Skip to main content
CVE-2026-59801 CRITICAL POC Act Now

Unauthenticated CRUD on the provider-management API in 9Router (through 0.4.41) lets remote attackers with no credentials enumerate, create, modify, and delete provider connections via the Next.js routes under src/app/api/providers/*. Because the /api/providers endpoints ship without authentication middleware, attackers can harvest partial credentials, OAuth tokens, and API keys, redirect AI traffic to attacker-controlled providers, or wipe all connections for a full denial of service; the companion /api/usage/stats endpoint further leaks full plaintext API keys. Rated CVSS 4.0 9.3 (critical); no public exploit identified at time of analysis, though the trivial access makes exploitation straightforward.

Authentication Bypass Denial Of Service 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.5%
CVE-2026-61498 CRITICAL POC Act Now

Remote OS command execution in Vitec Flamingo 4.12.2 lets unauthenticated attackers run arbitrary commands as root through the admin/ajax/gen_graphs.php graph-generation endpoint. The start, end, key, and format GET parameters are passed unsanitized into a PHP passthru() shell call, and because the web server runs with passwordless sudo the impact escalates to full root compromise. Publicly available exploit code exists (VulnCheck), though there is no CISA KEV listing, so this is a high-priority, easily weaponizable flaw.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
2.2%
CVE-2026-60121 CRITICAL POC Act Now

Unauthenticated OS command injection in Vitec Flamingo 4.12.2 (IPTV distribution) lets remote attackers run arbitrary commands as root through the admin/ajax/ping.php endpoint. The flaw stems from a double-evaluation bug where a system wrapper re-uses the decoded, un-escaped host value in a second shell call executed via passwordless sudo. Publicly available exploit code exists (VulnCheck); no active exploitation is confirmed in CISA KEV at time of analysis.

Command Injection PHP Flamingo
NVD
CVSS 4.0
9.3
EPSS
1.4%
CVE-2026-11964 CRITICAL POC PATCH Act Now

Payment-verification bypass in the User Registration & Membership WordPress plugin before 5.2.2 lets unauthenticated attackers forge a payment-provider webhook to mark a subscription as paid, activating premium memberships without any real transaction. WPScan reports publicly available exploit code, though there is no public exploit identified as being used in active attacks (not in CISA KEV). The core weakness is that inbound webhook notifications are trusted and acted upon without authenticating their origin or signature.

Information Disclosure WordPress User Registration Membership
NVD WPScan
CVSS 3.1
9.1
EPSS
0.1%
CVE-2026-12582 HIGH POC PATCH This Week

The Library Management System WordPress plugin before 3.5.8 does not sanitize and escape a user-supplied parameter before using it in a SQL statement, allowing unauthenticated attackers to perform SQL injection and extract arbitrary data from the database, including user password hashes.

WordPress SQLi Library Management System
NVD WPScan VulDB
CVSS 3.1
8.6
EPSS
0.2%
CVE-2026-62240 HIGH POC PATCH This Week

Server-side request forgery in CrewAI's scraping tools before version 1.15.1 lets remote attackers reach internal services and cloud metadata endpoints by abusing a flawed validate_url function. The filter performs a single DNS resolution and blocklist check, then returns the original URL unchanged, so attacker-supplied URLs that HTTP-redirect to internal addresses or exploit DNS rebinding slip past the guard. Publicly available exploit code exists (VulnCheck advisory and issue #6520), but there is no public exploit identified as being used in active attacks.

SSRF Crewai
NVD GitHub
CVSS 4.0
8.3
EPSS
0.3%
CVE-2026-11963 HIGH POC PATCH This Week

Privilege escalation in the User Registration & Membership WordPress plugin before 5.2.2 lets any authenticated low-privileged user (e.g. a subscriber) alter another account's WordPress role and membership tier. The membership-upgrade action performs no authorization check and trusts a caller-supplied user identifier instead of the current session, so an attacker can target an arbitrary account - including their own - to gain higher roles up to administrator. Publicly available exploit code exists and a vendor patch is available, but this is not listed in CISA KEV.

Information Disclosure WordPress User Registration Membership
NVD WPScan VulDB
CVSS 3.1
8.1
EPSS
0.1%
CVE-2026-62242 HIGH POC PATCH This Week

Server-side request forgery in codecentric Spring Boot Admin Server before 4.1.2 lets unauthenticated remote attackers register a monitored instance with attacker-controlled healthUrl and managementUrl values that are never validated against private IP ranges or cloud metadata endpoints. Because the server then fetches those URLs and exposes the response bodies through its actuator proxy, an attacker can pivot into internal networks and read back sensitive data such as cloud instance-metadata credentials. Publicly available exploit code exists and the flaw was reported by VulnCheck, though there is no public exploit identified as actively exploited (not in CISA KEV).

Java SSRF Spring Boot Admin
NVD GitHub
CVSS 4.0
7.7
EPSS
0.3%
CVE-2026-15545 HIGH POC This Week

Out-of-bounds write in the Shibby Tomato router firmware (versions up to and including 1.28.0000) lets authenticated remote users corrupt memory through the apcupsd web component. The flaw sits in the main() function of www/apcupsd/tomatodata.cgi, where crafted input reaches an out-of-bounds write (CWE-787) that can crash the CGI or potentially execute code on the router. Publicly available exploit code exists (via VulDB/Gitee), but there is no confirmed active exploitation; note that this project has been superseded by FreshTomato and is effectively end-of-life.

Memory Corruption Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15544 HIGH POC This Week

Remote authenticated command execution is possible in Shibby Tomato router firmware through version 1.28.0000, where the getupsvar function in the apcupsd CGI handler (www/apcupsd/tomatodata.cgi) fails to bound the Field argument, producing a stack-based buffer overflow (CWE-121). A logged-in user can send a crafted request to corrupt the stack and hijack control flow with full confidentiality, integrity, and availability impact on the device. Publicly available exploit code exists (VulDB), though there is no evidence of active exploitation; the CVSS 4.0 score is 8.7 with an E:P (proof-of-concept) exploit-maturity flag.

Stack Overflow Buffer Overflow Tomato
NVD VulDB
CVSS 4.0
7.4
EPSS
0.4%
CVE-2026-15543 HIGH POC This Week

Buffer overflow in the Tenda CH22 router (firmware 1.0.0.1) allows a remote, authenticated attacker to corrupt memory by supplying an overlong 'Name' argument to the formCertListInfo function in the /goform/CertListInfo endpoint. The flaw was disclosed by VulDB with publicly available exploit code, and the CVSS 4.0 score of 8.7 reflects high confidentiality, integrity, and availability impact. No public exploit identified in CISA KEV, so this is a proof-of-concept-stage issue rather than confirmed in-the-wild abuse.

Tenda Buffer Overflow Ch22
NVD VulDB
CVSS 4.0
7.4
EPSS
0.5%
CVE-2026-12275 HIGH POC PATCH This Week

Broken authorization in the Tutor LMS WordPress plugin (before 3.9.13) lets authenticated subscriber-level users bypass paid/private-course access controls when the Droip or Kirki page-builder integration is active. Because these integration handlers omit the enrollment, purchase, and private-course capability checks enforced in the core course handler, low-privileged accounts can self-enroll in paid or private courses, read otherwise-restricted content, and mark arbitrary courses complete. Reported by WPScan with publicly available exploit detail and a vendor patch released; no active exploitation is currently listed in CISA KEV.

WordPress Information Disclosure Tutor Lms
NVD WPScan
CVSS 3.1
7.1
EPSS
0.1%
CVE-2026-12274 MEDIUM POC PATCH This Month

Broken object-level authorization in the Tutor LMS WordPress plugin before 3.9.13 allows any authenticated instructor-level user to overwrite and take over arbitrary posts or pages sitewide, including administrator-owned content. The content-builder save handler validates the request against an unrelated identifier rather than confirming the requesting user owns or is permitted to edit the target post, making the authorization check entirely ineffective. A publicly available proof-of-concept exploit exists; no active exploitation has been confirmed by CISA KEV at time of analysis, though the low barrier (instructor account only) and high integrity impact elevate real-world risk significantly.

Information Disclosure WordPress Tutor Lms
NVD WPScan
CVSS 3.1
6.5
EPSS
0.1%
CVE-2026-15515 MEDIUM POC This Month

Local privilege/impact abuse in Tencent PC Manager 18.1.30242.301 stems from an uncontrolled search path (CWE-427) in the QMUDisk kernel driver library qmudisk64.sys, letting a low-privileged local user coerce loading of an attacker-controlled library to achieve high confidentiality, integrity, and availability impact. Publicly available exploit code exists (the 'qmukiller' proof-of-concept on GitHub), but exploitation is rated high-complexity/difficult and requires local access with existing low-level privileges. No public exploit has been tied to active in-the-wild attacks, and the vendor did not respond to the disclosure, so no fix is currently available.

Information Disclosure Pc Manager
NVD VulDB GitHub
CVSS 4.0
6.4
EPSS
0.1%
CVE-2026-10551 MEDIUM POC PATCH This Month

Stored Cross-Site Scripting in the Breeze Cache WordPress plugin (versions before 2.5.6) allows unauthenticated attackers to inject arbitrary HTML attributes into cached page output by exploiting a predictable placeholder hash format used during HTML minification. The root cause is a weak, guessable replacement token generated during the minification pipeline combined with a flawed regular expression, meaning an attacker who can submit content to the site can anticipate the placeholder pattern and craft input that survives minification as injected markup. A publicly available proof-of-concept exploit exists; this vulnerability has not been confirmed in CISA KEV at time of analysis, but the low attack complexity and unauthenticated access requirement make it a realistic opportunistic target across WordPress deployments using this plugin.

XSS WordPress Breeze Cache
NVD WPScan
CVSS 3.1
6.1
EPSS
0.2%
CVE-2026-57811 CRITICAL Act Now

Remote code injection in the Realtyna Organic IDX WordPress plugin (real-estate-listing-realtyna-wpl) affects all versions up to and including 5.2.0, allowing remote attackers to inject and execute arbitrary code (described as 'Remote Code Inclusion') against affected WordPress sites. Patchstack assigned a maximum CVSS 3.1 base score of 10.0 with an unauthenticated network vector and scope change, indicating full compromise of the host. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV.

Code Injection RCE Realtyna Organic Idx Plugin
NVD
CVSS 3.1
10.0
EPSS
0.6%
CVE-2026-57719 CRITICAL Act Now

Arbitrary file upload in CodeRevolution's Aimogen Pro WordPress plugin (versions up to and including 2.8.3) lets attackers upload files of dangerous types, typically enabling deployment of a PHP web shell and full remote code execution on the host. The supplied CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H) rates it 10.0 critical, reflecting network-reachable, low-complexity, unauthenticated exploitation with a scope change. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

File Upload Aimogen Pro
NVD
CVSS 3.1
10.0
EPSS
0.5%
CVE-2026-61667 CRITICAL PATCH GHSA Act Now

Remote code execution in DIRAC (Distributed Infrastructure with Remote Agent Control) grid middleware lets any authenticated user run arbitrary commands on the server through the FileCatalog DatasetManager. A SQL injection (CWE-89) in the checkDataset code path lets the attacker control a value that is fed directly into a Python eval(), turning a data-layer flaw into full server compromise. Rated CVSS 9.9 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H); no public exploit identified at time of analysis, though the vendor advisory names the exact vulnerable source lines.

SQLi RCE
NVD GitHub
CVSS 3.1
9.9
CVE-2026-45579 CRITICAL PATCH GHSA Act Now

Authenticated remote code execution in DIRAC's RequestManagementSystem lets any logged-in grid user run arbitrary commands as the DIRAC service account, enabling full compromise of the DIRAC installation. The flaw stems from an eval() call reachable through the export_getRequestCountersWeb service method, and successful exploitation exposes dirac.cfg secrets, database credentials, and all stored user proxies and tokens. Rated CVSS 9.9; no public exploit code has been released, though the vendor advisory documents a complete working exploitation path.

RCE Code Injection
NVD GitHub
CVSS 3.1
9.9
CVE-2026-57710 CRITICAL Act Now

Arbitrary file upload in the WoowBot Pro Max WordPress plugin (quantumcloud) through version 14.1.7 allows an authenticated attacker to upload files of dangerous types, leading to remote code execution on the underlying WordPress host. The scope-change CVSS 9.9 reflects that a low-privileged account can pivot to full server compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but Patchstack has confirmed and cataloged the flaw.

File Upload Woowbot Pro Max
NVD VulDB
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-57401 CRITICAL Act Now

Arbitrary file deletion via path traversal in the SureDash WordPress plugin (Brainstorm Force) affects all versions up to and including 1.8.0, allowing an authenticated low-privilege user to delete files outside the plugin's intended directory by supplying crafted pathnames. The Patchstack reference explicitly characterizes the flaw as arbitrary file deletion, meaning an attacker can remove critical files such as wp-config.php to disrupt the site or force a re-installation takeover. No public exploit identified at time of analysis and the issue is not listed in CISA KEV, but the CVSS 9.9 rating reflects the low barrier to exploitation.

Path Traversal Suredash
NVD
CVSS 3.1
9.9
EPSS
0.5%
CVE-2026-51821 CRITICAL Act Now

SQL injection in Shenzhou Shihan Video Conference System v1.0 lets a remote, unauthenticated attacker inject arbitrary SQL through the /user/getUserLogin endpoint, enabling full database compromise and, per the MITRE report, arbitrary code execution. The flaw is network-reachable against default installs with no authentication or user interaction (CVSS 9.8). No CISA KEV listing exists and EPSS is low (0.27%, 18th percentile); disclosure references (a GitHub CVE issue and a cnblogs write-up) suggest public exploitation details circulate, though weaponized exploit code was not independently confirmed in this analysis.

SQLi RCE N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.3%
CVE-2026-51540 CRITICAL Act Now

Remote memory corruption in the OpENer EtherNet/IP stack (2.3.0 master branch up to commit 76b95cf) stems from an integer underflow while parsing connected explicit messages via the SendUnitData encapsulation command, allowing network attackers to corrupt memory on the target device. The CVSS 3.1 score of 9.8 (AV:N/PR:N) indicates unauthenticated remote exploitation with full confidentiality, integrity, and availability impact. A public gist by researcher MrAlaskan and a filed GitHub issue accompany the disclosure, so publicly available exploit code exists, though EPSS is low (0.15%, 5th percentile) and it is not on the CISA KEV list.

Buffer Overflow Integer Overflow N A
NVD GitHub
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-57433 CRITICAL PATCH Act Now

Denial-of-service in the Storable module for Perl (versions before 3.41) allows remote attackers to abort deserialization by supplying a crafted SX_HOOK record whose item count equals I32_MAX. The signed 32-bit count plus one wraps to a negative value, which av_extend rejects with a fatal panic, terminating any thaw() or retrieve() call on attacker-controlled data. No public exploit identified at time of analysis; despite the assigned CVSS of 9.8 (C:H/I:H/A:H), the documented outcome is a controlled abort rather than memory corruption or code execution.

Deserialization Integer Overflow Storable
NVD GitHub VulDB
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-59518 CRITICAL Act Now

PHP Object Injection in the wpWax Directorist WordPress plugin (all versions through 8.8.2) lets remote attackers pass untrusted serialized data into a PHP deserialization sink, instantiating arbitrary objects that can trigger POP gadget chains for code execution, data theft, or site compromise. The flaw carries a critical 9.8 CVSS score with an unauthenticated network vector; it was disclosed by Patchstack. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

Deserialization Directorist
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57813 CRITICAL Act Now

Privilege escalation in the MailOptin WordPress plugin (by properfraction) affects all versions up to and including 1.2.77.3, stemming from incorrect privilege assignment (CWE-266). An attacker can obtain elevated privileges within the WordPress site, potentially reaching administrator-level control that yields full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and the flaw is not listed in CISA KEV; it was reported by Patchstack.

Privilege Escalation Mailoptin
NVD
CVSS 3.1
9.8
EPSS
0.5%
CVE-2026-57770 CRITICAL Act Now

PHP Object Injection in the ThemeGoods Grand Photography WordPress theme (all versions up to and including 5.7.8) lets remote attackers deliver crafted serialized data to an unsafe unserialize() sink, potentially achieving code execution, file operations, or SQL injection through POP gadget chains. The CVSS 9.8 rating reflects unauthenticated network exploitation (PR:N/UI:N) with full confidentiality, integrity, and availability impact. No public exploit identified at time of analysis, and it is not listed in CISA KEV.

Deserialization Grand Photography
NVD VulDB
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57744 CRITICAL Act Now

PHP Object Injection in the RT-Theme 18 | Extensions plugin (rt18-extensions) for WordPress affects all versions up to and including 2.5, allowing remote attackers to inject arbitrary PHP objects by supplying crafted serialized data to an unsafe deserialization sink. Because the CVSS vector reports PR:N/UI:N, exploitation does not require authentication or user interaction, and impact escalates to full compromise (confidentiality, integrity, availability all High) when a usable POP gadget chain is present in the WordPress stack. No public exploit identified at time of analysis, and the vulnerability is not listed in CISA KEV; the 9.8 base score reflects worst-case object-injection potential rather than confirmed in-the-wild activity.

Deserialization Rt Theme 18 Extensions
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57738 CRITICAL Act Now

Remote PHP object injection in the axiomthemes '777' (triple-seven) WordPress theme allows attackers to instantiate arbitrary PHP objects by supplying crafted serialized data to a vulnerable unserialize() call, affecting all versions up to and including 1.13.0. With the reported CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N) scoring 9.8, an unauthenticated network attacker can achieve high-impact compromise if a usable POP gadget chain is present. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV.

Deserialization 777
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-57724 CRITICAL Act Now

Object injection in the Themeum Kirki WordPress customizer framework (all versions through 6.0.12) allows attackers to abuse PHP deserialization of untrusted data (CWE-502), potentially leading to arbitrary object instantiation and, given a suitable POP gadget chain, remote code execution or full site compromise. Reported by Patchstack with a maximum CVSS 9.8 rating; no public exploit identified at time of analysis and the flaw is not listed in CISA KEV. Because Kirki is a developer toolkit bundled into many premium WordPress themes, exposure depends on which theme/plugin code passes attacker-controllable input into its deserialization path.

Deserialization Kirki
NVD
CVSS 3.1
9.8
EPSS
0.6%
CVE-2026-52533 CRITICAL Act Now

Privilege escalation in D-Link DIR-1253 firmware v1.0.1.250923.142435 stems from improper handling of the /etc/shadow file - the store of hashed local credentials - letting an attacker obtain or elevate to root-level access on the device. Publicly available exploit code exists (referenced via the zuh.re/codeberg advisory), but there is no public exploit identified as actively exploited and the CVE is not on the CISA KEV list. The published CVSS of 9.8 (AV:N) appears optimistic given that the core issue centers on a local system credential file, so the true remote-unauthenticated reach should be verified against the vendor advisory.

Privilege Escalation D-Link N A
NVD
CVSS 3.1
9.8
EPSS
0.2%
CVE-2026-14453 CRITICAL PATCH Act Now

Server-Side Template Injection in Centreon's centreon-open-tickets module enables authenticated users to achieve remote code execution on the Centreon Infra Monitoring server. The message_confirm field is persisted without sanitization and later rendered by the Smarty template engine with no security policy applied, so injected template directives execute as server-side code. Rated CVSS 9.6 with a scope change; no public exploit identified at time of analysis and no EPSS score supplied, but the low authentication barrier and RCE outcome make this a high-priority patch.

Code Injection RCE Infra Monitoring
NVD GitHub
CVSS 3.1
9.6
EPSS
0.5%
CVE-2026-15517 MEDIUM POC This Month

SQL injection in Jinher OA 1.0 exposes the PlanGiveOut.aspx endpoint to remote unauthenticated exploitation via the unsanitized `httpOID` parameter, enabling database enumeration, data exfiltration, and record manipulation. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms no prerequisites beyond network access. A public proof-of-concept exploit has been published on GitHub (CVE-2026-15517 issue tracker), the vendor did not respond to coordinated disclosure, and no patch exists at time of analysis.

SQLi Oa
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15597 MEDIUM POC This Month

SQL injection in SourceCodester Class and Exam Timetabling System 1.0 exposes the `/edit_exam2.php` endpoint to remote unauthenticated database manipulation via the unsanitized `ID` parameter. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:N/UI:N) confirms exploitation requires no authentication, no user interaction, and no special preconditions, making this trivially exploitable over the network. A public exploit has been released on GitHub (no public exploit identified at time of analysis for KEV, but publicly available exploit code exists per POC data), and while the vulnerability is not listed in the CISA KEV catalog, the zero-friction attack path elevates real-world risk above what the moderate 5.5 CVSS score might suggest.

SQLi PHP Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-6875 CRITICAL Act Now

Remote code execution in the ServiceNow AI Platform allows an unauthenticated attacker, under certain (unspecified) circumstances, to execute arbitrary code within the ServiceNow platform, carrying a critical CVSS 4.0 base score of 9.5. ServiceNow has patched hosted instances directly and issued fixes to self-hosted customers and partners; there is no public exploit identified at time of analysis, and the vendor states it is not currently aware of exploitation. The high CVSS complexity metric (AC:H) indicates the exploit is not trivially reproducible against arbitrary instances, tempering the otherwise maximal impact rating.

RCE Servicenow Ai Platform Code Injection
NVD VulDB
CVSS 4.0
9.5
EPSS
0.5%
CVE-2026-15557 MEDIUM POC This Month

Authentication bypass in waooAI waoowaoo through version 0.4.1 allows unauthenticated remote attackers to spoof internal user identity by manipulating the x-internal-user-id HTTP request header, defeating the authentication controls implemented across multiple auth functions in the API layer. Affected are the getInternalTaskSession, getAuthSession, requireUserAuth, requireProjectAuth, and requireProjectAuthLight functions in src/lib/api-auth.ts, meaning both user-level and project-level authorization gates can be circumvented. A publicly available exploit (POC) exists via GitHub issue #200; the vendor has not yet responded to the disclosure, and no patch has been released.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.5%
CVE-2026-22093 CRITICAL PATCH Act Now

Man-in-the-middle interception and traffic manipulation in the EVbee Service Android app (v1.4.101.00) is possible because the app negotiates HTTPS but never validates the server's TLS certificate, and further protects payloads only with RC4 under a hardcoded key. An attacker positioned on the network path can decrypt and alter app-to-server traffic and harvest charging-station access codes. There is no public exploit identified at time of analysis and it is not listed in CISA KEV, but the flaw is trivially reproducible with standard interception tooling.

Information Disclosure Google Evbee Service
NVD
CVSS 4.0
9.5
EPSS
0.2%
CVE-2026-15537 MEDIUM POC This Month

SQL injection in SourceCodester Online Book Store System 1.0 exposes the admin authentication panel to remote, unauthenticated exploitation via the Username parameter in admin/login.php. A publicly available proof-of-concept - explicitly titled 'SQL Injection Leading to Authentication Bypass' - demonstrates that an attacker can bypass admin login entirely without valid credentials. No active exploitation is confirmed by CISA KEV, but the combination of a publicly released exploit and a trivially low attack complexity significantly elevates real-world risk above what the base CVSS 4.0 score of 6.9 suggests.

SQLi PHP Online Book Store System
NVD VulDB
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-15530 MEDIUM POC This Month

Information disclosure in WuzhiCMS up to version 4.1.0 exposes sensitive server-side data through the Attachment API's `config/listimage` function, reachable at `/index.php?m=attachment&f=index&v=upload`. Remote unauthenticated attackers can exploit this endpoint without any privileges or user interaction, as confirmed by a publicly available proof-of-concept published via a GitHub issue report. The vendor has not responded to the disclosure, leaving no patch available and all deployments exposed.

PHP Information Disclosure Wuzhicms
NVD VulDB GitHub
CVSS 4.0
5.5
EPSS
0.3%
CVE-2026-61500 CRITICAL PATCH Act Now

Administrator session forgery in Rejetto HFS (HTTP File Server) versions 3.0.0 through 3.2.0 lets a remote unauthenticated attacker derive the server's session-cookie signing key. Because HFS seeds that key from JavaScript's non-cryptographic Math.random() and simultaneously leaks outputs of the same generator to clients during login, an attacker can sample a few login responses, reconstruct the PRNG state, and mint a valid admin cookie - yielding full administrative control and remote code execution through the server_code configuration feature. No public exploit is identified at time of analysis, but the flaw was reported by VulnCheck/Horizon3.ai and a vendor patch (v3.2.1) exists.

RCE Hfs
NVD GitHub VulDB
CVSS 4.0
9.3
EPSS
0.7%
CVE-2026-14934 CRITICAL PATCH Act Now

Cross-tenant privilege escalation in the repository creation functionality shared by Google Cloud BigQuery, Dataform, and Colab Enterprise allowed an authenticated GCP user to take over repositories belonging to other tenants. Rated CVSS 4.0 9.4 (critical) with a scope-changing cross-tenant impact, the flaw was a Missing Authorization (CWE-862) issue affecting the managed services between October 2025 and 10 May 2026. Google reports no public exploit identified at time of analysis; the defect was fixed server-side on 10 May 2026 with no customer action required.

Authentication Bypass Google Bigquery Dataform Colab Enterprise
NVD VulDB
CVSS 4.0
9.4
EPSS
0.2%
CVE-2026-12396 MEDIUM POC PATCH This Month

Missing authorization in WP Job Portal WordPress plugin before 2.5.5 allows any self-registered subscriber to approve, feature, or reject arbitrary job listings owned by other users, bypassing both capability and ownership checks entirely. The subscriber role is self-registerable on most WordPress sites, meaning an unauthenticated attacker can trivially obtain the access level needed to exploit this flaw with no admin interaction required. A publicly available proof-of-concept exists; no CISA KEV listing indicates confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Wp Job Portal
NVD WPScan VulDB
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-12271 MEDIUM POC PATCH This Month

Missing ownership verification in Tutor LMS WordPress plugin before 3.9.13 allows any authenticated subscriber-level user to overwrite other students' quiz attempt records, including their scores and pass/fail status. The flaw is an insecure direct object reference (IDOR) pattern: the plugin writes to quiz attempts without confirming the requesting user owns that attempt. A public exploit exists per WPScan, meaning the technique is documented and reproducible; however, this CVE is not listed in the CISA KEV catalog, indicating no confirmed mass exploitation at time of analysis.

Information Disclosure WordPress Tutor Lms
NVD WPScan
CVSS 3.1
5.4
EPSS
0.1%
CVE-2026-62327 CRITICAL Act Now

Unauthenticated API key disclosure in 9Router (npm package '9router' by decolua) through version 0.4.41 lets any remote attacker retrieve full plaintext API keys for every connected AI provider by issuing a single GET to the /api/usage/stats endpoint, which lacks authentication middleware. The same missing-auth flaw class extends to unauthenticated CRUD on /api/providers and exposure of full conversation histories, so an attacker can harvest credentials, hijack provider accounts, and commit billing fraud or quota exhaustion. Reported by VulnCheck with a critical CVSS 4.0 base of 9.3; no public exploit identified at time of analysis and no vendor-released patch identified at time of analysis.

Authentication Bypass Information Disclosure 9Router
NVD GitHub
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-62239 MEDIUM POC PATCH This Month

Arbitrary file write via symlink attack in FlashAttention's build toolchain (through 2.8.3.post1) allows a local low-privileged attacker to redirect NVIDIA archive extraction to attacker-controlled paths by pre-planting a symlink in the predictable cache directory before a victim initiates a build. The hopper/setup.py download_and_copy() function called tarfile.extractall() without symlink validation or path confinement, meaning extracted NVIDIA toolchain binaries could be written anywhere accessible to the victim's process. No active exploitation is confirmed in CISA KEV, but a publicly available proof-of-concept exists at GitHub issue #2637 and a vendor patch is available in commit 0816ef1.

Nvidia Information Disclosure Flash Attention
NVD GitHub
CVSS 4.0
5.3
EPSS
0.1%
CVE-2026-6847 CRITICAL Act Now

Remote code execution in ThemisNETPanel (vendor 4real) allows unauthenticated network attackers to fully compromise the underlying server by abusing a file-upload endpoint that lacks any authentication check. An attacker submits a base64-encoded PHP payload, writes it as an arbitrary PHP file, and executes it in the web application's context. Reported by CERT-PL with a CVSS 4.0 base score of 9.3; no public exploit identified at time of analysis and it is not listed in CISA KEV.

Authentication Bypass File Upload RCE PHP Themisnetpanel
NVD
CVSS 4.0
9.3
EPSS
0.6%
CVE-2026-22103 CRITICAL PATCH Act Now

Command injection in the evbee DC-80 EV charger allows remote unauthenticated attackers to execute arbitrary operating-system commands via the 'NPC start' endpoint exposed on the device's web server at TCP port 8090. Reported by DIVD (Dutch Institute for Vulnerability Disclosure), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable vector (AV:N/PR:N/UI:N) and high impact to confidentiality, integrity, and availability. No public exploit identified at time of analysis, and the issue is not listed in CISA KEV; no EPSS score was supplied.

Command Injection Dc 80
NVD
CVSS 4.0
9.3
EPSS
1.3%
CVE-2026-22097 CRITICAL PATCH Act Now

Arbitrary code execution in the EVBEE DC-80 EV charging station stems from a firmware update mechanism that ships without cryptographic signature validation (CWE-347), letting an attacker who reaches the update capability push a malicious firmware image and have it executed by the device. Reported by DIVD (advisory DIVD-2026-00001) with a CVSS 4.0 base score of 9.3 and a 'Jwt Attack' angle noted in triage tags, the flaw grants full compromise of the charger. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

RCE Jwt Attack Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.3%
CVE-2026-22102 CRITICAL PATCH Act Now

Arbitrary file write in the Evbee DC-80 EV charging station lets remote unauthenticated attackers overwrite any file on the device by sending a POST request whose Content-Disposition filename parameter is trusted without validation. Because a written file can clobber system files (denial of service) or replace shell scripts that are later executed, this escalates to remote code execution. There is no public exploit identified at time of analysis, but the CVSS 4.0 base score of 9.3 and CWE-20 root cause make this a critical, high-priority flaw.

Denial Of Service Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.4%
CVE-2026-22096 CRITICAL PATCH Act Now

Missing authentication on the evbee DC-80 EV charging station exposes an administrative web server on TCP port 8090 that requires no login, allowing remote unauthenticated attackers to read sensitive data such as configured passwords and to upload arbitrary files via multiple endpoints. Reported through the DIVD CSIRT coordinated-disclosure program (DIVD-2026-00001), the flaw carries a CVSS 4.0 base score of 9.3 with a fully network-exploitable, no-privilege vector. There is no public exploit identified at time of analysis and the issue is not listed in CISA KEV.

Authentication Bypass Dc 80
NVD
CVSS 4.0
9.3
EPSS
0.4%
Page 1 of 8 Next

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy