Skip to main content
CVE-2026-15191 LOW POC Monitor

Authorization bypass in mettle Sendportal up to version 3.0.1 permits authenticated remote users to circumvent object-level access controls at the Campaign Creation Endpoint, potentially allowing cross-tenant campaign manipulation. The root cause is CWE-639 (Authorization Bypass Through User-Controlled Key), a class of IDOR flaw where the server trusts a user-supplied identifier to gate resource access without re-verifying ownership. A publicly available exploit exists via GitHub issue #339, and the vendor has not responded to responsible disclosure; no patch is available at time of analysis.

Authentication Bypass PHP Sendportal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15188 LOW POC Monitor

Improper access control in manjurulhoque's django-job-portal allows authenticated remote attackers to manipulate the `role` argument via the `EditEmployeeProfileAPIView` endpoint, enabling unauthorized privilege escalation within the Employee Dashboard. All commits up to dfa352f305bba44445ac5dc12e9b2a98c9dcd71f are affected under a rolling release model with no fixed version available. A publicly available proof-of-concept exploit exists via GitHub issue #91; the project maintainer has not responded to disclosure and no patch has been released.

Authentication Bypass Python Django Job Portal
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15187 LOW POC Monitor

Prototype pollution in the enquirer npm package (versions up to 2.4.1) allows remote authenticated attackers to manipulate JavaScript Object.prototype attributes by injecting a crafted value into the question.name argument of the Enquirer.set() function. The vulnerability carries a low CVSS 4.0 score of 2.1, reflecting limited integrity-only impact scoped to the vulnerable system with no confidentiality or availability consequence. Publicly available exploit code exists via GitHub issue #487, though no active exploitation has been confirmed in CISA KEV.

Information Disclosure Prototype Pollution Enquirer
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15311 LOW POC PATCH Monitor

Cross-site scripting in NousResearch hermes-agent (all versions through 2026.5.29.2) stems from unsanitized markdown-to-HTML conversion in the Matrix Adapter component, allowing an authenticated remote attacker to inject malicious scripts into Matrix platform messages. When a victim views the crafted content, the injected script executes in their browser context. Publicly available exploit code exists (GitHub issue #42667), though no public exploit identified at time of analysis maps to confirmed active exploitation - the CVSS 4.0 score of 2.0 reflects the low severity, limited scope, and required victim interaction.

XSS Hermes Agent
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15185 LOW POC PATCH Monitor

Out-of-bounds read in GPAC MP4Box version 26.03-DEV allows local low-privileged attackers to cause a low-severity availability impact by supplying a crafted input that manipulates the `num_langs` argument in the `vobsub_read_idx` function of `vobsub.c`. A proof-of-concept exploit has been publicly disclosed via GitHub issue #3611 and the CVSS 4.0 E:P modifier confirms its availability. Two upstream commits have been applied to address the flaw, though no standalone patched release version has been independently confirmed.

Buffer Overflow Information Disclosure Gpac
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15184 LOW POC PATCH Monitor

Null pointer dereference in GNU LibreDWG up to 0.13.4 allows a local low-privileged attacker to crash any application that processes a maliciously crafted DWG file via the `dwg_next_entity` function in `src/dwg.c`, resulting in denial of service. A proof-of-concept exploit file is publicly available (CVSS 4.0 E:P), though no active exploitation is confirmed in CISA KEV. The issue is fully resolved by upgrading to version 0.14, which includes a committed upstream patch.

Denial Of Service Null Pointer Dereference Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15182 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG up to version 0.13.4 allows local low-privileged attackers to corrupt heap memory via a specially crafted DWG file containing malicious BMP image data processed by the dwg_bmp function in src/dwg.c. A public proof-of-concept exploit (a crafted R13/R2000 .dwg file) has been disclosed on GitHub, raising the urgency for affected deployments that process untrusted DWG input. No confirmed active exploitation (CISA KEV) has been recorded, and a vendor-released patch in version 0.14 fully resolves the issue.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-59269 LOW Monitor

Privilege escalation in VMware Pinniped's Kubernetes authentication layer allows an attacker who already controls Active Directory group distinguished names to gain elevated Kubernetes RBAC permissions beyond their legitimate entitlements. The flaw affects Pinniped v0.11.0 through v0.46.0 when the Supervisor is configured with an ActiveDirectoryIdentityProvider and a specific empty groupName attribute, and only when an attacker simultaneously holds write access to AD group entries and valid AD user credentials. No public exploit code exists and this is not listed in CISA KEV; the vendor CVSS score of 3.8 (Low) reflects the highly constrained exploitation prerequisites.

Kubernetes Information Disclosure Pinniped
NVD GitHub
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-59215 LOW PATCH Monitor

Cross-channel thread context disclosure in Open WebUI prior to 0.10.0 allows authenticated low-privilege users to reference messages from private or DM channels they do not have access to, leaking thread content across channel boundaries. The root cause is a missing channel-binding validation on the parent_id parameter in thread reply handling - the server does not verify that the referenced parent message belongs to the channel specified in the URL. No public exploit or active exploitation has been identified; this is a low-severity, high-complexity authorization bypass with confirmed vendor fix in v0.10.0.

Authentication Bypass Open Webui
NVD GitHub VulDB
CVSS 3.1
3.1
EPSS
0.3%
CVE-2026-0282 LOW PATCH Monitor

Unauthenticated file deletion in Palo Alto Networks PAN-OS allows network-reachable attackers to delete files from a temporary directory via the management web interface, affecting PA-Series and VM-Series firewalls and Panorama appliances. Real-world risk is substantially bounded by the vendor's documented best-practice guidance to restrict management interface access to trusted internal IP addresses, which eliminates external attack surface. No public exploit code has been identified, CISA KEV listing is absent, and the vendor-provided CVSS 4.0 score of 2.7 with an E:U supplemental metric reflects no known active exploitation.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
2.7
EPSS
0.4%
CVE-2026-0281 LOW PATCH Monitor

Web session token theft from PAN-OS management interfaces affects PA-Series and VM-Series firewalls and Panorama deployments, enabling a network-adjacent unauthenticated attacker to hijack authenticated administrator sessions. Exploitation depends on a legitimate management user clicking an attacker-crafted malicious link while an active session exists - a social engineering prerequisite that substantially reduces real-world risk. No public exploit code exists (CVSS 4.0 E:U) and the issue is not listed in CISA KEV; the vendor rates overall CVSS 4.0 severity at 2.1, reflecting these mitigating factors.

Information Disclosure Paloalto Pan Os
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-15138 LOW Monitor

Path traversal in tumf mcp-text-editor up to version 1.0.2 allows remote attackers to read, write, or delete files outside the intended directory by supplying manipulated file path arguments to the `_validate_file_path` function in `mcp_text_editor/text_editor.py`. A public exploit has been disclosed (confirmed by VulDB and reflected in the CVSS 4.0 E:P modifier), and the vendor has closed the tracking GitHub issue without explanation, leaving the vulnerability unpatched. The CVSS 4.0 base score of 2.1 reflects limited confidentiality, integrity, and availability impact alongside a required user interaction step.

Path Traversal
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15202 LOW Monitor

Cross-site scripting in YzmCMS through version 7.5 allows unauthenticated remote attackers to inject and execute arbitrary JavaScript by manipulating the HTTP Host header processed by the `get_url` function in `/yzmphp/yzmphp.php`. The Header Handler component reflects the attacker-controlled `HTTP_HOST` value into generated page output without sanitization, enabling payload execution in a victim's browser upon page visit. A public proof-of-concept exploit has been disclosed; no patch exists and the vendor did not respond to coordinated disclosure, leaving all deployments at or below v7.5 exposed.

XSS PHP
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15195 LOW Monitor

Prototype pollution in apidevtools json-schema-ref-parser up to v15.3.5 allows low-privileged remote attackers to modify Object prototype attributes via crafted input to the Refs.set/Pointer.set functions in lib/pointer.ts. The vulnerability is tagged RCE and Code Injection, reflecting the theoretical worst-case of prototype pollution in Node.js environments where polluted properties propagate to dangerous sinks; however, the CVSS 4.0 score of 2.1 with limited (L/L/L) impact ratings suggests the direct, exploitable impact is constrained. A proof-of-concept exists (CVSS 4.0 E:P) but no confirmed active exploitation has been recorded in CISA KEV.

Code Injection RCE
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15186 LOW Monitor

Resource identifier manipulation in macrozheng mall up to 1.0.3 allows authenticated remote attackers to access or affect return-application records belonging to other users by substituting arbitrary orderId values in POST requests to /returnApply/create. The flaw is classified as CWE-99 (Improper Control of Resource Identifiers), consistent with an Insecure Direct Object Reference (IDOR) pattern in the Portal Endpoint. A public exploit is available, and the vendor deleted the corresponding GitHub issue without comment, raising concerns about coordinated disclosure and patch status.

Information Disclosure Mall
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-0275 LOW PATCH Monitor

Privilege escalation in Palo Alto Networks Prisma® Browser on macOS enables a locally authenticated administrator with access to the local filesystem to perform actions at root privilege level. The vulnerability is scoped exclusively to macOS deployments of Prisma Browser - no other platforms or Palo Alto products are implicated per the advisory. No public exploit identified at time of analysis; the CVSS 4.0 base score of 2.0 reflects the substantial exploitation prerequisites that materially constrain real-world risk despite the full-system impact potential at root level.

Privilege Escalation Apple Paloalto Prisma Browser
NVD
CVSS 4.0
2.0
EPSS
0.1%
CVE-2026-15276 LOW Monitor

Denial of service in pdeljanov Symphonia up to version 0.6.0 can be triggered locally by a low-privileged attacker who supplies a crafted audio file to the Metadata Handler component, causing improper resource release and application unavailability. The root cause is CWE-404 (Improper Resource Shutdown or Release) within the metadata parsing subsystem, with no impact on confidentiality or data integrity. A proof-of-concept exploit has been published; however, no patched release exists as the upstream fix (PR #514) remains unmerged at time of analysis.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15274 LOW Monitor

Denial-of-service in fbxcel up to 0.9.0 allows a local, low-privileged attacker to crash any application embedding this Rust FBX-parsing library by supplying a crafted FBX file that triggers improper resource handling in the v7400 Node Header Handler. Impact is limited to availability with no confidentiality or integrity consequence, consistent with the CVSS 4.0 base score of 1.9. A public proof-of-concept exists (CVSS 4.0 E:P), though exploitation is constrained entirely to local access paths; no KEV listing or active exploitation has been reported.

Denial Of Service
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15194 LOW Monitor

Use-after-free in Open5GS 2.7.7's AMF component allows a local low-privileged user to access freed memory within the `amf_context_final` function in `src/amf/context.c`, producing a low-severity confidentiality exposure. Exploitation is strictly local - no network vector exists - and a public proof-of-concept is confirmed by the CVSS 4.0 E:P supplemental modifier. This vulnerability is not listed in the CISA KEV catalog and carries a CVSS 4.0 base score of 1.9, reflecting its constrained real-world impact on what is a niche, telecom-research-oriented software stack.

Denial Of Service Buffer Overflow
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15193 LOW Monitor

OS command injection in the Android WebView JavaScript bridge of openclaw-android (versions up to 0.4.0) permits a local, low-privileged attacker to execute arbitrary OS commands through the `JsBridge.kt` component. Exploitation is constrained to local device access, limiting real-world blast radius, but a publicly disclosed proof-of-concept exists per the CVSS 4.0 E:P supplemental metric. No patch has been released - a remediation pull request (#137) is pending acceptance, leaving all users on version 0.4.0 or earlier exposed.

Command Injection Java Google
NVD GitHub VulDB
CVSS 4.0
1.9
EPSS
0.7%
CVE-2026-0280 LOW PATCH Monitor

Security policy bypass in Palo Alto Networks PAN-OS exposes protected services behind the firewall to traffic that should be blocked, exploitable by unauthenticated remote attackers via crafted IPv6 packets targeting the dataplane. The CVSS 4.0 score of 1.7 reflects that direct impact on the firewall itself is nil (VC:N/VI:N/VA:N), with only low-severity downstream effect on subsequent systems (SC:L/SI:L), and specific attack conditions must be present (AT:P). No public exploit code exists and no active exploitation has been reported (E:U), though the automatable flag (AU:Y) indicates the attack could in principle be scripted once conditions are met.

Authentication Bypass Paloalto Pan Os
NVD VulDB
CVSS 4.0
1.7
EPSS
0.5%
CVE-2026-0279 LOW PATCH Monitor

Multiple stored and reflected cross-site scripting vulnerabilities in PAN-OS expose the User-ID Authentication Portal (Captive Portal), GlobalProtect gateway/portal, and Clientless VPN web interfaces to unauthenticated attackers who can inject and execute arbitrary JavaScript in victim browsers. Affected deployments span PA-Series and VM-Series firewalls and Panorama management platforms; Cloud NGFW is explicitly not affected. No public exploit code exists (CVSS 4.0 E:U), and the vendor states risk is substantially reduced - potentially minimized - when portal and management access is restricted to trusted internal IP ranges per Palo Alto's recommended hardening guidelines.

XSS Paloalto Pan Os
NVD VulDB
CVSS 4.0
1.3
EPSS
1.2%
CVE-2026-0276 LOW PATCH Monitor

Privilege escalation in Palo Alto Networks Cortex XDR Broker VM permits locally authenticated users to perform operations as the root user within the appliance. The vulnerability is constrained to the Broker VM itself - the CVSS 4.0 vector (SC:N/SI:N/SA:N) confirms no scope change to subsequent or adjacent systems, limiting the blast radius to the VM appliance. No public exploit exists (E:U) and no CISA KEV listing is present; the vendor-assigned CVSS 4.0 score of 1.1 reflects this low-urgency posture.

Privilege Escalation Paloalto Cortex Xdr Broker Vm
NVD VulDB
CVSS 4.0
1.1
EPSS
0.1%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy