Skip to main content
CVE-2026-15594 LOW POC Monitor

Improper authorization in waoowaoo (versions up to 0.4.1) allows remote, unauthenticated attackers to bypass access controls on media resources by manipulating the storageKey argument passed to the stablePublicIdFromStorageKey function in the Media Handler component. The impact is limited to partial confidentiality disclosure (VC:L in CVSS 4.0), with no integrity or availability consequence. No vendor patch has been issued as of analysis time; a public exploit exists via a GitHub issue report (POC), though high attack complexity (AC:H) constrains opportunistic exploitation. This vulnerability is not listed in the CISA KEV catalog.

Authentication Bypass Waoowaoo
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-15516 LOW POC PATCH Monitor

Authorization bypass in MacCMS Pro's installation module allows remote attackers to circumvent access controls via the `step5` function in the installation controller, affecting all versions through 2022.1000.3005. Exploitation is rated high-complexity (AC:H), limiting opportunistic mass exploitation, though a public proof-of-concept is available on GitHub. No CISA KEV listing at time of analysis; EPSS data was not included in the available intelligence, but POC availability elevates the practical risk above the raw CVSS score alone might suggest.

Authentication Bypass PHP Maccms Pro
NVD VulDB GitHub
CVSS 4.0
2.9
EPSS
0.3%
CVE-2026-15596 LOW POC Monitor

Cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 exposes users to script injection via the unvalidated `subject` parameter in `/subject.php`, exploitable remotely by unauthenticated attackers. A publicly available proof-of-concept exists on GitHub, confirming practical exploitability with minimal attacker skill. No CISA KEV listing is present; the CVSS 4.0 score of 5.3 reflects limited integrity impact constrained by required user interaction, though POC availability meaningfully elevates real-world risk above the raw score suggests.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15607 LOW POC PATCH Monitor

Prototype pollution in TanStack DB's select() query compiler allows low-privileged remote attackers to mutate Object.prototype by supplying dot-notation alias paths containing reserved JavaScript property names such as __proto__, prototype, or constructor. Versions up to 0.6.8 are confirmed affected via CPE cpe:2.3:a:tanstack:db. A publicly available exploit exists (GitHub issue #1584), though the vulnerability is not in CISA KEV. The CVSS 4.0 base score of 2.1 reflects low integrity impact scoped to the vulnerable system, but the downstream consequences of Object.prototype mutation in JavaScript runtimes can exceed what raw scoring conveys depending on application logic.

Information Disclosure Prototype Pollution Db
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15536 LOW POC Monitor

SQL injection in itsourcecode Hospital Management System 1.0 exposes patient prescription data to remote authenticated attackers via the `delid` parameter in `/patviewprescription.php`. Low-privilege access is sufficient to exploit this CWE-89 flaw, enabling database read, write, and partial disruption. No public KEV listing exists, but a proof-of-concept exploit is publicly available on GitHub, materially lowering the barrier to exploitation beyond what the CVSS 4.0 score of 5.3 alone implies.

SQLi PHP Hospital Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15523 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate the Name parameter within /SimpleOnlineLeave/admin/dashboard.php to inject arbitrary SQL commands against the backend database. A public proof-of-concept exploit is confirmed via a GitHub issue reference, elevating real-world risk above the moderate CVSS 4.0 base score of 5.3. The CVE is not currently listed in the CISA KEV catalog, indicating no confirmed widespread active exploitation, but the low attack complexity combined with an available POC makes this a credible near-term threat for any internet-exposed deployment.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15595 LOW POC Monitor

Reflected cross-site scripting in SourceCodester Class and Exam Timetabling System 1.0 allows remote unauthenticated attackers to inject arbitrary JavaScript via the unsanitized `subject` parameter in `/forsubject.php`. A victim user must interact with a crafted URL for the payload to execute in their browser. A public proof-of-concept exploit is available on GitHub, increasing the likelihood of opportunistic exploitation against deployed instances.

PHP XSS Class And Exam Timetabling System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.3%
CVE-2026-15559 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 exposes the admin accept handler to database manipulation by low-privilege authenticated remote attackers via the `appid` POST parameter in `/SimpleOnlineLeave/admin/accept.php`. The CVSS 4.0 vector (PR:L, VC:L/VI:L/VA:L) indicates constrained but real impact against the vulnerable system's database, with confidentiality, integrity, and availability all partially compromised. A public exploit is available on GitHub and the E:P evidence tag in the CVSS 4.0 vector corroborates this - however, no CISA KEV listing exists, meaning active exploitation at scale is not confirmed at time of analysis.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15558 LOW POC Monitor

SQL injection in CodeAstro Simple Online Leave Management System 1.0 allows authenticated remote attackers to manipulate backend database queries via the 'ID' parameter in /SimpleOnlineLeave/admin/deletemp.php. The CVSS 4.0 vector (PR:L) indicates low-privilege authenticated access is sufficient to trigger the flaw, and a public proof-of-concept exploit has been disclosed on GitHub. Impact is assessed as low across confidentiality, integrity, and availability, consistent with the CVSS 4.0 score of 2.1, though the underlying SQL injection primitive could theoretically be chained to extract or corrupt database content.

SQLi PHP Simple Online Leave Management System
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15547 LOW POC Monitor

OS command injection in Shibby Tomato firmware up to 1.28.0000 allows authenticated remote attackers to execute arbitrary commands on the underlying router OS by manipulating the cifs1 or cifs2 arguments passed to the CIFS Mount Handler function sub_2D048. A publicly available proof-of-concept exploit exists on Gitee, lowering the barrier to exploitation. The risk is compounded by the fact that Shibby Tomato is an end-of-life project with no active maintenance, superseded by FreshTomato, meaning no patch is forthcoming from the original vendor.

Command Injection Tomato
NVD VulDB
CVSS 4.0
2.1
EPSS
1.1%
CVE-2026-15546 LOW POC Monitor

OS command injection in Shibby Tomato router firmware through version 1.28.0000 allows low-privileged remote attackers to execute arbitrary OS commands by manipulating the jffs2_exec argument in the start_jffs2 component's sub_2D568 function. A publicly available proof-of-concept exploit exists on Gitee, confirming exploitability beyond theoretical analysis. The project is officially abandoned and superseded by FreshTomato, meaning no vendor patch will ever be released - remediation requires migrating to supported firmware.

Command Injection Tomato
NVD VulDB
CVSS 4.0
2.1
EPSS
1.1%
CVE-2026-15540 LOW POC Monitor

Local File Inclusion (LFI) in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers to read arbitrary files on the server by manipulating the `page` parameter in `/admin/index.php`, leading to source code and sensitive file disclosure. The vulnerability stems from unsanitized user input passed directly to PHP's include/require statement (CWE-98), with a publicly available proof-of-concept exploit documented on Medium. No patch has been identified; CVSS 4.0 scores this 2.1, reflecting the limited impact scope and authenticated precondition.

Information Disclosure LFI PHP Online Book Store System
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15535 LOW POC PATCH Monitor

Unsafe deserialization in AkariAsai self-rag's `Indexer.deserialize_from` function exposes any deployment that processes externally supplied FAISS index files to potential arbitrary code execution. The vulnerability resides in `retrieval_lm/src/index.py` and is triggered when the `index_meta.faiss` argument is manipulated with a crafted payload - a classic CWE-502 pattern where Python's serialization routines (typically pickle) blindly instantiate attacker-controlled objects. A publicly available proof-of-concept exists per GitHub issue #105, elevating the practical risk beyond the moderate CVSS 4.0 score of 5.3. No active exploitation has been confirmed by CISA KEV, and the project maintainer had not formally responded to the disclosure at time of reporting.

Deserialization Self Rag
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15525 LOW POC PATCH Monitor

Server-side request forgery in kLOsk adloop through version 0.9.0 allows authenticated remote attackers to manipulate the `final_url` argument passed to the `_validate_urls` function in `src/adloop/ads/write.py`, causing the server to issue arbitrary outbound HTTP requests. Internal network services, cloud metadata endpoints, and other non-public resources reachable from the server may be exposed. A public proof-of-concept exploit exists via GitHub issue #41, and a vendor-released patch is available in version 0.10.0.

SSRF Adloop
NVD VulDB GitHub
CVSS 4.0
2.1
EPSS
0.2%
CVE-2026-15539 LOW POC Monitor

Unrestricted file upload in SourceCodester Online Book Store System 1.0 allows authenticated remote attackers with administrative access to upload arbitrary PHP files via the Book Image Upload feature at /admin/index.php?page=books, enabling remote code execution on the host server. A public exploit proof-of-concept has been disclosed on Medium under the title 'Critical Authenticated Remote Code Execution via Unrestricted File Upload,' confirming practical exploitability. While PR:H limits exposure to actors holding admin credentials, successful exploitation yields full server-side code execution, making this a high-impact finding within its threat model.

PHP File Upload Online Book Store System
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15533 LOW POC Monitor

Code injection in DedeCMS 5.7.118 exposes high-privileged remote attackers to arbitrary PHP code execution via the Column Name parameter in the Column Management component of `/plus/search.php`. The exploit document on GitHub describes a cache file writing mechanism through which attacker-supplied input is persisted to disk and subsequently executed by the PHP runtime. A public proof-of-concept exists; no active exploitation is confirmed in the CISA KEV catalog.

Code Injection PHP RCE Dedecms
NVD VulDB GitHub
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15518 LOW POC Monitor

Unrestricted file upload in AREA 17 Twill CMS (versions up to 3.6.0) allows authenticated admin users to upload arbitrary file types via the `qqfilename` parameter in the Media Library Insert Page, creating a direct path to remote code execution on the underlying server. A public proof-of-concept documenting the full exploitation chain from file upload to RCE has been published by Bytium. No vendor patch exists - the vendor was contacted during responsible disclosure and did not respond, leaving all installations on affected versions without an official remediation path.

PHP File Upload Twill Cms
NVD VulDB
CVSS 4.0
2.0
EPSS
0.2%
CVE-2026-15521 LOW POC Monitor

Path traversal in makafeli n8n-workflow-builder (versions up to 0.11.0) allows a local low-privileged attacker to manipulate the filePath argument in the update_node_from_file function within build/server.cjs, enabling arbitrary file reads and writes outside the intended directory scope. A publicly available proof-of-concept exists on GitHub (issue #28), and the vendor has not responded to the coordinated disclosure. No public exploit has been confirmed as actively exploited and it is not listed in CISA KEV, but the local requirement combined with POC availability makes this a credible insider or post-compromise risk.

Path Traversal N8N Workflow Builder
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15532 LOW POC Monitor

Stored cross-site scripting (XSS) in SourceCodester Online Book Store System 1.0 allows a high-privileged authenticated attacker to inject malicious script payloads via the Name or Username fields in the User Management Module, which then execute in the browsers of other users who view the affected page. A publicly available proof-of-concept exploit exists, documented in a Medium article specifically demonstrating authenticated stored XSS in this module. This is not confirmed in the CISA KEV catalog, and real-world impact is constrained by the niche, educational nature of the affected software and the requirement for administrative credentials to inject payloads.

XSS Online Book Store System
NVD VulDB
CVSS 4.0
1.9
EPSS
0.2%
CVE-2026-15531 LOW POC PATCH Monitor

Unsafe deserialization in HashNeRF-pytorch's Checkpoint File Handler allows a local low-privileged attacker to achieve arbitrary code execution by supplying a malicious file via the `ckpt_path` argument to `torch.load()` in `run_nerf.py`. All commits up to 82885e698295982504eb6a26d060a6b2473e3706 are affected; a fix exists as an unmerged pull request (PR #50). A public exploit has been disclosed via GitHub issue #49, though no CISA KEV listing has been identified, indicating no confirmed widespread active exploitation at time of analysis.

Deserialization Checkpoint Hashnerf Pytorch
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15528 LOW POC Monitor

Path validation bypass in kicad-mcp up to 3.3.1 enables local low-privileged users to read files outside intended directory scope by manipulating the `project_path` or `schematic_path` arguments processed by `kicad_mcp/utils/path_validator.py`. The protection mechanism in this MCP (Model Context Protocol) server for KiCad PCB design software fails to adequately sanitize or normalize supplied paths, resulting in limited confidentiality impact with no integrity or availability consequences. No public patch is available as of this analysis; a proof-of-concept exploit exists publicly via GitHub issue #57, though the project maintainer has not yet responded to the disclosure.

Information Disclosure Kicad Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15527 LOW POC Monitor

Path traversal in better-auth/better-icons (versions up to and including 1.0.5) allows a local low-privileged attacker to manipulate the icons_file argument passed to the scan_project_icons/sync_icon component, escaping the intended directory boundary to read or write arbitrary files accessible to the process. A public proof-of-concept has been disclosed via GitHub issue #18, and the vendor has not yet responded to the responsible disclosure. No CISA KEV listing exists; the CVSS 4.0 base score of 1.9 correctly reflects the constrained local-only attack surface and limited per-file impact.

Path Traversal Better Icons
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15526 LOW POC Monitor

Path traversal in augmnt augments-mcp-server 7.1.0 allows a local low-privileged attacker to read arbitrary files outside the intended project directory by manipulating the packageJsonPath argument passed to the scanProjectDeps function. The vulnerability is limited to confidentiality impact (VC:L) with no integrity or availability effect, and a proof-of-concept has been publicly disclosed via a GitHub issue. The vendor has not responded to the responsible disclosure report, meaning no patch is currently available.

Path Traversal Augments Mcp Server
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15524 LOW POC Monitor

Path traversal in alioshr memory-bank-mcp through versions 0.2.1 and 3.1 allows a local low-privileged user to read files outside the intended project directory boundary by supplying traversal sequences in the `projectName` argument processed by `list-project-files-validation-factory.ts`. A public proof-of-concept has been disclosed via GitHub issue #36, and no patch is available as the vendor has not yet responded to the coordinated disclosure. No confirmed active exploitation has been identified (not listed in CISA KEV), though the public exploit lowers the barrier for opportunistic local abuse.

Path Traversal Memory Bank Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15522 LOW POC PATCH Monitor

Path traversal in tugcantopaloglu godot-mcp 2.0.0 allows a local low-privileged user to escape the intended project directory by manipulating the projectPath argument passed to the validatePath function within the run_project component. A public proof-of-concept has been disclosed via GitHub issue #9, raising practical exploitability above the raw CVSS score of 4.8 would suggest. No active exploitation is confirmed by CISA KEV; a vendor-released patch is available in version 3.0.0.

Path Traversal Godot Mcp
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15520 LOW POC PATCH Monitor

Heap-based buffer overflow in GNU LibreDWG 0.13.4-154-g0b573035 allows a local low-privileged attacker to corrupt heap memory by supplying a crafted DWG file processed through the R2004 section decompressor, yielding partial confidentiality, integrity, and availability impact. The vulnerability resides in `decompress_R2004_section` within `src/decode.c` and is exploitable whenever LibreDWG parses attacker-controlled R2004-format DWG content. A public proof-of-concept exploit file has been disclosed on GitHub; no CISA KEV listing is present, indicating no confirmed widespread active exploitation at time of analysis.

Heap Overflow Buffer Overflow Libredwg
NVD VulDB GitHub
CVSS 4.0
1.9
EPSS
0.1%
CVE-2026-15519 LOW POC Monitor

Inclusion of functionality from an untrusted control sphere in usestrix strix (up to v1.0.2) allows remote attackers to manipulate the system_prompt.jinja template within the PyPI Handler component, achieving limited confidentiality, integrity, and availability impact. The CVSS 4.0 score of 2.3 reflects high attack complexity and required passive user interaction, placing real-world exploitation difficulty considerably higher than the network-facing attack vector alone implies. A public proof-of-concept is available on GitHub; no patch has been issued and the vendor has not responded to disclosure.

Information Disclosure Strix
NVD VulDB GitHub
CVSS 4.0
1.3
EPSS
0.2%
CVE-2026-9820 LOW Monitor

Insufficient sanitization of team objects in Mattermost's scheme teams API endpoint allows an authenticated user holding the User Manager role to extract invite links for private teams from API responses and use those links to join or redistribute access to those teams. Affected versions are 11.7.x through 11.7.2 and 10.11.x through 10.11.19. No public exploit identified at time of analysis and exploitation has not been confirmed by CISA KEV, but the low attack complexity (AC:L) means a malicious User Manager could reliably reproduce this without trial and error.

Authentication Bypass Mattermost
NVD
CVSS 3.1
3.8
EPSS
0.2%
CVE-2026-61971 LOW Monitor

Insecure Direct Object Reference (IDOR) in Cozmoslabs User Profile Picture WordPress plugin (versions through 2.6.3) allows a high-privileged authenticated attacker to modify the profile picture of arbitrary users by manipulating a user-controlled object key in requests. The flaw stems from CWE-639 - the plugin fails to validate that the authenticated user is authorized to modify the target user's resource before processing the change. No public exploit code has been identified at time of analysis, and the vulnerability is not listed in CISA KEV, consistent with its low CVSS score of 2.7.

Authentication Bypass User Profile Picture
NVD
CVSS 3.1
2.7
EPSS
0.3%
CVE-2026-15605 LOW PATCH Monitor

Artifact Integrity Validation in wandb 0.25.2.dev1 uses MD5 (a cryptographically broken hash algorithm) within ArtifactManifestEntry.download in wandb/sdk/lib/hashutil.py, enabling a sufficiently resourced attacker with write access to artifact storage or a man-in-the-middle network position to substitute a malicious artifact file that shares the same MD5 digest as a legitimate one, bypassing download integrity checks. The CVSS 4.0 base score of 2.3 reflects high attack complexity and the requirement for authenticated access (PR:L), placing real-world exploitability firmly in the theoretical-to-low range. No public exploit exists and the vulnerability has no CISA KEV listing; an upstream fix via SHA-256 supplementation is available as an unmerged GitHub PR (#12031).

Information Disclosure Wandb
NVD VulDB GitHub
CVSS 4.0
2.3
EPSS
0.2%
CVE-2026-40468 LOW PATCH Monitor

Integer overflow in GNU gawk's builtin.c (versions 5.4.0 and below) enables heap metadata corruption and memory exhaustion when gawk processes attacker-crafted input. The flaw stems from a CWE-190 integer wraparound condition that can be triggered locally to overwrite heap objects with attacker-controlled bytes, potentially escalating from a denial-of-service to memory corruption with partial integrity impact. No public exploit identified at time of analysis, and CERT-PL reported this with a low CVSS 4.0 base score of 2.1, reflecting a limited, local attack surface with specific attack prerequisites.

Integer Overflow Buffer Overflow Gawk
NVD VulDB
CVSS 4.0
2.1
EPSS
0.2%

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy