Skip to main content
CVE-2026-15481 HIGH POC This Week

Command injection in the TRENDnet TEW-635BRM wireless router (firmware through 1.00.03) lets an authenticated remote attacker inject OS commands via the ipoa_ipaddr argument handled by the ipoa_test function in /sbin/rc during IPoA WAN connection setup. Publicly available exploit code exists (published via VulDB and a researcher write-up), and because the device runs its control logic as a privileged system process, successful injection yields full command execution on the router. The product has been end-of-life since 2011 and the vendor will not issue a fix, so exposure is permanent for still-deployed units; there is no CISA KEV listing or confirmation of active exploitation.

Command Injection Tew 635Brm
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15480 HIGH POC This Week

Stack-based buffer overflow in the TRENDnet TEW-635BRM wireless router (firmware up to 1.00.03) lets an authenticated remote attacker overflow a fixed-size stack buffer through the device_name argument handled by the start_httpd function in /sbin/rc, potentially achieving arbitrary code execution on the device. Publicly available exploit code exists (VulDB), though it is not listed in CISA KEV, so there is no public exploit identified as actively exploited at time of analysis. The device has been end-of-life since 2011 and the vendor declined to confirm the flaw, meaning no fix will be issued.

Buffer Overflow Stack Overflow Tew 635Brm
NVD VulDB GitHub
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15506 HIGH POC This Week

Local privilege escalation in SecureAge CatchPulse endpoint protection (versions up to and including 10.9.3) stems from a heap-based buffer overflow in the kernel driver saappctl.sys, where an authenticated local user can corrupt kernel heap memory to gain code execution at ring 0. Publicly available exploit code exists (demonstrated in a YouTube proof-of-concept), but there is no public exploit identified as being used in active attacks and the issue is not on CISA KEV. The CVSS 4.0 base score of 7.1 reflects local-only reachability but full compromise of confidentiality, integrity, and availability on the host once triggered.

Heap Overflow Buffer Overflow Catchpulse
NVD VulDB GitHub
CVSS 4.0
7.1
EPSS
0.2%
CVE-2026-15497 MEDIUM POC Monitor

Code injection in SonicCloudOrg sonic-agent through version 2.7.2 allows remote unauthenticated attackers to inject and execute arbitrary code via the ExchangeController endpoint, which bypasses or is excluded from the JWT Authentication Filter. The vulnerability carries a public proof-of-concept exploit named 'Unauth_ExchangeSend', confirming the endpoint is reachable without authentication. Critically, the affected product is end-of-life with no vendor support, and the maintainer did not respond to disclosure - no patch is forthcoming.

Code Injection Java RCE Sonic Agent
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.4%
CVE-2026-15479 MEDIUM POC This Month

Unauthenticated remote password modification on H3C NX15 V100R017 routers allows any network-reachable attacker to overwrite the administrator password via the change_passwd function at the /api/login/modify endpoint, effectively seizing full administrative control of the device. The vulnerability stems from a missing authentication or authorization check on the password modification API (CWE-640), meaning no credentials or session token are required to invoke it. A public proof-of-concept exploit is available on GitHub, and no vendor patch has been identified at time of analysis.

Information Disclosure Nx15
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-61876 CRITICAL Act Now

Stored cross-site scripting in OpenWrt's LuCI web interface lets an adjacent-network attacker inject executable HTML/JavaScript by supplying a malicious DHCPv6 Client FQDN hostname, which the DHCP lease status tables render without proper output encoding. When an administrator views the DHCP lease page, the payload executes in their authenticated browser session, enabling router admin-panel compromise. Rated CVSS 4.0 9.4 (Critical) by the vendor; no public exploit identified at time of analysis and it is not listed in CISA KEV.

XSS Luci
NVD GitHub VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-15511 HIGH This Week

OS command injection in the Comfast CF-WR631AX V3 WiFi router (firmware through 2.7.0.8) lets remote attackers execute arbitrary operating-system commands by manipulating the filename argument in the system_wl_upload_pic_file routine of the /usr/bin/webmgnt FastCGI backend. The CVSS 4.0 vector (AV:N/AC:L/PR:N/UI:N) indicates unauthenticated network exploitation, and publicly available exploit code exists (E:P). It is not listed in CISA KEV, so there is no confirmed active exploitation, but the public disclosure lowers the barrier for opportunistic attacks against exposed devices.

Command Injection
NVD GitHub VulDB
CVSS 4.0
8.9
EPSS
2.7%
CVE-2026-56271 CRITICAL PATCH Act Now

Authentication bypass in Flowise 3.0.13 and earlier lets remote unauthenticated attackers forge valid JWTs and impersonate any user, including administrators, because the enterprise passport authentication middleware silently falls back to publicly known hardcoded secrets ('auth_token', 'refresh_token') and default audience/issuer values ('AUDIENCE', 'ISSUER') whenever the JWT_AUTH_TOKEN_SECRET, JWT_REFRESH_TOKEN_SECRET, JWT_AUDIENCE, and JWT_ISSUER environment variables are unset. Reported by VulnCheck and rated CVSS 4.0 9.3 (Critical), it grants full account takeover, though there is no public exploit identified at time of analysis and no CISA KEV listing.

Authentication Bypass Flowise
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-56260 HIGH PATCH This Week

Arbitrary file write in Crawl4AI's Docker API server (versions before 0.8.7) lets remote unauthenticated attackers overwrite any file writable by the service account by abusing the unvalidated output_path parameter on the /screenshot and /pdf endpoints. Reported by VulnCheck and disclosed in GitHub advisory GHSA-365w-hqf6-vxfg, the flaw enables path traversal or absolute-path writes that corrupt server files and cause denial of service. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the network-reachable, no-privileges attack surface makes it a straightforward target once a Crawl4AI Docker server is exposed.

Path Traversal Denial Of Service Docker Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.4%
CVE-2026-56259 HIGH PATCH This Week

Credential exfiltration in Crawl4AI's Docker API server (all versions before 0.8.8) lets remote unauthenticated attackers steal secrets from the host. By abusing the exposed /md, /llm, and /llm/job endpoints, an attacker supplies a malicious base_url to redirect outbound LLM API calls and sets api_token to the special form env:VARIABLE_NAME, causing the server to resolve and leak arbitrary environment variables - including provider API keys and the JWT SECRET_KEY, which in turn enables full authentication bypass. No public exploit identified at time of analysis, but the flaw is trivially exploitable and reported by VulnCheck with an assigned CVSS 4.0 score of 8.8.

Authentication Bypass Docker Information Disclosure Crawl4ai
NVD GitHub VulDB
CVSS 4.0
8.8
EPSS
0.3%
CVE-2026-15484 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (firmware 1.12B01) wireless access point lets an authenticated remote attacker corrupt memory through the ssi-driven /goform/tools_nslookup handler (function sub_41EC14), enabling likely remote code execution or device crash. The device is end-of-life and the vendor has stated it cannot confirm or fix the issue, so no official patch is expected. A public technical write-up describing the overflow exists on GitHub (VulDB-coordinated disclosure), but there is no confirmed active exploitation in CISA KEV.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-15483 HIGH PATCH Monitor

Buffer overflow in the TRENDnet TEW-821DAP (v1.0R, firmware 1.12B01) dual-band access point lets an authenticated remote attacker corrupt memory via the ssi handler sub_41EC14, reachable through the /goform/tools_nslookup endpoint. Supplying an oversized nslookup_target value overruns a fixed buffer (CWE-120), enabling denial of service and likely arbitrary code execution on the device. No public exploit has been identified at time of analysis; the product is end-of-life and the vendor states it cannot confirm the flaw.

Buffer Overflow Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-61875 HIGH This Week

Stored cross-site scripting in OpenWrt's luci-app-upnp lets an unauthenticated LAN client persist a JavaScript payload that executes in the router administrator's browser. By supplying malicious HTML in the NewPortMappingDescription field of a UPnP IGD AddPortMapping SOAP request, an attacker gets miniupnpd to store the value and luci-app-upnp to render it unencoded on the UPnP and Status pages. No public exploit identified at time of analysis, and it is not listed in CISA KEV; the CVSS 4.0 base score is 8.7 (High).

XSS Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.3%
CVE-2026-59260 HIGH This Week

Privilege escalation to root in OpenWrt's luci-app-samba4 (LuCI web interface) lets authenticated delegated users invoke the root-owned Samba daemon with attacker-controlled arguments. The package's 'read' ACL improperly grants file.exec permission on /usr/sbin/smbd, so a low-privileged operator can launch smbd with global options like 'message command' and achieve arbitrary command execution as root when SMB messages are processed. Reported by VulnCheck with a GHSA advisory published; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Privilege Escalation Luci
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.7%
CVE-2026-56238 HIGH PATCH This Week

Unauthenticated information disclosure in Capgo before 12.128.2 exposes confidential business metrics through the Supabase PostgREST /rest/v1/global_stats endpoint, which lacks row-level security enforcement. Any remote party holding only the public (anon) Supabase apikey - a value embedded in Capgo client apps and therefore trivially obtainable - can read MRR, total and plan-tier revenue, customer counts, and operational telemetry. Reported by VulnCheck via a GitHub security advisory; no public exploit code or active exploitation has been identified at time of analysis, though the CVSS 4.0 score of 8.7 reflects high confidentiality impact with no barriers to access.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
8.7
EPSS
0.4%
CVE-2026-56308 HIGH PATCH This Week

Account takeover in Capgo before 12.128.2 arises because the email-change endpoint performs no current-password re-authentication and no verification of the existing email address, letting an attacker who already holds a valid session cookie or an authenticated browser silently repoint the account email. By seizing the recovery address, the attacker captures password-reset flows and sidesteps multi-factor authentication, converting a hijacked session into durable full account control. There is no public exploit identified at time of analysis, but the flaw is vendor-confirmed via GitHub Security Advisory GHSA-9px4-w25f-mvm4 and reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
8.4
EPSS
0.2%
CVE-2026-58596 HIGH PATCH Exploit Likely This Week

Privilege elevation in Microsoft Edge (Chromium-based) lets a network attacker escalate privileges by luring a victim into loading crafted web content that triggers an untrusted pointer dereference (CWE-822). Microsoft rates it CVSS 8.3, driven by a scope change (sandbox/boundary crossing) and full confidentiality, integrity, and availability impact, but exploitation requires user interaction and is of high attack complexity. No public exploit identified at time of analysis (E:U), it is not on CISA KEV, and an official vendor fix is available.

Authentication Bypass Microsoft Google Microsoft Edge Chromium Based
NVD VulDB
CVSS 3.1
8.3
EPSS
0.5%
CVE-2026-10666 HIGH PATCH This Week

Out-of-bounds stack write in the Zephyr RTOS IPv4 address parser (parse_ipv4() in subsys/net/ip/utils.c) lets an attacker corrupt memory when an application resolves an attacker-influenced "a.b.c.d:port" string, causing at minimum denial of service and potentially control-flow hijack on the affected embedded device. The defect exists in every release from v1.9.0 through v4.4.0 and is reachable through the standard socket resolver (zsock_getaddrinfo), DNS server-string configuration, and the eswifi Wi-Fi DNS-response path. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but a vendor fix (two upstream commits and advisory GHSA-532c-7g7f-jhmh) is available.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
8.1
EPSS
0.3%
CVE-2026-10667 HIGH PATCH This Week

Kernel memory corruption in the Zephyr RTOS (versions v1.14.0 through v4.4.0) lets an unprivileged user-mode thread corrupt the kernel's dynamic object-tracking list across the userspace security boundary. The flaw is a use-after-free race (CWE-416) in the obj_list traversal, exploitable only on builds combining CONFIG_SMP, CONFIG_USERSPACE, and CONFIG_DYNAMIC_OBJECTS, and can yield privilege escalation or a kernel crash. No public exploit identified at time of analysis; a vendor patch is available.

Memory Corruption Buffer Overflow Denial Of Service Use After Free Privilege Escalation +1
NVD GitHub VulDB
CVSS 3.1
7.8
EPSS
0.1%
CVE-2026-10665 HIGH PATCH This Week

Out-of-bounds write in the WireGuard subsystem of Zephyr RTOS 4.4.0 lets a malicious or compromised WireGuard peer (or an on-path attacker driving an established session) corrupt memory by sending an oversized transport-data datagram. Because the flawed copy occurs before the Poly1305 authentication check, exploitation needs only a valid receiver session index rather than a valid authenticator, and reliably yields at least a remote denial of service on the target device. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV; the Zephyr project has published advisory GHSA-3wqm-wgx2-9367 and an upstream fix.

Memory Corruption Denial Of Service Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
7.4
EPSS
0.4%
CVE-2026-56241 HIGH PATCH This Week

Privilege escalation in Capgo before 12.128.2 lets demoted super_admin users retain organization-wide bundle management rights because the org_users.user_right column is not cleared when their role binding is deleted. A user who once held super_admin can continue invoking the delete_non_compliant_bundles and count_non_compliant_bundles RPCs to enumerate and bulk-delete non-compliant bundles across the entire organization indefinitely, well after their privileges were supposedly revoked. Reported by VulnCheck; no public exploit identified at time of analysis and not listed in CISA KEV.

Authentication Bypass Privilege Escalation Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.2%
CVE-2026-56313 HIGH PATCH This Week

Cross-organization account disruption in Capgo before 12.128.2 lets an enterprise administrator in one organization destroy the email/password login of users belonging to different organizations. By abusing the SSO prelink-users endpoint, an attacker holding the org.update_settings permission with an active SSO provider can permanently remove password identities for any user whose email matches the provider's domain, locking victims out of native authentication and forcing them onto the attacker's SSO or a password-reset recovery flow. There is no public exploit identified at time of analysis and it is not listed in CISA KEV; the flaw was reported by VulnCheck.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
7.2
EPSS
0.3%
CVE-2026-15491 MEDIUM This Month

Missing authentication in RafyMrX TOKO-ONLINE-ROTI, an Indonesian online bakery shop management application, allows remote unauthenticated attackers to access restricted application functionality with low-level impact across confidentiality, integrity, and availability. All code through commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 is affected, and no patch exists because the vendor did not respond to coordinated disclosure. No public exploit code and no CISA KEV listing exist at time of analysis.

Authentication Bypass Toko Online Roti
NVD VulDB
CVSS 4.0
6.9
EPSS
0.5%
CVE-2026-56336 MEDIUM PATCH This Month

Unauthenticated information disclosure in Capgo's /private/sso/check-domain endpoint exposes internal org_id and provider_id values to any network-reachable attacker. All Capgo deployments prior to version 12.128.2 are affected, with the vulnerable endpoint accessible without credentials. An attacker can systematically enumerate email domains against this endpoint to construct a detailed mapping of domains to organization UUIDs and SSO provider identifiers, enabling targeted reconnaissance against Capgo tenants - no public exploit identified at time of analysis.

Information Disclosure Capgo
NVD GitHub VulDB
CVSS 4.0
6.9
EPSS
0.2%
CVE-2026-15498 MEDIUM This Month

SQL injection in SmartHomeAdatum's users.php Login component exposes the backend database to unauthenticated remote manipulation via a crafted Login argument. All commits up to cf495353d81b680675eb8d9aa14a318aa45ce12c of this PHP-based smart home application are affected, with no patch available and a vendor that did not respond to disclosure. No public exploit code or CISA KEV listing exists at time of analysis, though the CVSS 4.0 vector confirms low-complexity unauthenticated network exploitation.

SQLi PHP Smarthomeadatum
NVD VulDB
CVSS 4.0
6.9
EPSS
0.3%
CVE-2026-15495 LOW POC Monitor

OS command injection in SonicCloudOrg sonic-agent (all versions up to 2.7.2) enables remote code execution through the Android WebSocket Server component. An authenticated remote attacker can manipulate the `path` argument in AndroidWSServer.java to inject arbitrary OS commands on the host running the agent. Publicly available exploit code exists (GitHub PoC by xpp3901), no vendor patch will be issued as the product is end-of-life, and the vendor is unresponsive to disclosure - creating a permanent, unmitigable risk for any active deployment.

Command Injection Java Google Sonic Agent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.5%
CVE-2026-56877 MEDIUM This Month

Skillable's hosted SCORM lab launch endpoint at scorm.skillable.com enforces per-user lab allocation limits against a client-supplied userId query parameter that is never validated against the authenticated SCORM session token, enabling any enrolled learner to bypass rate limits, provision concurrent cloud VM lab instances at the course provider's expense, and exhaust another enrolled user's lab or exam allocation to deny them access. The vulnerability (CWE-639) was confirmed against the reporter's own account and a consenting fellow student on 2026-05-03; the vendor subsequently acknowledged in a private customer advisory that exam allocations and another learner's active session details are also reachable via the same mechanism. No fix is planned for the SCORM launch path; the vendor characterises the weakness as an inherent SCORM limitation and recommends migration to API or LTI 1.3 integrations. No public exploit code has been released, but the attack technique is trivially reproducible by any enrolled student with a proxy.

Denial Of Service
NVD
CVSS 3.1
6.3
EPSS
0.4%
CVE-2026-15509 LOW POC Monitor

Privilege escalation in Leantime up to 3.8.0 allows authenticated low-privileged users to elevate their role to owner by manipulating the role argument in JSON-RPC requests to the editUser/addUser endpoint. The server fails to verify whether the calling user is authorized to assign elevated roles, a CWE-285 Improper Authorization flaw. A public proof-of-concept exploit has been disclosed, and the vendor did not respond to coordinated disclosure, meaning no patch is confirmed available.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15508 LOW POC Monitor

Server-side request forgery in Helicone ai-gateway (up to 0.2.0-beta.30) allows a low-privileged remote attacker to manipulate the `extracted_path_and_query` argument within the `build_target_url` function of the AWS Metadata Service component, causing the gateway to issue unauthorized server-side HTTP requests to internal infrastructure. For deployments on AWS, this most critically targets the EC2 Instance Metadata Service (IMDS) at 169.254.169.254, potentially exposing IAM role credentials that carry blast radius far exceeding the assigned CVSS 5.3 score. A public exploit exists via GitHub, and the vendor was unresponsive to pre-disclosure contact, meaning no vendor-confirmed patch is available at time of analysis.

SSRF Ai Gateway
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15478 LOW POC Monitor

SQL injection in IceHRM 35.0.1 and earlier allows authenticated remote attackers to manipulate backend database queries via the `employeeList` parameter in the EmployeeAttendanceReport PHP component, yielding partial confidentiality, integrity, and availability impact. A public proof-of-concept is available via a GitHub issue report, and the IceHRM project has not responded to the disclosure, leaving no vendor patch available. No CISA KEV listing exists, so widespread active exploitation at scale is unconfirmed, but the public PoC and unpatched status materially elevate practical risk for any organization running this software.

SQLi PHP Icehrm
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15474 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 enables remote authenticated attackers to access call recordings they are not permitted to view by manipulating the `callId` parameter in the `/callrec/audio.jsp` endpoint. The flaw follows a classic Insecure Direct Object Reference (IDOR) pattern under CWE-285, where the application fails to enforce per-user ownership checks on recording identifiers. A public exploit has been released and no vendor patch exists - the vendor did not respond to responsible disclosure - making compensating controls the only available mitigation at this time.

Authentication Bypass Call Recording Software
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15472 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to bypass access controls on the /callrec/composeEmailAction.do endpoint, exposing limited confidential data. The flaw (CWE-285) means the application fails to enforce authorization decisions for at least one action reachable by low-privileged authenticated users. A publicly available proof-of-concept exploit has been disclosed via VulDB, and no vendor patch exists - the vendor did not respond to the coordinated disclosure. No public exploit identified at time of analysis as actively exploited (not in CISA KEV), though exploit code exists.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15471 LOW POC Monitor

Improper authorization on the /callrec/pci_dss_status.jsp endpoint in Eleveo Call Recording Software 9.7.0 allows authenticated low-privilege users to access PCI DSS compliance status data they are not authorized to view. The exposed information reveals the payment card compliance posture of the organization, which could be leveraged to identify exploitable compliance gaps and inform targeted attacks against payment infrastructure. A public proof-of-concept exploit exists; the vendor did not respond to responsible disclosure, leaving no official patch or advisory available.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15501 LOW POC Monitor

Server-side request forgery in AstrBot's dashboard MCP Test Endpoint allows low-privileged authenticated users to coerce the server into issuing arbitrary HTTP requests via a manipulated `mcp_server_config.url` parameter. All AstrBot versions through 4.25.2 are affected via the `ToolsRoute.test_mcp_connection` function in `astrbot/dashboard/routes/tools.py`. A publicly available proof-of-concept exploit exists, and the vendor has not responded to disclosure, leaving no vendor-issued patch at time of analysis.

SSRF Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15473 LOW POC Monitor

Improper authorization in Eleveo Call Recording Software 9.7.0 allows authenticated remote attackers to perform unauthorized operations on the Recorded Calls Page via the `/callrec/restoreCallAction.do` endpoint, potentially accessing or restoring call recordings outside their permitted scope. The vulnerability stems from CWE-285 (Improper Authorization), meaning the application fails to enforce access controls on the restore call action, permitting privilege escalation within the recording management interface. A publicly available proof-of-concept exploit exists per the CVSS 4.0 E:P supplemental metric; no patch has been confirmed by the vendor, who did not respond to disclosure attempts.

Authentication Bypass Call Recording Software
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-10663 MEDIUM PATCH This Month

Use-after-free and double-free in Zephyr RTOS's experimental USB host stack (CONFIG_USB_HOST_STACK, introduced in v4.4.0) allows an attacker with physical USB access to crash the target device or corrupt live kernel slab objects by bouncing a USB device connection to trigger a second removal event after the slab has already been freed. The flaw exists because usbh_device_disconnect() frees the root usb_device slab object without clearing the cached ctx->root pointer, and UHC controller drivers (uhc_max3421e, uhc_mcux_common) emit UHC_EVT_DEV_REMOVED directly from hardware line-state with no debounce or re-entry guard. No public exploit identified at time of analysis, and no CISA KEV listing; the physical-access prerequisite substantially constrains the realistic attacker population.

Memory Corruption Buffer Overflow Denial Of Service Use After Free Zephyr
NVD GitHub VulDB
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-15513 LOW POC PATCH Monitor

OS command injection in the Wavlink WL-NU516U1 router's CGI web administration interface allows authenticated network attackers to execute arbitrary operating system commands by injecting shell metacharacters into the lan_ip parameter of the adm.cgi endpoint. The wlink_uci_set_value function passes attacker-controlled input unsanitized into OS-level commands, enabling full compromise of the underlying Linux-based router OS. A public proof-of-concept exploit is available on GitHub (no public exploit identified at time of analysis for KEV), and the vendor has released a patched firmware as of June 22, 2026.

Command Injection Wl Nu516U1
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.4%
CVE-2026-15512 LOW POC Monitor

Remote code injection in pig-mesh Pig's pig-codegen module through version 3.9.2 allows low-privileged authenticated attackers to execute arbitrary code server-side via the GeneratorServiceImpl component, reachable over the network. A publicly available proof-of-concept exploit exists at GitHub (sombra0316/CVE-2026), elevating the urgency for defenders. No vendor patch has been released, and the vendor did not respond to responsible disclosure, leaving affected deployments without an official remediation path.

Code Injection Java RCE Pig
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-15510 LOW POC Monitor

Broken access control in Leantime's API component (versions up to 3.8.0) allows authenticated low-privileged users to invoke the Setting::saveSetting function and modify application settings beyond their authorization level. The flaw is classified under CWE-285 (Improper Authorization) and is tagged as an authentication bypass and broken access control issue, meaning the application fails to enforce permission boundaries after login. A publicly available proof-of-concept exploit exists per VulDB and bytium.com; no CISA KEV listing was identified at time of analysis, and the vendor has not responded to disclosure.

Authentication Bypass Leantime
NVD VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15500 LOW POC Monitor

Server-side request forgery in AstrBot up to version 4.25.2 allows authenticated remote attackers to cause the server to issue arbitrary HTTP requests by supplying a malicious value for the `custom_registry` parameter at the `market_list` plugin marketplace endpoint. The affected function is `get_online_plugins` in `astrbot/dashboard/routes/plugin.py`. A public proof-of-concept exploit is available on GitHub, though this vulnerability is not listed in the CISA KEV catalog. The CVSS 4.0 score of 2.1 reflects the authentication barrier and constrained impact, making this a lower-priority but tactically exploitable issue for attackers with dashboard access.

SSRF Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15499 LOW POC Monitor

Improper authorization in AstrBot's Scheduled Task Handler allows a remote low-privileged user to bypass authorization controls by manipulating the payload["note"] argument in FutureTaskTool.call (astrbot/core/tools/cron_tools.py), affecting all versions up to and including 4.25.2. A publicly available proof-of-concept exploit (GitHub gist) demonstrates exploitation. No patch has been released and the vendor did not respond to disclosure; EPSS and CVSS 4.0 score this at 5.3, indicating moderate-to-low real-world severity, but the active POC elevates practical risk for deployed instances. Not currently listed in CISA KEV.

Authentication Bypass Astrbot
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15496 LOW POC Monitor

OS command injection in SonicCloudOrg sonic-agent up to version 2.7.2 allows remote low-privileged attackers to execute arbitrary system commands via the evalIsFailed function in the Groovy Script Handler component. The public proof-of-concept - titled 'Unsandboxed_RCE' - confirms that Groovy scripts are executed without a security sandbox, enabling full host-level command execution. Critically, this is an end-of-life product with no vendor response and no patch, meaning no fix is forthcoming; no public exploit identified in CISA KEV at time of analysis, but a public POC exists.

Command Injection Java Sonic Agent
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
1.2%
CVE-2026-15494 LOW POC Monitor

SQL injection in AMTT Hotel Broadband Operation System 1.0 exposes the `manager/network/switch_status.php` endpoint to database manipulation via an unsanitized `ID` parameter, exploitable by authenticated remote attackers. A public proof-of-concept exploit exists (GitHub issue referenced in VulDB entry), though the vulnerability is not listed in CISA KEV. The CVSS 4.0 score of 2.0 reflects the high-privilege authentication barrier (PR:H) that significantly constrains real-world attack surface, limiting this primarily to insider threat or post-compromise escalation scenarios within hotel network management environments.

SQLi PHP Hotel Broadband Operation System
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15475 LOW POC PATCH Monitor

Improper access controls in MiniTool Partition Wizard's signed kernel driver pwdrvio.sys (versions up to 13.6) allow a local low-privileged user to interact with privileged driver functionality without authorization. The vulnerability is tagged as an authentication bypass against a kernel-mode component, meaning a standard user account can invoke driver operations that should be restricted to administrative or system-level callers. A publicly available proof-of-concept exploit lowers the practical exploitation bar, though no active exploitation is confirmed via CISA KEV at time of analysis.

Authentication Bypass Partition Wizard
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15476 LOW POC PATCH Monitor

Improper access control in the diskbckp.sys kernel driver of QILING Disk Master 6.0.0.0 allows local low-privileged users to bypass authorization checks and interact with privileged kernel driver functionality. Tagged as an authentication bypass, the flaw resides in an unknown function within the kernel driver component, enabling manipulation of access control logic without elevated credentials. A public proof-of-concept exploit has been disclosed (no CISA KEV listing); the vendor has released a patch via beta download.

Authentication Bypass Disk Master
NVD VulDB
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15490 MEDIUM This Month

SQL injection in RafyMrX TOKO-ONLINE-ROTI (up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99) allows remote unauthenticated attackers to manipulate database queries via the kode_produk and kd_cs parameters in proses/add.php. The CVSS 4.0 vector confirms no privileges or user interaction are required, and a public exploit (E:P) has been released, lowering the skill threshold for opportunistic attacks. The vendor did not respond to coordinated disclosure, leaving no official patch available at time of analysis.

SQLi PHP Toko Online Roti
NVD VulDB
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-15489 MEDIUM This Month

SQL injection in TOKO-ONLINE-ROTI's login endpoint exposes all deployments up to commit ddfe1cd587be0a0b5135d8b6e85cce2ec3aece99 to unauthenticated remote database manipulation via the Username parameter in proses/login.php. A public exploit is available (CVSS 4.0 E:P), and the vendor has not responded to responsible disclosure, meaning no vendor-released patch exists and no remediation guidance has been issued. No public exploit identified at time of analysis as confirmed active exploitation (CISA KEV), but the combination of a fully unauthenticated attack path, low complexity, and available proof-of-concept code elevates real-world risk above the 5.5 base score suggests.

SQLi PHP
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15482 MEDIUM This Month

SQL injection in Aster Telecom Azcall 10/11 exposes a network-reachable administrative endpoint to unauthenticated query manipulation via the nome, perfil, and status HTTP parameters in the store management handler. The CVSS 4.0 vector confirms no authentication or special prerequisites are required (AV:N/AC:L/PR:N/UI:N), and public exploit code is available (E:P). The vendor did not respond to coordinated disclosure, meaning no official patch exists at time of analysis.

SQLi PHP Azcall
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15488 MEDIUM This Month

Unrestricted file upload in shiroiAdmin versions 1.1 and 1.3 (PHP admin panel by hcr707305003) exposes the `FileController::upload` function to unauthenticated remote exploitation, enabling attackers to upload arbitrary files - including PHP webshells - to the server without authentication. A public exploit has been disclosed (CVSS 4.0 E:P), and the vendor did not respond to coordinated disclosure. Exploitation conditions are severe: the CVSS 4.0 vector confirms network-accessible, zero-authentication, low-complexity exploitation with no user interaction required.

Authentication Bypass File Upload PHP
NVD GitHub VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15487 MEDIUM Monitor

OS command injection in the TRENDnet TEW-821DAP wireless access point firmware enables authenticated remote attackers to execute arbitrary operating system commands by manipulating the Hostname parameter submitted to the /goform/system_ntp endpoint, processed by function sub_41FBD0. The device (v1.0R hardware, firmware 1.11B03) is confirmed end-of-life, and the vendor has explicitly declined to investigate or remediate the issue. No patch will be released; no public exploit code is confirmed at time of analysis, and the vulnerability is not listed in the CISA KEV catalog.

Command Injection
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
Page 1 of 2 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy