Skip to main content
CVE-2026-14714 MEDIUM POC PATCH This Month

Missing authentication in CowAgent 2.1.0's /wx WeChat endpoint allows remote unauthenticated attackers to bypass server verification by supplying an empty or default wechatmp_token, causing the underlying HMAC signature check to silently degenerate into a predictable hash. The vendor confirms the flaw exists in verify_server() within channel/wechatmp/common.py, where no explicit non-empty token guard was enforced, making the endpoint fail open rather than closed. A public proof-of-concept exists (GitHub issue #2860), and the fix is available in version 2.1.1; no active exploitation has been confirmed by CISA KEV.

Authentication Bypass Chatgpt On Wechat Cowagent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14687 MEDIUM POC PATCH This Month

Partial string comparison in BettaFish's InsightEngine deduplication logic (versions up to 1.2.1) allows remote unauthenticated attackers to manipulate search-result deduplication by crafting inputs that exploit the flawed comparison in `_deduplicate_results` within `InsightEngine/agent.py`. The integrity impact is limited - attackers can cause duplicate or otherwise manipulated entries to persist in search output - but the attack requires no authentication and no user interaction, and a public proof-of-concept exploit exists. No active exploitation has been confirmed by CISA KEV; a fix pull request (PR #689) has been submitted but not yet merged.

Information Disclosure Bettafish
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14749 MEDIUM POC This Month

Remote PHP code injection in stumasy's calculator module allows unauthenticated network attackers to execute arbitrary server-side code by manipulating the `mathematical_sentence` parameter passed unsanitized into PHP's `eval()` function in calculate.php. A public proof-of-concept exploit exists (GitHub issue #5), and no patch has been released - the project maintainer has not responded to the disclosure. The rolling release model means no fixed version can be cited; the vulnerability is present through at least commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be.

Code Injection PHP RCE Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14722 MEDIUM POC This Month

Code injection in TidGi-Desktop up to version 0.13.0 allows remote attackers to execute arbitrary code through the application's Git Repository Import feature, specifically within the sub-wiki loading worker. The flaw resides in `src/services/wiki/wikiWorker/loadWikiTiddlersWithSubWikis.ts`, where externally-sourced Git repository content is processed without adequate code-injection safeguards (CWE-94). A public exploit has been disclosed and referenced via the GitHub security advisory GHSA-9hc2-hjx8-q6pv, though no CISA KEV listing exists at time of analysis.

Code Injection RCE Tidgi Desktop
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14719 MEDIUM POC This Month

Privilege escalation in SourceCodester's Onlne Examination & Learning Management System 1.0 (the product name itself contains a typo - 'Onlne' instead of 'Online') exposes an unauthenticated registration endpoint at register.php where the role parameter is not server-side validated, allowing any remote actor to self-assign elevated privileges at account creation. A publicly available exploit has been published on Pastebin, confirming the attack is trivially reproducible. No CISA KEV listing exists, but the CVSS 4.0 E:P modifier and Pastebin reference corroborate working exploit availability; no vendor patch has been identified at time of analysis.

Privilege Escalation PHP Onlne Examination Learning Management System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14690 MEDIUM POC This Month

Improper authorization in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows remote unauthenticated attackers to invoke the save_users function in classes/Users.php without valid authorization checks, enabling unauthorized user account creation or modification. The CVSS 4.0 vector confirms network-accessible, zero-privilege exploitation with low confidentiality, integrity, and availability impact on the vulnerable system. A public proof-of-concept exploit exists (GitHub), and no CISA KEV listing indicates active widespread exploitation has not been confirmed at time of analysis.

Authentication Bypass PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14688 MEDIUM POC This Month

SQL injection in itsourcecode Online Hotel Management System 1.0 exposes the admin login endpoint to remote unauthenticated exploitation via an unsanitized `email` parameter in `/admin/login.php`. A public proof-of-concept is available on GitHub (reflected in the CVSS 4.0 E:P metric), meaning exploitation requires minimal technical skill and is accessible to opportunistic attackers. No CISA KEV listing has been identified, but the zero-authentication barrier combined with available exploit code makes this a practical risk for any internet-exposed deployment.

SQLi PHP Online Hotel Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14771 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to manipulate the ID parameter of /edit_exam1.php to execute arbitrary SQL commands against the underlying database. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) confirms no authentication or special conditions are required, and the exploit has been publicly published on GitHub. Real-world impact is limited by the niche, educational-software footprint of this SourceCodester application, but any internet-exposed instance is trivially exploitable given the available POC.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14769 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/pay.php` endpoint to remote unauthenticated attackers who can manipulate the `Bankname` parameter to execute arbitrary SQL commands against the backend database. A public proof-of-concept exploit has been disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction remote reachability, though partial CIA impact scores indicate constrained blast radius rather than full database takeover; no public confirmation of active exploitation (CISA KEV) exists at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14764 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the backend database via the fdetails parameter in /admin/add_event.php. The flaw is reachable over the network with no authentication required per the CVSS 4.0 vector, enabling data extraction, modification, or disruption against the application's database. A public exploit has been disclosed on GitHub; no patch has been identified at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14763 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 allows remote attackers to manipulate the unsanitized `tour` parameter in /admin/tour_reserves.php, enabling arbitrary SQL query execution against the backend database. The CVSS 4.0 vector assigns PR:N (no privileges required), though the admin-panel endpoint raises questions about whether authentication is genuinely absent or misconfigured - a discrepancy worth verifying in deployments. A public proof-of-concept exploit has been published via GitHub, raising the practical risk despite the medium CVSS 4.0 score of 6.9 and absence of CISA KEV listing.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14756 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the reservation database to remote manipulation via the `delete_image` parameter in the admin Tour Management Page (`/admin/add_tour.php`). The CVSS 4.0 vector asserts no privileges required (PR:N), yet the vulnerable endpoint sits under an `/admin/` path - this conflict is unresolved in available data and defenders must verify whether the admin panel is publicly accessible without authentication. A public proof-of-concept is available on GitHub, elevating practical risk beyond the moderate base score, though no CISA KEV listing indicates confirmed widespread exploitation at time of analysis.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14755 MEDIUM POC This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the /admin/reservations.php endpoint to database manipulation via the unsanitized `delete` parameter. The vulnerability is reachable over the network with no confirmed complexity barriers, and a public proof-of-concept exploit has been disclosed. No vendor patch has been identified, leaving all deployments of version 1.0 exposed to database read, write, and potential full compromise of hosted reservation data.

SQLi PHP Hotel And Tourism Reservation
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14750 MEDIUM POC This Month

SQL injection in stumasy's Notes_controller grants remote unauthenticated attackers the ability to manipulate database queries through the unsanitized Password argument in the accessing_dictionary_authorization function. The affected codebase is an obscure PHP application maintained by mjperpinosa, pinned to commit 327d1b0f2915ba79d7ef8ebb74553e987609d9be as the last known vulnerable state. Publicly available exploit code exists via a GitHub issue report, and the project maintainer has not responded to disclosure, leaving no vendor-released patch at time of analysis.

SQLi PHP Stumasy
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14746 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the backend database via the `amen` parameter in `/addprojectrent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial, unauthenticated network exploitation with no attack preconditions. A publicly available proof-of-concept exploit has been disclosed via GitHub, elevating the realistic threat beyond theoretical; however, this CVE is not currently listed in the CISA KEV catalog, and the product's limited enterprise footprint constrains broad impact.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14745 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 allows remote unauthenticated attackers to manipulate the `id` parameter of `/single-list_rent.php` to read, modify, or corrupt backend database contents. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-friction unauthenticated network exploitation against a standard installation. A public proof-of-concept exploit is available on GitHub (E:P confirmed in CVSS 4.0 supplemental metrics), raising realistic risk of opportunistic automated attacks against any internet-exposed instance; no CISA KEV listing and no patch are confirmed at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14744 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes unauthenticated remote attackers a direct path to manipulate the backend database via the `loc` parameter in `/normalHomeRent.php`. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication, no user interaction, and no special configuration are required against default deployments. A public proof-of-concept exploit has been released on GitHub, materially increasing opportunistic exploitation risk despite the moderate aggregate score; no CISA KEV listing has been identified at time of analysis.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14743 MEDIUM POC This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/normalHomeSale.php` endpoint to unauthenticated remote database manipulation via the unsanitized `loc` parameter. Any internet-accessible deployment of this PHP real estate application is vulnerable to data extraction or modification without credentials. A public proof-of-concept exploit is available on GitHub, lowering the skill barrier for opportunistic attackers; however, no CISA KEV listing has been issued and no patch has been identified from the vendor.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14713 MEDIUM POC This Month

SQL injection in SourceCodester Pizzafy E-Commerce System 1.0 exposes the application to unauthenticated remote database compromise via the `id` parameter in `/admin/ajax.php?action=confirm_order`. The CVSS 4.0 vector (PR:N) indicates the vulnerable admin endpoint is reachable without authentication, compounding the severity of the unsanitized input. A publicly available exploit exists on GitHub, though the product is not listed in the CISA KEV catalog and has a very limited production deployment footprint.

SQLi PHP Pizzafy E Commerce System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14705 MEDIUM POC This Month

SQL injection in code-projects Online Examination 1.0 exposes the login endpoint to unauthenticated remote attackers via the uname and password parameters in head.php. Manipulation of either parameter enables classic SQL injection, allowing database enumeration, authentication bypass, and potential data manipulation against any deployed instance. A public proof-of-concept exploit is available on GitHub (no public exploit identified as KEV), making weaponization trivial for low-skill attackers targeting this application.

SQLi PHP Online Examination
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14700 MEDIUM POC This Month

SQL injection in code-projects Internship Management System 1.0 permits unauthenticated remote attackers to manipulate the email and password parameters of employer/login.php, altering backend SQL query logic to bypass authentication or partially expose database contents. A proof-of-concept exploit has been publicly disclosed on GitHub, materially lowering the skill threshold for exploitation. The CVSS 4.0 score of 6.9 with PR:N and no attack complexity reflects straightforward unauthenticated access, though impact is bounded at Low across confidentiality, integrity, and availability - suggesting partial rather than full database compromise.

SQLi PHP Internship Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14695 MEDIUM POC This Month

SQL injection in SourceCodester Multi-Vendor Online Grocery Management System 1.0 allows unauthenticated remote attackers to manipulate backend database queries via the Name argument in the save_client function of the registration handler. The vulnerability resides in classes/Users.php and is exploitable without any prior authentication, as it targets the public-facing user registration flow. A public proof-of-concept exploit has been published on GitHub, and no KEV listing exists, though the low-friction exploitation path and public PoC elevate urgency for any live deployment of this software.

SQLi PHP Multi Vendor Online Grocery Management System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14737 MEDIUM POC This Month

SQL injection in Hanwang e-Face General Management Platform 6.3.5.4 exposes the /sysAuthStr/querySysAuthStr.do endpoint to unauthenticated remote database manipulation via the unsanitized `order` parameter. The endpoint handles system authorization strings, meaning successful exploitation likely targets credential or access-control records - a high-sensitivity data class despite the vendor-assigned Low impact ratings. A public proof-of-concept is documented via VulDB (no CISA KEV listing at time of analysis); no EPSS score was provided in the source intelligence.

SQLi E Face General Management Platform
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14747 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the application's database to remote unauthenticated manipulation via the `amen` parameter in `/addprojectsale.php`. Any attacker with network access to the PHP web application can craft a malicious HTTP request to read, modify, or partially disrupt the underlying database without authentication. No active exploitation is confirmed in CISA KEV, but a GitHub issue filed under the researcher's CVE repository suggests reproduction steps or proof-of-concept detail is publicly accessible.

SQLi PHP Real State Services
NVD VulDB GitHub
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-49086 MEDIUM PATCH This Month

Routing header injection in Apache Camel's camel-dapr component allows any actor with publish access to a subscribed Dapr Pub/Sub topic to redirect or exfiltrate re-published messages to an arbitrary Dapr Pub/Sub component and topic. The flaw exists in routes that both consume and republish via Dapr - specifically, DaprPubSubConsumer blindly copies attacker-controlled CloudEvent fields (pub/sub-name and topic) into producer-direction routing headers (CamelDaprPubSubName and CamelDaprTopic), which DaprConfigurationOptionsProxy then prefers over the route's configured endpoint destination. No public exploit code or CISA KEV listing exists at time of analysis, but exploitation is mechanically straightforward for any publisher on the subscribed topic.

Microsoft Apache Authentication Bypass Camel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-49097 MEDIUM PATCH This Month

Header injection in Apache Camel's camel-irc component enables unauthenticated HTTP clients to redirect outgoing IRC messages to attacker-chosen channels or users by supplying non-Camel-prefixed headers (e.g., irc.sendTo) that Camel's HttpHeaderFilterStrategy fails to block. Affected versions span 4.0.0-4.14.7, 4.15.0-4.18.2, and 4.19.0-4.20.x; fixes are available in 4.14.8, 4.18.3, and 4.21.0. No public exploit code or CISA KEV listing exists at time of analysis, but the attack requires no credentials when the bridging HTTP consumer is unauthenticated, making it trivially reproducible against any qualifying deployment.

Microsoft Apache Information Disclosure Camel
NVD VulDB
CVSS 3.1
6.5
EPSS
0.2%
CVE-2026-14736 MEDIUM This Month

Unrestricted file upload in Ruijie RG-UAC unified access controller appliances (all versions through 1.0-R1.8.2.p5) allows unauthenticated remote attackers to upload arbitrary files via the upload_image parameter in user_auth_commit.php. The combination of an authentication bypass (CWE-284) and unrestricted file type acceptance creates a pathway to persistent server-side code execution if uploaded content reaches an executable web path. A public proof-of-concept exploit exists, elevating the urgency of remediation despite the absence of a CISA KEV listing.

Authentication Bypass File Upload PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-14735 MEDIUM This Month

SQL injection in code-projects Smart Parking System 1.0 exposes the `/parkings/parkings.php` endpoint to remote unauthenticated exploitation via unsanitized `street`, `city`, and `status` parameters. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms zero-barrier network access with no authentication or user interaction required. A public proof-of-concept has been disclosed via a Medium article specifically documenting escalation from SQL injection to arbitrary file read, materially increasing real-world risk beyond the moderate base score of 5.5.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14734 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to remote, unauthenticated attackers through the unsanitized ID parameter in /edit_product.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms trivial remote access with no prerequisites, yielding low-rated but real confidentiality, integrity, and availability impact against the underlying database. No public exploit identified at time of analysis is contradicted by the description and E:P supplemental metric - a public exploit exists, elevating the practical risk above what the 5.5 base score alone suggests for any internet-exposed instance.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-14753 MEDIUM This Month

Authorization bypass in stumasy, a PHP-based student management system, exposes the Note Handler and Assignment Handler endpoints at /PHP/objects/notes to unauthenticated remote exploitation by manipulating the assignment_item_id parameter. The flaw (CWE-285: Improper Authorization) allows an attacker to read, modify, or otherwise interact with notes and assignment records belonging to other users without possessing the required authorization. Public exploit code exists per the CVSS 4.0 E:P threat metric, and the project maintainer has not responded to the disclosure, meaning no patch is available at time of analysis.

Authentication Bypass PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14772 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the /edit_course1.php endpoint to remote, unauthenticated database manipulation via an unsanitized ID parameter. The CVSS 4.0 vector (PR:N, AV:N, AC:L) confirms no authentication is required and the attack is trivially executable over the network. Exploit code has been publicly disclosed per VulDB submission and a GitHub issue report, with the E:P modifier in the CVSS 4.0 vector corroborating proof-of-concept availability - though no CISA KEV listing indicates confirmed active exploitation at time of analysis.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14770 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers via the unsanitized ID parameter in /edit_room.php. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no authentication or special conditions are required, and the E:P supplemental metric confirms public exploit code exists. An attacker can read, modify, or partially disrupt the underlying database without any prior access to the application.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14768 MEDIUM This Month

SQL injection in code-projects Real State Services 1.0 exposes the `/builderHome.php` endpoint to unauthenticated remote attackers who can manipulate database queries via the unsanitized `loc` parameter. A public proof-of-concept exploit exists (referenced via GitHub), lowering the exploitation barrier to script-kiddie level. No KEV listing exists, and the product's limited real-world deployment constrains overall population risk despite the trivial attack conditions.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14762 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the backend database through the Room Management Page at /admin/rooms.php, where the `delete` parameter is passed unsanitized into SQL queries. Remote attackers can exploit this to read, modify, or potentially delete database records. Publicly available exploit code exists per the GitHub advisory by anubhavv106, raising the operational risk despite the moderate CVSS 4.0 score of 5.5 and absence of a CISA KEV listing.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14754 MEDIUM This Month

SQL injection in code-projects Hotel and Tourism Reservation 1.0 exposes the admin panel endpoint /admin/add_room.php to database manipulation via multiple unsanitized parameters. A proof-of-concept exploit has been publicly documented in a Medium article, lowering the barrier for opportunistic exploitation. The CVSS 4.0 vector rates this as network-reachable with no authentication required (PR:N), though this conflicts with the admin-panel location of the endpoint - a discrepancy that should be verified, as exploitation scope depends entirely on whether the admin interface enforces access controls.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14733 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database to unauthenticated remote attackers through the unsanitized 'ID' parameter in /edit_coursea.php. The CVSS 4.0 E:P modifier and the CVE description both confirm that public exploit code exists, lowering the bar for opportunistic exploitation. Impact is assessed as limited across confidentiality, integrity, and availability (all Low), but the absence of authentication requirements makes this accessible to any network-reachable attacker.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-14732 MEDIUM This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the application's database through the unsanitized ID parameter in /edit_exam.php, reachable by unauthenticated remote attackers. The exploit has been publicly disclosed (CVSS 4.0 E:P), allowing any actor with network access to enumerate, read, or manipulate database contents. No KEV listing is present; exploitation appears opportunistic rather than targeted, consistent with the niche deployment footprint of this product.

SQLi PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-10657 MEDIUM PATCH This Month

Out-of-bounds read in Zephyr RTOS's mDNS detection logic crashes devices resolving short-suffix hostnames when CONFIG_MDNS_RESOLVER is compiled in. The flaw in dns_resolve_name_internal() reads a fixed 7 bytes from a suffix pointer regardless of the actual string length, causing a 1-2 byte over-read past the NUL terminator for suffixes like .org, .com, .net, or .io. Under the specific runtime condition of a tightly-sized allocation adjacent to an unmapped boundary (guard page, MPU domain, or ASAN), the over-read faults and crashes the device; no public exploit has been identified at time of analysis and CVSS 3.7 with AC:H accurately reflects the narrow crash preconditions.

Denial Of Service Buffer Overflow Information Disclosure Zephyr
NVD GitHub VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-59519 MEDIUM This Month

Sensitive data exposure in Softaculous FormLayer WordPress plugin through version 1.0.6 allows remote unauthenticated attackers to retrieve embedded sensitive information from data transmitted by the plugin. The root cause (CWE-201) indicates the plugin inserts sensitive content - potentially API keys, tokens, or internal configuration - into outbound data visible to requesting clients. No public exploit code and no active exploitation have been identified at time of analysis, though the CVSS vector (AV:N/AC:L/PR:N/UI:N) confirms trivial remote accessibility.

Information Disclosure Formlayer
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-59511 MEDIUM This Month

Sensitive data exposure in Exclusive Addons Elementor (WordPress plugin by Tim Strifler) through version 2.7.9.9 enables unauthenticated remote attackers to retrieve sensitive information embedded within HTTP responses. The CWE-201 root cause indicates the plugin incorrectly includes sensitive data in outbound responses accessible to any network client without authentication, as confirmed by the CVSS vector (PR:N/UI:N). No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, though the network-accessible, zero-prerequisite attack surface warrants prompt patching on internet-facing WordPress installations.

Information Disclosure Exclusive Addons Elementor
NVD
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49099 MEDIUM PATCH This Month

Header injection in Apache Camel's camel-salesforce component allows any HTTP client to override SOQL queries, SOSL searches, Salesforce object targets, and Apex REST endpoints by setting non-Camel-prefixed Exchange headers that the framework's HttpHeaderFilterStrategy fails to block. Routes that bridge an HTTP consumer (such as platform-http) into a salesforce: producer are the attack surface; when that HTTP consumer is unauthenticated, exploitation requires zero attacker credentials. All injected operations execute under the configured Salesforce integration user's permissions, which are typically broad, enabling unauthorized data exfiltration or destructive CRUD and Apex calls across the organization's Salesforce instance. No public exploit has been identified and the vulnerability is not listed in the CISA KEV catalog at time of analysis.

Authentication Bypass Microsoft Apache Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49098 MEDIUM PATCH This Month

Header injection in Apache Camel's camel-kafka component allows HTTP clients to redirect Kafka messages to arbitrary topics in routes that bridge an HTTP consumer into a Kafka producer. The kafka.OVERRIDE_TOPIC, kafka.OVERRIDE_TIMESTAMP, and kafka.PARTITION_KEY Exchange header constants used non-CamelKafka-prefixed names, causing them to bypass HttpHeaderFilterStrategy - which blocks only the Camel/camel namespace - while remaining readable by KafkaProducer.evaluateTopic() as authoritative control directives. No public exploit code has been identified and no CISA KEV listing exists at time of analysis, but when the HTTP ingress is unauthenticated the attack requires only a standard HTTP client and a known Kafka topic name.

Microsoft Apache Information Disclosure Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-48206 MEDIUM PATCH This Month

Authorization bypass in Apache Camel's camel-jira component (versions 4.0.0 through pre-4.21.0) allows unauthenticated HTTP clients - in routes that bridge an HTTP consumer to a jira: producer - to drive arbitrary JIRA issue operations using the endpoint's configured service-account credentials, including deleting or transitioning issues, creating issues in unauthorized projects, modifying fields, and manipulating watchers. The root cause is that JIRA control header constants (IssueKey, ProjectKey, IssueTransitionId, linkType, and others) use non-Camel-prefixed string values, bypassing the HttpHeaderFilterStrategy which only guards the 'Camel/'/'camel' header namespace at the HTTP boundary. Fixes are confirmed in 4.14.8, 4.18.3, and 4.21.0; no public exploit has been identified at time of analysis, and this vulnerability is not listed in CISA KEV.

Atlassian Microsoft Apache Authentication Bypass Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-56139 MEDIUM PATCH This Month

Information disclosure in Apache Camel's camel-undertow HTTP server consumer (versions 4.0.0 through 4.21.0) exposes complete Java stack traces to unauthenticated HTTP clients whenever a route processing exception occurs, due to a misconfigured default and a code-level bypass. Unlike every other Camel HTTP server component (camel-http, camel-jetty, camel-servlet, camel-platform-http), all of which default muteException to true, camel-undertow defaulted this option to false - and for Rest DSL consumers the option was silently ignored entirely due to a hard-coded false in RestUndertowHttpBinding, meaning muteException=true gave false confidence without actual protection. No public exploit has been identified at time of analysis; however exploitation requires only the ability to send a malformed HTTP request to a reachable endpoint, making this trivially accessible to any network-level attacker.

Apache Java Information Disclosure Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-49365 MEDIUM PATCH This Month

Stack trace disclosure in Apache Camel's camel-netty-http component (versions 4.0.0-4.21.0 across three release streams) exposes full Java Throwable stack traces to unauthenticated HTTP clients whenever a route processing error occurs under the default configuration. The root cause is an insecure default: the muteException option backed by an uninitialized Java primitive boolean defaulted to false in camel-netty-http while all other Camel HTTP server components (camel-http, camel-jetty, camel-servlet, camel-platform-http) correctly default it to true. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in the CISA KEV catalog, but the low-effort triggering condition - any malformed request that causes a route exception - makes opportunistic enumeration straightforward against exposed endpoints.

Apache Java Information Disclosure Camel
NVD VulDB
CVSS 3.1
5.3
EPSS
0.2%
CVE-2026-14781 MEDIUM This Month

Keycloak's OIDC broker incorrectly applies the email_verified claim from the id_token to whichever email address is returned by the userinfo endpoint, even when those two sources disagree. An attacker who controls or compromises an upstream OIDC identity provider can exploit this desynchronization - configured with trustEmail=true - to mark an arbitrary, attacker-chosen email address as verified in Keycloak's database. The practical consequence is bypassing email verification workflows or triggering account linkage/takeover in applications that trust the email_verified flag from Keycloak for identity decisions. No public exploit code exists and no CISA KEV listing applies at time of analysis.

Authentication Bypass Red Hat Build Of Keycloak Red Hat Data Grid 8 Red Hat Jboss Enterprise Application Platform Expansion Pack Red Hat Single Sign On 7 +1
NVD VulDB
CVSS 3.1
4.8
EPSS
0.2%
CVE-2026-14699 MEDIUM PATCH This Month

Symlink following in zcaceres markdownify-mcp up to version 1.1.0 allows a local low-privilege user to read files outside the intended directory boundary by exploiting insufficient path resolution in the `assertPathAllowed` function of `src/Markdownify.ts`. The function evaluates the user-supplied symbolic path rather than its canonicalized target, enabling an attacker to bypass the path restriction check and disclose arbitrary local files. No public exploit code exists at time of analysis, the vulnerability is not listed in CISA KEV, and a fix is pending as an unmerged pull request.

Information Disclosure Markdownify Mcp
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-14723 MEDIUM PATCH This Month

Unsafe deserialization in AD-Security AD_Miner 1.9.0 allows a local low-privilege attacker to achieve code execution by supplying a crafted serialized payload as the sys.argv[1] argument to the Cache Handler's request_a function in analyse_cache.py. The attack is strictly local with no network exposure, and impacts confidentiality, integrity, and availability at a low level within the vulnerable process. No public exploit has been identified; an upstream fix exists as GitHub PR #239 but awaits acceptance, meaning no released patched version is currently available.

Deserialization Ad Miner
NVD VulDB GitHub
CVSS 4.0
4.8
EPSS
0.1%
CVE-2026-10656 MEDIUM PATCH This Month

NULL pointer dereference in the Zephyr RTOS MAX32xxx USB device controller driver (udc_max32.c) crashes devices running Zephyr v4.4.0 when a physically connected USB host aborts an in-flight EP0 control transfer by sending a new SETUP packet - a completely legal USB protocol action. The race condition between interrupt-queued transfer-completion events and asynchronous FIFO draining by the driver thread causes net_buf_add(NULL, ...) when udc_buf_get() returns NULL on an empty FIFO, producing a near-NULL pointer dereference and device fault. No active exploitation has been confirmed (not in CISA KEV), and no public proof-of-concept code has been identified at time of analysis; real-world risk is constrained by the physical access prerequisite and the specific MAX32xxx hardware dependency.

Denial Of Service Null Pointer Dereference Zephyr
NVD GitHub VulDB
CVSS 3.1
4.6
EPSS
0.2%
CVE-2026-59520 MEDIUM This Month

Cross-Site Request Forgery in the CrawlWP SEO WordPress plugin (versions through 3.0.16) allows an unauthenticated attacker to perform unauthorized state-changing actions on behalf of an authenticated site administrator. Exploitation requires social engineering - a logged-in admin must be tricked into visiting a malicious page that silently submits a forged request. The integrity impact is low, limited to unauthorized configuration changes within the plugin's functionality. No public exploit code or active exploitation has been identified at time of analysis, consistent with the vulnerability's low CVSS base score of 4.3.

CSRF Crawlwp Seo
NVD
CVSS 3.1
4.3
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy