By weakness (CWE)
CWE-74: related vulnerabilities
CVEs classified under CWE-74. Understanding the weakness class helps prioritize systemic fixes over one-off patches.
68 published vulnerabilities
- CVE-2026-41234HIGH 7.6
Froxlor, an open-source server administration platform, contains a vulnerability in its DNS management API that allows authenticated users to break out of TXT record fields and inject malicious DNS directives. An attacker with customer-level DNS editing permissions can inject newline characters into TXT record values, causing them to span multiple lines in the generated BIND zone file. This allows injection of arbitrary BIND directives like `$INCLUDE` or `$GENERATE`, as well as unauthorized DNS records (A, MX, CNAME entries). The vulnerability affects all versions prior to 2.3.7 and is notable because it bypassed an earlier attempted fix for similar issues in other record types.
- CVE-2026-10110HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Details Management System version 1.0 affecting the /index.php file. An attacker can manipulate the 'roll' parameter to inject arbitrary SQL commands, potentially accessing, modifying, or deleting sensitive student records. The vulnerability requires no authentication and can be exploited remotely over the network. Public exploit code is already available, increasing the risk of active exploitation.
- CVE-2026-10111HIGH 7.3
A SQL injection vulnerability exists in the Login Page of sambitraj STUDENT-MANAGEMENT-SYSTEM version 1.0. An attacker can manipulate the email parameter during login to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication or user interaction and can be exploited remotely. Exploit code has already been published publicly, elevating the practical risk.
- CVE-2026-10178HIGH 7.3
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows unauthenticated remote attackers to inject malicious SQL commands through the ID parameter in the admin album editing interface. The flaw permits reading, modifying, or deleting database records without authorization. Public exploit code is available, elevating immediate risk.
- CVE-2026-10184HIGH 7.3
SourceCodester Hospitals Patient Records Management System version 1.0 contains a SQL injection vulnerability in its user deletion function. An attacker can send a specially crafted request to the /classes/Users.php endpoint that manipulates the ID parameter, allowing unauthorized database queries. Because this flaw requires no authentication and can be exploited over the network, it poses a significant risk to hospital operations and patient data confidentiality.
- CVE-2026-10185HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Hospitals Patient Records Management System version 1.0. An attacker can send a malicious request to the /classes/Users.php file with a crafted ID parameter that causes the application to execute unintended database commands. No authentication is required, and the vulnerability is accessible over the network. Public exploit code is available, increasing the risk of active exploitation.
- CVE-2026-10186HIGH 7.3
CVE-2026-10186 is a SQL injection vulnerability in code-projects Online Hospital Management System version 1.0. An attacker can craft a malicious request to the /patient.php file, manipulating the 'editid' parameter to execute arbitrary SQL commands against the backend database. No authentication is required, and the exploit can be triggered remotely over the network. Public exploit details are available, increasing the practical risk of active exploitation.
- CVE-2026-10208HIGH 7.3
A SQL injection vulnerability exists in the Online Hospital Management System version 1.php, specifically in the login_user function of login_1.php. An attacker can manipulate the Username parameter during login to inject malicious SQL commands. This allows unauthorized access and data compromise without requiring authentication or user interaction. The vulnerability is remotely exploitable and public exploit code has already been released.
- CVE-2026-10220HIGH 7.3
NousResearch's hermes-agent application contains a vulnerability in how it handles plugin skill requests. An attacker can send specially crafted input to the skill_view function that gets injected into backend operations, potentially compromising the confidentiality, integrity, and availability of the affected system. The vulnerability is network-accessible, requires no authentication, and can be triggered without user interaction. Because exploit details have been publicly disclosed, the attack surface is visible to potential adversaries.
- CVE-2026-10221HIGH 7.3
A code injection vulnerability exists in NousResearch's hermes-agent software, affecting versions up to 0.12.0. The flaw resides in the context compression function and allows remote attackers to inject malicious code without requiring authentication or user interaction. Public exploit code is available, increasing the practical risk of exploitation.
- CVE-2026-10225HIGH 7.3
A SQL injection vulnerability exists in raisulislamg4's student management system (PHP-based). An attacker can manipulate the Username parameter in the login_check.php file to inject malicious SQL commands. The vulnerability is network-accessible, requires no authentication, and doesn't require user interaction. Exploit code is publicly available. The project uses a rolling release model, making it difficult to track specific patched versions.
- CVE-2026-10226HIGH 7.3
A SQL injection vulnerability exists in the raisulislamg4 student management system (a PHP-based open-source project). An attacker can manipulate parameters in the delete.php file—specifically user_id, course_id, teacher_id, student_id, or application_id—to inject malicious SQL commands. This can be exploited remotely without authentication or user interaction, allowing an attacker to read, modify, or delete database records. Proof-of-concept code has been published, increasing the risk of active exploitation.
- CVE-2026-10227HIGH 7.3
A SQL injection vulnerability exists in the student management system by raisulislamg4 (up to commit 310d950e) that allows unauthenticated attackers to manipulate the role parameter in the user creation process. An attacker can submit malicious input through the add_user_check.php endpoint to execute arbitrary SQL commands, potentially reading, modifying, or deleting database contents. The vulnerability has been publicly disclosed and proof-of-concept information is available, increasing the likelihood of active exploitation.
- CVE-2026-10249HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 within the admin request-viewing interface. An unauthenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive patient data, modification of records, or system disruption. Public exploits are already available, elevating the practical risk.
- CVE-2026-10250HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online Blood Bank Management System version 1.0 that allows unauthenticated attackers to manipulate the hospital parameter in the /admin/campsdetails.php file, potentially compromising the confidentiality, integrity, and availability of the system and its data. The vulnerability is remotely exploitable and public exploit code is available, elevating active exploitation risk.
- CVE-2026-10251HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. An attacker can send a specially crafted request to the login functionality via the Username parameter to execute arbitrary database commands. Because the vulnerability requires no authentication and can be triggered remotely, it poses a significant risk to exposed instances. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10252HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0 that allows unauthenticated attackers to inject malicious SQL commands through the ID parameter in the /manage_tenant.php file. This could enable attackers to read, modify, or delete tenant data stored in the application's database without requiring any special credentials or user interaction. The vulnerability is publicly known and exploit code is available.
- CVE-2026-10253HIGH 7.3
A SQL injection vulnerability exists in itsourcecode Online House Rental System version 1.0. The vulnerability is located in the /manage_payment.php file, specifically in how it processes the ID parameter. An attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing unauthorized access to sensitive payment and rental data. The vulnerability requires no authentication, can be exploited over the network, and exploit code is publicly available.
- CVE-2026-10260HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its admin job deletion function. An attacker can manipulate the ID parameter in the /admin/jobs-admins/delete-jobs.php file to inject malicious SQL commands, potentially compromising the database. The vulnerability requires no authentication and can be exploited over the network. Proof-of-concept code has been released publicly, increasing the likelihood of active exploitation.
- CVE-2026-10261HIGH 7.3
CodeAstro Online Job Portal version 1.0 contains a SQL injection vulnerability in its application status checking functionality. An attacker can manipulate the ID parameter in the /users/application_status.php file to inject malicious SQL commands, potentially gaining unauthorized access to the database. The vulnerability can be exploited remotely without authentication, making it accessible to anyone on the internet.
- CVE-2026-10262HIGH 7.3
A SQL injection vulnerability exists in Real State Services version 1.0 that allows an attacker to manipulate the Username parameter in the login form (/loginuser.php) to inject malicious SQL commands. Because no authentication is required and the vulnerability can be triggered over the network, an attacker can exploit this remotely to read, modify, or delete sensitive database information without needing valid credentials. The flaw has been publicly disclosed, increasing the risk of active exploitation.
- CVE-2026-10263HIGH 7.3
A SQL injection vulnerability exists in SourceCodester Computer Repair Shop Management System version 1.0 and earlier. An attacker can manipulate the ID parameter in the product management interface to inject malicious SQL commands, potentially exposing, modifying, or deleting sensitive data. The vulnerability requires no authentication and can be exploited remotely by anyone with network access to the application.
- CVE-2026-10290HIGH 7.3
A SQL injection vulnerability exists in the Hotel and Tourism Reservation System version 1.0, specifically in the tour.php file's GET parameter handler. An attacker can manipulate the 'tour' parameter to inject arbitrary SQL commands, potentially compromising the confidentiality, integrity, and availability of the database. Because the vulnerability is remotely exploitable without authentication, and public exploits are available, organizations running this software face immediate risk.
- CVE-2026-10606HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its feedback handling system. An attacker can manipulate user input passed to the TrimMsg function in the feedback component to inject malicious SQL commands. Since no authentication is required and the attack can be performed over the network, this vulnerability poses a significant risk to any organization running the affected version. The vulnerability has already been disclosed publicly, increasing the likelihood of active exploitation.
- CVE-2026-10607HIGH 7.3
DedeCMS 5.7.88 contains a SQL injection vulnerability in its friend links management function. An attacker can manipulate the 'msg' parameter in /plus/flink.php to inject malicious SQL commands, allowing unauthorized database access, modification, or deletion. No authentication is required, and the vulnerability can be exploited over the network. Public exploit code exists, elevating the practical risk.
- CVE-2026-10608HIGH 7.3
DedeCMS version 5.7.88 contains a SQL injection vulnerability in its RemoveXSS function within the /plus/carbuyaction.php file. An attacker can inject malicious SQL commands through the postname or des parameters without authentication, potentially compromising data confidentiality, integrity, and availability. The vulnerability is remotely exploitable and proof-of-concept code has been publicly released.
- CVE-2026-10620HIGH 7.3
A SQL injection vulnerability exists in code-projects Student Admission System version 1.0. The flaw resides in the /index.php file and can be exploited by manipulating the eid or did parameters. An attacker can inject malicious SQL commands without authentication, potentially reading or modifying sensitive student and admission data. Public exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10704HIGH 7.3
SourceCodester's Pizzafy E-Commerce System version 1.0 contains a SQL injection vulnerability in the administrative login function. An attacker can manipulate the username field during authentication to inject malicious SQL commands, potentially gaining unauthorized database access without needing credentials or user interaction. The vulnerability is network-accessible and exploits are now publicly available.
- CVE-2026-10060MEDIUM 6.3
TRENDnet's TEW-432BRP wireless router (firmware version 3.10B20) contains a command injection vulnerability in its route configuration interface. An authenticated attacker can manipulate IP, mask, or gateway parameters to inject arbitrary commands on the device. The vulnerability requires valid credentials but poses a direct threat to affected networks. Critically, this product reached end-of-life in 2009—over 15 years ago—and the vendor has stated it cannot replicate or fix vulnerabilities in legacy hardware.
- CVE-2026-10061MEDIUM 6.3
A command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20), discovered in the WPS configuration function. An authenticated attacker can manipulate the peerPin parameter to execute arbitrary commands on the device. The vulnerability is network-accessible and requires valid login credentials. Notably, this router reached end-of-life in 2009—over 15 years ago—and TRENDnet has stated they cannot replicate or provide fixes for vulnerabilities in this legacy hardware. While exploit code is public, the practical risk is limited to organizations still operating this obsolete equipment in production environments.
- CVE-2026-10127MEDIUM 6.3
A command injection vulnerability exists in Edimax BR-6478AC wireless routers running firmware version 1.23. An authenticated attacker can send a specially crafted web request to the device's configuration interface that tricks it into executing arbitrary system commands. The vulnerability stems from improper validation of the 'rootAPmac' parameter in the device's wireless driver setup function. Because proof-of-concept code has been publicly released, there is a meaningful risk that attackers will attempt to exploit this flaw in active environments.
- CVE-2026-10166MEDIUM 6.3
A command injection vulnerability exists in Edimax BR-6478AC version 1.23 that allows an authenticated attacker to execute arbitrary commands on the device. The flaw is in the web interface's wireless settings handler, where the rootAPmac parameter is not properly sanitized before being used in system commands. An attacker with valid login credentials can manipulate this parameter to inject malicious commands, potentially compromising router configuration, data, or availability. Public exploit details are available, increasing real-world risk.
- CVE-2026-10170MEDIUM 6.3
A SQL injection vulnerability exists in code-projects Visitor Management System version 1.0. An authenticated attacker can manipulate the 'phone' parameter in the /vms/php/phone_0.php file to inject malicious SQL commands. This allows the attacker to read, modify, or delete database contents without special privileges. The vulnerability requires valid login credentials to exploit and has a published proof-of-concept.
- CVE-2026-10175MEDIUM 6.3
A code injection vulnerability exists in Aider-AI Aider version 0.86.3 within the Architect Mode feature. An authenticated user can manipulate the editor_coder.run function in auth.py to inject and execute arbitrary code on the system. The flaw requires valid credentials to exploit but no additional user interaction, making it a direct threat to organizations using this development assistance tool. Public exploit code is already available.
- CVE-2026-10176MEDIUM 6.3
Aider-AI's Aider version 0.86.3 contains a SQL injection vulnerability in its code generation workflow that can be exploited by authenticated users to manipulate database queries. While the vulnerability requires login credentials to trigger, an attacker with access can extract, modify, or delete sensitive data. Public exploit information is available, increasing the near-term risk of active exploitation.
- CVE-2026-10180MEDIUM 6.3
A command injection vulnerability exists in the TRENDnet TEW-432BRP router (firmware version 3.10B20) that allows authenticated users to execute arbitrary system commands through the formSysCmd web interface parameter. The vulnerability is in the /goform/formSysCmd endpoint and can be exploited remotely by anyone with network access and valid credentials. TRENDnet has not patched this issue because the router reached end-of-life in 2009 and is no longer supported.
- CVE-2026-10182MEDIUM 6.3
A remote command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. An authenticated attacker can exploit the WLAN setup function by manipulating the 'enrollee' parameter to execute arbitrary commands on the device. The vulnerability has been publicly disclosed. However, this router reached end-of-life in 2009—over 15 years ago—and the vendor has stated they cannot replicate or fix vulnerabilities in products no longer supported. Organizations still operating this hardware face unpatched exposure.
- CVE-2026-10193MEDIUM 6.3
OFCMS versions up to 1.1.3 contain a SQL injection vulnerability in the ComnController component. An authenticated attacker can manipulate the 'system.user.query' parameter to inject malicious SQL commands, potentially accessing, modifying, or deleting database records. The vulnerability has been publicly disclosed and exploit code is available, making active exploitation a realistic threat.
- CVE-2026-10202MEDIUM 6.3
A SQL injection vulnerability exists in OFCMS version 1.1.3 affecting the JSON Query Interface within the SystemDictController component. An authenticated attacker can send specially crafted queries to manipulate SQL commands executed by the application, potentially reading, modifying, or deleting database records. The vulnerability requires valid user credentials but can be exploited over the network without user interaction. Exploit code is publicly available, increasing the risk of active exploitation.
- CVE-2026-10203MEDIUM 6.3
A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of the SystemParamController component. The flaw allows authenticated attackers to inject malicious SQL commands through the JSON Query Interface, potentially compromising database integrity and confidentiality. Public exploit code is available, increasing active exploitation risk.
- CVE-2026-10204MEDIUM 6.3
A SQL injection vulnerability has been discovered in OFCMS version 1.1.3, specifically in the JSON Query Interface of the user management controller. An authenticated attacker can submit specially crafted queries to execute arbitrary SQL commands against the application's database. This could allow them to read, modify, or delete sensitive data. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, but exploit code has been publicly released, increasing the practical risk of attacks.
- CVE-2026-10209MEDIUM 6.3
A SQL injection vulnerability exists in the Online Hospital Management System version 1.0, specifically in the appointment booking functionality. An authenticated attacker can manipulate the 'editid' parameter in the appointmentdetail.php file to inject malicious SQL commands. This allows an attacker with valid credentials to read, modify, or delete sensitive appointment and patient data without additional authorization. Since the exploit has been publicly disclosed, the risk of active exploitation is elevated.
- CVE-2026-10210MEDIUM 6.3
AstrBot version 4.23.6 contains a vulnerability in its skill management system that allows authenticated users to inject malicious code through the prompt description field. An attacker with login credentials can manipulate how skill prompts are processed, potentially leading to unauthorized data access, system modification, or service disruption. The vulnerability has been publicly disclosed, and exploit code is available, though the vendor has not engaged with disclosure efforts.
- CVE-2026-10223MEDIUM 6.3
NousResearch's hermes-agent software contains an injection vulnerability in its memory scanning tool that allows authenticated users to inject malicious input. An attacker with valid credentials can exploit this flaw remotely to manipulate the application's memory handling logic. The vulnerability affects all versions up to 2026.4.30, and exploit code has already been publicly disclosed, raising the practical risk despite a moderate CVSS score.
- CVE-2026-10235MEDIUM 6.3
CodeAstro Ingredients Stock Management System version 1.0 contains a SQL injection vulnerability in its stock manager component. An authenticated attacker can manipulate the txt_search_category parameter in the /Ingredients-Stock/stock_manager.php file to execute arbitrary SQL queries. This allows unauthorized data access, modification, or deletion within the application's database. The vulnerability requires valid login credentials but can be exploited over the network without user interaction.
- CVE-2026-10242MEDIUM 6.3
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in the /instructions.php file. An attacker with user-level access can manipulate the topic_id parameter to execute unauthorized database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is remotely exploitable and public exploit code is available.
- CVE-2026-10256MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 affecting the comment-saving functionality. An authenticated attacker can manipulate the Name parameter in /save_comment.php to execute arbitrary SQL queries, potentially reading, modifying, or deleting database contents. The vulnerability requires valid user credentials but does not require user interaction to exploit. Public exploit code is available, elevating the practical risk despite the MEDIUM CVSS score.
- CVE-2026-10257MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0, specifically in the admin update functionality. An authenticated user can inject malicious SQL commands through the topic_id parameter when uploading images, potentially reading, modifying, or deleting database contents. Public exploit code is available, increasing near-term risk.
- CVE-2026-10258MEDIUM 6.3
itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the topic_id parameter in the /admin/add_sub_topic.php file to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.
- CVE-2026-10265MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 that allows authenticated users to manipulate the topic_id parameter in the /admin/edit_topic.php file to execute arbitrary SQL queries. An attacker with valid admin credentials can exploit this to read, modify, or delete database records. Public exploits are available, elevating operational risk.
- CVE-2026-10286MEDIUM 6.3
CodeAstro Payroll System version 1.0 contains a SQL injection vulnerability in its employee home page functionality. An authenticated attacker can inject malicious SQL commands through the emp_id parameter, allowing them to read, modify, or delete database records. This vulnerability requires valid login credentials and is reachable over the network. Public exploit information is available, increasing the immediate risk of exploitation.
- CVE-2026-10296MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the Username parameter in the /ajax.php endpoint to execute arbitrary SQL queries. An attacker with valid login credentials can exploit this flaw to read, modify, or delete database contents. The vulnerability requires authentication but is otherwise straightforward to exploit and has been publicly disclosed.
- CVE-2026-10297MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the course management functionality. An authenticated attacker can manipulate the ID parameter in the /manage_course.php endpoint to execute arbitrary SQL queries against the underlying database. The vulnerability requires valid login credentials but can be exploited over the network without additional interaction. Exploit code is publicly available, elevating the practical risk.
- CVE-2026-10302MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the /manage_fee.php file. An authenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid user credentials to exploit but can be triggered remotely over the network.
- CVE-2026-10550MEDIUM 6.3
A command injection vulnerability exists in elunez eladmin versions up to 2.7 within the Application Deployment Module. An authenticated user can manipulate the uploadPath argument to inject arbitrary commands, leading to remote code execution on the affected system. The vulnerability requires valid credentials to exploit but does not need user interaction once authenticated. Public exploit code is available, increasing the risk of active exploitation.
- CVE-2026-10568MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_payment.php file to execute arbitrary SQL queries against the backend database. This vulnerability requires valid login credentials to exploit, but can lead to unauthorized data access, modification, or deletion. Public exploit code is available, increasing the practical risk of exploitation.
- CVE-2026-10808MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the ID parameter in the /manage_student.php file, potentially enabling unauthorized data access, modification, or deletion. The vulnerability requires valid login credentials but can be exploited remotely over the network. Public exploit code is available, elevating the risk of active attack.
- CVE-2026-10809MEDIUM 6.3
CVE-2026-10809 is a SQL injection vulnerability in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_user.php file to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The flaw requires valid login credentials but can be exploited over the network without user interaction. Public exploit code is available, elevating the practical risk despite the medium CVSS score.
- CVE-2026-10811MEDIUM 6.3
A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. The flaw resides in the /receipt.php file, specifically in how the application processes the ef_id parameter. An authenticated attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing them to read, modify, or delete database records. Public disclosure of this vulnerability means exploitation techniques are already available, elevating the practical risk.
- CVE-2026-10874MEDIUM 6.3
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 affecting the admin dashboard. An authenticated attacker can manipulate the 'social_insta' parameter in the /admin/adminHome.php file to inject malicious SQL commands. This allows unauthorized access to sensitive database information, modification of data, or potential system disruption. The vulnerability requires valid login credentials but has no other technical barriers to exploitation.
- CVE-2026-10875MEDIUM 6.3
A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 that allows authenticated users to inject malicious SQL commands through the social_twitter parameter in the admin panel. An attacker with login credentials can exploit this flaw to read, modify, or delete database records. Public exploit code has been released, increasing the risk of active exploitation.
- CVE-2026-10222MEDIUM 5.6
A vulnerability exists in NousResearch's hermes-agent software that allows attackers to inject malicious code through improper sanitization of environment variables. The flaw resides in the configuration parsing logic and can be exploited remotely, though successful exploitation requires substantial technical knowledge and effort. While a public exploit exists, the attack surface is limited by high complexity requirements. This is a medium-severity issue affecting versions up to 2026.4.30.
- CVE-2026-10688MEDIUM 5.5
A code injection vulnerability exists in ahujasid blender-mcp, a tool used for integrating Blender with model context protocol systems. An authenticated attacker can inject and execute arbitrary code by manipulating the 'code' parameter passed to the execute_blender_code function in the server. The vulnerability has been publicly disclosed and exploit code is available. The project uses rolling releases, making it difficult to identify fixed versions; however, the maintainers have been notified but have not yet responded with a patch or mitigation guidance.
- CVE-2026-10155MEDIUM 4.7
A SQL injection vulnerability exists in Bdtask Multi-Store Inventory Management System version 1.0 within the Accounts Report Handler. An authenticated attacker can manipulate the 'dtpToDate' parameter in the accounts report search function to inject malicious SQL commands. While the vulnerability requires high privileges to exploit, successful attacks could leak sensitive financial data, modify account records, or disrupt reporting functionality. Public exploit code is available, increasing real-world risk.
- CVE-2026-10171MEDIUM 4.7
A SQL injection vulnerability exists in code-projects Online Music Site version 1.0 that allows authenticated administrators to manipulate the ID parameter in the album update functionality. An attacker with admin credentials can inject malicious SQL commands through the /Administrator/PHP/AdminUpdateAlbum.php endpoint, potentially compromising database integrity and confidentiality. The vulnerability has been publicly disclosed and exploit code is available, increasing the likelihood of active exploitation.
- CVE-2026-10237MEDIUM 4.7
A SQL injection vulnerability was identified in SourceCodester Water Billing Management System version 1.0. An authenticated administrator can manipulate the ID parameter in the user management interface to inject malicious SQL commands, potentially reading or modifying sensitive database records. The vulnerability requires administrative privileges to exploit but poses a risk to data integrity and confidentiality within billing systems. Public proof-of-concept code exists, elevating the practical risk of exploitation.
- CVE-2026-10248MEDIUM 4.7
SourceCodester's Pharmacy Sales and Inventory System version 1.0 and earlier contains a CSV injection vulnerability in its supplier creation interface. An authenticated attacker with high privileges can inject malicious CSV formulas through the Address or Company Name fields when exporting supplier data, potentially causing data corruption, formula execution, or information disclosure when a user opens the exported file in a spreadsheet application.
- CVE-2026-10661MEDIUM 4.3
A vulnerability in the blender-mcp project allows an authenticated attacker to inject malicious input through the input_image_url parameter in the Open function of src/blender_mcp/server.py. Because authentication is required and the vulnerability only exposes limited information (not enabling code execution or system availability impact), the overall risk is moderate. However, the public disclosure means exploitation techniques are now accessible to threat actors.