel control headers as WebSocket query parameters. Affecting Camel 4.0.0-4.14.7, 4.15.0-4.18.2 and 4.19.0-4.20.x, the flaw lets an attacker set CamelHttpUri to redirect internal HTTP calls (e.g., to cloud metadata endpoints) and force resolution of Camel property placeholders, leaking environment variables, application properties and vault secrets. Where the WebSocket endpoint is exposed without authentication the issue is unauthenticated (CVSS 7.5); there is no public exploit identified at time of analysis and EPSS is low (0.24%).

Hashicorp SSRF Microsoft Apache Camel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-46726 HIGH PATCH This Week

Server-side request forgery and secret disclosure in Apache Camel's camel-vertx-websocket component (versions 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x) let a WebSocket client inject Camel-internal control headers such as CamelHttpUri because inbound query/path parameters are copied into the Exchange header map without a HeaderFilterStrategy. In routes that bridge the WebSocket consumer into a downstream HTTP producer, an attacker can redirect the server-side HTTP request to internal services or cloud metadata endpoints, and because the HTTP producer resolves Camel property placeholders on the attacker-supplied URI, environment variables, application properties, and vault secrets are resolved and exfiltrated. When the WebSocket endpoint is exposed without authentication (PR:N per CVSS), this is reachable by an unauthenticated remote attacker; there is no public exploit identified at time of analysis, and EPSS is low at 0.24%.

Hashicorp SSRF Microsoft Apache Camel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-14570 HIGH PATCH This Week

Crypt::DSA versions before 1.22 for Perl draw the DSA signing nonce and private key from a biased random generator, leading to private-key recovery. "Crypt::DSA::Util::makerandom forces the high bit of every value it returns to obtain an exactly N-bit integer for prime search. The signing nonce and the private key are drawn from makerandom. Because the high bit is always set, the result is not uniform: its top bit is fixed, producing insecure values." An attacker who collects a modest number of signatures under an affected key, together with the public key, can recover the private key with a lattice attack. Keys used to sign with an affected version should be considered compromised and new keys should be generated.

Information Disclosure Crypt Red Hat
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-55994 HIGH PATCH This Week

Server-side request forgery and secret disclosure in the Apache Camel camel-iggy consumer (versions 4.17.0-4.18.2 and 4.19.0-4.20.x) allow an actor able to publish to a consumed Iggy stream to inject Camel control headers such as CamelHttpUri into the Exchange. When the consumer feeds a downstream HTTP producer, the attacker redirects the server-side request to internal services or cloud metadata endpoints, and because the producer resolves Camel property placeholders on the attacker-controlled URI, environment variables, application properties, and vault secrets are exfiltrated. No public exploit identified at time of analysis, and EPSS is low (0.15%), but the confidentiality impact is rated High.

Hashicorp SSRF Microsoft Apache Camel
NVD VulDB
CVSS 3.1
7.5
EPSS
0.2%
CVE-2026-59510 HIGH PATCH This Week

Path traversal in AIL Framework's PDF object handling lets an authenticated user read files outside the intended PDF storage directory. The PDF.get_filepath() function joined the configured PDF_FOLDER with an attacker-influenced object identifier without validating the resolved location, so crafted relative traversal sequences or absolute path components could point AIL at arbitrary files readable by the service account, exposing configuration, credentials, or other local secrets. No public exploit identified at time of analysis, and the vendor notes exploitation is only potential because additional errors must be overcome before the traversal executes.

Path Traversal Ail Framework
NVD GitHub VulDB
CVSS 4.0
7.1
EPSS
0.4%
CVE-2026-14747 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-14738 LOW POC PATCH Monitor

Weak hashing in exo-explore exo up to version 1.0.71 exposes the Vision Feature Cache to hash collision attacks via the `_image_cache_key` function in `src/exo/worker/engines/mlx/vision.py`. A remote, unauthenticated attacker capable of engineering the necessary collision inputs could disclose cached vision feature data, yielding a low confidentiality impact. Publicly available exploit code exists (referenced in GitHub issue #2151), though high attack complexity (AC:H) and the absence of a CISA KEV listing indicate no confirmed widespread active exploitation at time of analysis.

Information Disclosure Exo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.2%
CVE-2026-48203 CRITICAL PATCH Act Now

Server-side request forgery and parameter/field injection in the Apache Camel camel-solr component (versions 4.0.0 through 4.14.7, 4.15.0 through 4.18.2, and 4.19.0 through 4.20.x) allow remote attackers to hijack Solr requests issued by a Camel route. Because the SolrParam. and SolrField. header prefixes lack the Camel/camel namespace, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so any client hitting a route that bridges an HTTP consumer (e.g. platform-http) into a solr: producer can inject arbitrary Solr parameters - notably shards or stream.url to force the Solr server into attacker-chosen outbound requests (internal services, cloud metadata endpoints), or qt to reach admin handlers - and inject arbitrary indexed-document fields. Rated CVSS 9.1; there is no public exploit identified at time of analysis and EPSS is low (0.18%), but SSVC marks the flaw as automatable with total technical impact.

SSRF Microsoft Apache Camel
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-48204 CRITICAL PATCH Act Now

Unauthenticated NoSQL operation hijacking in Apache Camel's camel-mongodb-gridfs component (4.0.0-4.14.7, 4.15.0-4.18.2, 4.19.0-4.20.x) lets a remote HTTP client override the intended GridFS operation and inject MongoDB query documents. When a route bridges an HTTP consumer such as platform-http into a mongodb-gridfs: producer that has no explicit operation set (the default), the raw gridfs.operation, gridfs.objectid and gridfs.metadata headers pass through the HTTP header filter because they lack the Camel/camel prefix, allowing an attacker to turn an intended upload into remove, listAll, or findOne and to inject NoSQL operators. There is no public exploit identified at time of analysis and EPSS is low (0.16%), but CVSS is 9.8 and SSVC rates technical impact as total and automatable.

Microsoft Apache File Upload Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-46456 CRITICAL PATCH Act Now

Camel-internal control header injection in the Apache Camel AWS2-SQS component (camel-aws2-sqs) lets any principal holding sqs:SendMessage on a consumed SQS queue override downstream producer behaviour in a route. Because Sqs2HeaderFilterStrategy defined only an outbound filter and no inbound filter, DefaultHeaderFilterStrategy copied sender-supplied attributes such as CamelHttpUri, CamelFileName and CamelSqlQuery verbatim into the Exchange, so an attacker can redirect HTTP producers, rename files or override SQL queries. This is a design flaw with no public exploit identified at time of analysis; EPSS is low (0.16%, 6th percentile) and it is not on CISA KEV.

Microsoft Apache Information Disclosure Camel
NVD VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-48205 CRITICAL PATCH Act Now

Server-side request forgery in the Apache Camel camel-dns component lets any HTTP client control DNS lookups when a route bridges an HTTP consumer (e.g. platform-http) into a dns: producer. Because the dns.server, dns.name, dns.domain, dns.type, dns.class and term headers lack the Camel/camel prefix, HttpHeaderFilterStrategy does not strip them at the HTTP boundary, so an attacker can point the resolver at an attacker-controlled DNS server and enumerate internal hostnames. It affects Camel 4.0.0-4.14.7, 4.15.0-4.18.2 and 4.19.0-4.20.x; no public exploit identified at time of analysis, and EPSS is low (0.15%), but SSVC rates the flaw automatable with total technical impact.

SSRF Microsoft Apache Camel
NVD VulDB
CVSS 3.1
9.1
EPSS
0.2%
CVE-2026-49086 MEDIUM PATCH This Month

Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. No public exploit code or CISA KEV listing exists at time of analysis, but exploitation is mechanically straightforward for any publisher on the subscribed topic.

Microsoft Apache Authentication Bypass Camel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49097 MEDIUM PATCH This Month

Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. No public exploit code or CISA KEV listing exists at time of analysis, but the attack requires no credentials when the bridging HTTP consumer is unauthenticated, making it trivially reproducible against any qualifying deployment.

Microsoft Apache Information Disclosure Camel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14704 LOW POC Monitor

Cross-site scripting in stephen-kruger bluebox up to version 4.5.12 allows remote attackers to inject and execute arbitrary JavaScript in victims' browsers by manipulating the 'code' argument in an unspecified function. The attack requires user interaction (CVSS 4.0 UI:P), meaning a victim must be induced to click a crafted link or visit a malicious page. A public exploit exists via a GitHub issue report, though no CISA KEV listing confirms active widespread exploitation. The CVSS 4.0 score of 2.1 reflects the constrained integrity-only impact and passive user-interaction requirement.

XSS Bluebox
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-14691 LOW POC Monitor

Code injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote low-privileged attackers to execute arbitrary PHP code by manipulating the `content[]` argument passed to the `update_settings_info` function in `classes/SystemSettings.php`. A public proof-of-concept exploit has been disclosed on GitHub, and exploitation requires only a low-privileged authenticated session over the network. No CISA KEV listing exists, but the public exploit materially lowers the barrier for opportunistic attacks against any internet-exposed instance.

Code Injection PHP RCE Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14748 LOW POC Monitor

Server-side request forgery in the mcp-wiki/wiki-summary component of AIAnytime Awesome-MCP-Server (up to commit a884bb51) allows a remote, low-privileged attacker to manipulate the `url` argument in `mcp-wiki/src/mcp_wiki/server.py`, causing the server to issue arbitrary HTTP requests to internal or external resources on the attacker's behalf. Successful exploitation can expose internal services, cloud metadata endpoints, or other backend infrastructure inaccessible from the public internet. A publicly available exploit exists (POC confirmed via GitHub issue #35); this CVE is not currently listed in CISA KEV. The CVSS 4.0 score of 5.3 reflects a moderate severity with low-privilege authentication required and partial confidentiality, integrity, and availability impact.

SSRF Awesome Mcp Server
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14693 LOW POC Monitor

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows a low-privileged remote attacker to invoke the cancel_order function in classes/Master.php against orders they do not own, enabling unauthorized order cancellation and limited disruption of platform integrity. The vulnerability stems from CWE-285 (Improper Authorization) - the application fails to verify that the requesting user has authority over the targeted order resource. A proof-of-concept exploit has been publicly disclosed on GitHub, lowering the bar for exploitation; however, no confirmed active exploitation (CISA KEV) has been identified at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14716 LOW POC Monitor

Incorrect authorization in nextlevelbuilder GoClaw's WebSocket RPC Handler allows authenticated low-privilege remote attackers to bypass access controls on restricted methods. Affects all versions up to and including 3.13.0-beta.2. No public exploit identified as actively exploited (not in CISA KEV), but a publicly available proof-of-concept exists, lowering the barrier for exploitation against any exposed GoClaw deployment.

Authentication Bypass Goclaw
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14777 LOW POC Monitor

Unrestricted file upload in SourceCodester's "Onlne Examination & Learning Management System" 1.0 (note: product name contains a known typo per CVE data) exposes the /announcements.php endpoint to arbitrary file upload by low-privileged authenticated users. A publicly available proof-of-concept, referenced under the title 'OE-LMS-RCE-3-announcements.md', demonstrates that the flaw can be leveraged for remote code execution - a significantly more severe real-world impact than the low CIA metrics in the provided CVSS 4.0 score suggest. No active exploitation (CISA KEV) has been confirmed, but the combination of low-complexity exploitation, a network-accessible vector, and a public POC elevates practical risk well above the 5.3 base score.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14776 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 (a PHP-based web application whose product name contains a documented typo - 'Onlne' rather than 'Online') permits remote low-privileged authenticated users to upload arbitrary files, including PHP webshells, via the /upload_files.php endpoint by exploiting inadequate extension validation in the pathinfo() function. Publicly available exploit code exists on GitHub, with the exploit document explicitly titled to reference remote code execution against this specific upload handler. No vendor-released patch has been identified, and the vulnerability is not listed in the CISA KEV catalog, though the public exploit materially lowers the barrier to exploitation.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-14775 LOW POC Monitor

Unrestricted file upload in SourceCodester Onlne Examination & Learning Management System 1.0 allows network-accessible, low-privilege attackers to upload arbitrary file types - including executable PHP webshells - via the `user_id` parameter in `/process_lesson.php`, with the publicly available proof-of-concept explicitly framed as a remote code execution chain. No CISA KEV listing exists, but a working exploit is publicly available on GitHub under the title 'OE-LMS-RCE-1'. The assigned CVSS 4.0 score of 2.1 with low-impact metrics materially understates the realistic impact; CWE-434 in PHP environments routinely enables full server compromise when uploads land in web-executable directories.

PHP File Upload Onlne Examination Learning Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
Page 1 of 3 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy