Skip to main content
CVE-2026-15486 MEDIUM PATCH Monitor

OS command injection in TRENDnet TEW-821DAP firmware 1.11B03 allows a network-adjacent authenticated attacker to execute arbitrary shell commands by manipulating the hostname, username, or password parameters in the DDNS configuration handler at /goform/tools_ddns. The affected product is officially end-of-life - the vendor has declined to issue a patch and disputes ability to confirm the vulnerability on the v1.0R hardware revision. No public exploit code or CISA KEV listing has been identified at time of analysis, though the CWE-78 vulnerability class is trivial to weaponize once firmware internals are mapped via the linked IOT research repository.

Command Injection Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15485 MEDIUM PATCH Monitor

OS command injection in the TRENDnet TEW-821DAP 1.11B03 wireless access point allows authenticated remote attackers to execute arbitrary operating system commands by manipulating the nslookup_target or dns_server arguments passed to the DNS Lookup Handler at /goform/tools_nslookup (function sub_43F2C4). The affected device is end-of-life and the vendor has explicitly declined to patch it, stating they cannot confirm the vulnerability's existence for the TEW-821DAP v1.0R. No public exploit code or CISA KEV listing has been identified at time of analysis, though the network-accessible attack surface and EOL status make remediation by replacement the only viable long-term strategy.

Command Injection Tew 821Dap
NVD VulDB GitHub
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-15502 MEDIUM This Month

SQL injection in AojiaoZero Antaris 1.0 exposes the application database through the PayPal IPN payment callback endpoint, where the `_rewardPurchase` function fails to sanitize the `item_number` parameter before incorporating it into SQL queries. An authenticated remote attacker who can send a crafted POST request to `/ipn.php` can manipulate the underlying database query, potentially reading sensitive records, modifying data, or degrading availability. No public exploit code has been identified at time of analysis, and the vendor did not respond to disclosure, leaving the vulnerability unpatched.

SQLi PHP Antaris
NVD VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56252 MEDIUM PATCH This Month

Scope isolation failure in Capgo's POST /webhooks/test endpoint allows authenticated app-scoped API keys to invoke org-scoped webhook operations, bypassing the intended limited_to_apps authorization boundary. All Capgo instances prior to version 12.128.2 are affected, enabling credential holders with narrow, app-level access to trigger signed outbound webhook deliveries targeting arbitrary organization webhooks they should not control. No public exploit code has been identified and this vulnerability is not listed in the CISA KEV catalog, but the CVSS 4.0 vector (PR:L, AV:N) confirms low-privilege network exploitation is straightforward once credentials are in hand.

Authentication Bypass Capgo
NVD GitHub VulDB
CVSS 4.0
5.3
EPSS
0.2%
CVE-2026-56281 MEDIUM PATCH This Month

SQL injection in Capgo's POST /private/admin_stats endpoint allows platform administrators to inject arbitrary SQL fragments into Cloudflare Analytics Engine queries via an unsanitized limit parameter. Affected versions are all Capgo releases before 12.128.2. An attacker holding valid platform admin credentials can exploit this to enumerate analytics dataset schemas, extract analytics data, or cause denial-of-service against the analytics backend. No public exploit has been identified at time of analysis, and the high-privilege requirement (PR:H) substantially limits realistic blast radius.

SQLi Capgo
NVD GitHub VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-15493 MEDIUM This Month

Cross-site scripting in Akpali9 Attendance-Management-System allows a remote, low-privileged attacker to inject malicious JavaScript via the export_date parameter in absent.php, executing in the browser context of any victim user who interacts with attacker-crafted content. All versions up to commit 70b91fe38f4195b701a45f0edcd4f42d5f64aeee are affected; the project's rolling release model means no discrete patched version exists, and the vendor did not respond to disclosure. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis.

XSS PHP Attendance Management System
NVD VulDB
CVSS 4.0
5.1
EPSS
0.2%
CVE-2026-10664 MEDIUM PATCH This Month

Out-of-bounds stack write in Zephyr's nRF70 Wi-Fi driver exposes embedded systems to memory corruption when the nRF70 co-processor returns a power-save event with more than eight TWT flow entries. The vulnerable function `nrf_wifi_event_proc_get_power_save_info()` blindly copies co-processor-supplied TWT entries into a fixed 8-element stack array without validating `num_twt_flows` against `WIFI_MAX_TWT_FLOWS`, enabling heap/stack corruption of approximately 40 bytes per excess entry. No public exploit code exists and the flaw is not listed in CISA KEV, but the adjacent-network attack vector and the indirect over-the-air influence path via a rogue AP manipulating TWT sessions make this a meaningful risk in Wi-Fi 6 (802.11ax) deployment environments running Zephyr with `CONFIG_NRF70_STA_MODE`.

Memory Corruption Buffer Overflow Zephyr
NVD GitHub VulDB
CVSS 3.1
5.0
EPSS
0.1%
CVE-2026-10668 LOW PATCH Monitor

Denial of service in Zephyr RTOS's Nuvoton NuMaker HSUSBD USB device-controller driver allows a physical or adjacent USB host to permanently wedge the device's USB control endpoint. The driver unconditionally arms the control Data IN stage without accounting for the hardware's inability to disarm an already-armed transfer, so a host that cancels an in-flight control transfer and then re-issues a SETUP packet drives the driver out of sync. Repeated cancel-and-re-SETUP cycles cause the control endpoint to NAK every subsequent transfer, rendering the USB function non-operational until a USB reset or re-plug. No public exploit identified at time of analysis.

Denial Of Service Zephyr
NVD GitHub VulDB
CVSS 3.1
2.4
EPSS
0.1%
CVE-2026-61874 LOW PATCH Monitor

Path normalization failure in filebrowser's DeleteWithPathPrefix function allows authenticated users on versions before 2.63.17 to leave stale public share records intact by deleting directories with trailing-slash paths. After deletion, an attacker can recreate the same directory path and cause its new contents to be silently exposed through the previously dormant, still-valid public share URL. No public exploit code has been identified at time of analysis, and the vendor-confirmed CVSS 4.0 score of 2.3 reflects the high complexity and limited confidentiality impact.

Authentication Bypass Filebrowser
NVD GitHub VulDB
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-15477 LOW PATCH Monitor

SQL injection in Bahmni bahmnicore up to version 0.93 allows low-privileged authenticated remote attackers to manipulate backend database queries via the additionalParams argument at the /openmrs/ws/rest/v1/bahmnicore/sql Search Endpoint. Public exploit code exists (confirmed by E:P in CVSS 4.0 supplemental metrics and the CVE description), lowering the bar for exploitation to any user with valid application credentials. Fixed versions spanning all active release branches (0.93.1 through 2.0.1) were released July 2026, and organizations running affected versions in healthcare environments should prioritize patching given the sensitivity of stored patient and clinical data.

SQLi Bahmnicore
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-15507 LOW Monitor

Missing authorization in Coolify's Policy Handler allows authenticated remote attackers to bypass resource-level access controls in versions up to 4.1.1. The flaw resides in the /app/Policies/ component, where policy enforcement checks are absent or incomplete, enabling low-privileged users to access or manipulate resources beyond their intended authorization scope. A public proof-of-concept exploit is available, raising the urgency for operators running self-hosted Coolify instances.

Authentication Bypass
NVD GitHub VulDB
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15492 LOW Monitor

Cross-site scripting in igweze Wizgrade's dashboard/studentConductManager.php allows remote, unauthenticated attackers to inject and execute malicious scripts in a victim's browser upon interaction with a crafted request. The vulnerability was publicly disclosed with exploit code available (CVSS 4.0 E:P), and the vendor did not respond to pre-disclosure contact, leaving no official patch or remediation guidance. No active exploitation has been confirmed via CISA KEV, though the public exploit raises the risk of opportunistic targeting of school or academic institutions using this PHP-based student management system.

XSS PHP Wizgrade
NVD VulDB
CVSS 4.0
2.1
EPSS
0.4%
CVE-2026-15505 LOW Monitor

Cross-site scripting in vnotex vnote up to version 3.20.1 allows a remote attacker with low-level privileges to inject malicious scripts via the YAML frontmatter `p_metaData` argument processed by `/src/data/extra/web/js/markdownit.js`. When a victim views or renders a specially crafted note containing malicious YAML metadata, the injected script executes in their browser context, enabling limited integrity manipulation. No patch is available at time of analysis - the vendor did not respond to responsible disclosure contact - and exploit code is publicly referenced via VulDB.

XSS Vnote
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
Prev Page 2 of 2

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy