By severity

Medium-severity vulnerabilities

CVEs rated Medium by CVSS, with SEC.co remediation and prioritization guidance.

422 published vulnerabilities · page 2 of 5

  • CVE-2025-59610MEDIUM 6.4

    A memory corruption vulnerability affects numerous Qualcomm chipsets and platforms when processing IOCTL (input/output control) requests that contain mismatched API versions. The flaw stems from concurrent modification of user-space buffers during processing, allowing a privileged local attacker to corrupt kernel memory and potentially gain elevated code execution. The vulnerability requires high privilege access and specific conditions to trigger, limiting opportunistic exploitation but posing significant risk in compromised or malicious insider scenarios.

  • CVE-2026-20454MEDIUM 6.4

    CVE-2026-20454 is a privilege escalation vulnerability in MediaTek's geniezone component affecting multiple system-on-chip (SoC) models. An attacker who already holds System privilege can exploit a race condition in memory handling to read or modify sensitive data and potentially gain higher-level control. No user interaction or network access is required—exploitation occurs locally once System privilege is obtained.

  • CVE-2026-2382MEDIUM 6.4

    The FPW Category Thumbnails WordPress plugin contains a stored cross-site scripting (XSS) vulnerability in versions up to 1.9.5. Any user with Subscriber-level access or higher can inject malicious JavaScript through the 'id' parameter in an AJAX function. This script persists in the plugin's settings and executes whenever an administrator views that page, potentially compromising administrator accounts. The vulnerability stems from the plugin failing to properly clean and escape user input before storing and displaying it.

  • CVE-2026-25600MEDIUM 6.4

    PDBM application contains a critical cryptographic weakness: a single hard-coded encryption secret embedded in the executable file that is identical across all installations. This secret is used to encrypt and decrypt user credentials stored in the application's configuration files. An attacker with local system access can extract this secret from the PDBM.exe binary, then use it to decrypt stored administrative credentials. Because the default configuration assigns these credentials administrative privileges within PDBM, successful exploitation grants attackers complete control over the application's management functions and operational capabilities.

  • CVE-2026-34993MEDIUM 6.4

    AIOHTTP, a popular Python library for building asynchronous web applications, contains a vulnerability in its cookie handling mechanism. When the `CookieJar.load()` function processes untrusted cookie files, attackers can craft malicious files that execute arbitrary code on the affected system. However, the vulnerability requires specific conditions: an application must explicitly load cookies from attacker-controlled files, which is uncommon in typical deployments where cookie data comes from trusted sources or user profiles.

  • CVE-2026-36612MEDIUM 6.4

    The Mercusys AC12G (EU) router with firmware version AC12G(EU)_V1_200909 ships with Wi-Fi Protected Setup (WPS) enabled by default. WPS is a feature designed to simplify device pairing, but this implementation has a critical weakness: after just 10 failed PIN guesses, the device locks out for only 60 seconds. This short lockout window makes brute-force attacks against the WPS PIN feasible within a reasonable timeframe, potentially allowing an attacker within wireless range to gain administrative access to the router.

  • CVE-2026-3722MEDIUM 6.4

    A WordPress plugin called 'Auto Image Attributes From Filename With Bulk Updater' fails to properly clean and display user-supplied data in image metadata fields. This allows authenticated users with Author-level permissions or higher to embed malicious code into image properties. When site visitors view pages containing the injected image, that code runs in their browsers—potentially stealing session cookies, performing actions on their behalf, or redirecting them to malicious sites. The vulnerability affects all versions up to and including 4.9.

  • CVE-2026-4080MEDIUM 6.4

    The Easy Cart plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability in its 'add_to_cart' shortcode. Attackers with Contributor-level access or above can inject malicious scripts into shortcode parameters that will execute for any user viewing the affected page. The vulnerability stems from incomplete sanitization—while HTML tags are stripped, quotation marks are not escaped, allowing attackers to break out of HTML attribute context and inject event handlers like onclick or onerror. All versions through 1.8 are affected.

  • CVE-2026-4081MEDIUM 6.4

    The ZeM STL plugin for WordPress contains a vulnerability that allows authenticated users with Contributor-level permissions or higher to inject malicious scripts into website pages. When someone visits a page containing the injected script, their browser executes the attacker's code. This happens because the plugin doesn't properly clean or escape user input when processing shortcode parameters like 'url', 'color', and 'bgcolor'. All versions up to 1.0 are affected.

  • CVE-2026-4334MEDIUM 6.4

    The Shariff Wrapper plugin for WordPress contains a stored cross-site scripting (XSS) vulnerability affecting versions up to 4.6.20. Attackers with Contributor-level access or higher can inject malicious scripts through the 'headline' parameter in the [shariff] shortcode. When other users view the affected page, the injected code executes in their browsers, potentially enabling session hijacking, credential theft, or further compromise. The vulnerability stems from the plugin's use of a permissive HTML sanitization routine followed by unsafe string replacement operations that reintroduce dangerous content after the sanitization check.

  • CVE-2026-44462MEDIUM 6.4

    Zed is a popular code editor that includes a terminal tool with permission controls meant to restrict which commands can be executed. Prior to version 0.229.0, an attacker could bypass these restrictions by chaining bash variable expansion syntax—specifically the ${var@P} expansion—to execute arbitrary commands even when they appeared to violate the allowed command prefix rules. This requires user interaction (opening a malicious project or terminal configuration) but grants the attacker code execution within the editor's process context.

  • CVE-2025-65640MEDIUM 6.3

    Arket Globe Document Intelligence version 5.0.0.559 contains a reflected cross-site scripting (XSS) vulnerability in the "Task in Progress / Recent" page. An authenticated attacker can inject malicious JavaScript into document creation fields that will execute in the browsers of other users viewing that page, potentially allowing session hijacking, credential theft, or other malicious actions performed on behalf of those users.

  • CVE-2026-10060MEDIUM 6.3

    TRENDnet's TEW-432BRP wireless router (firmware version 3.10B20) contains a command injection vulnerability in its route configuration interface. An authenticated attacker can manipulate IP, mask, or gateway parameters to inject arbitrary commands on the device. The vulnerability requires valid credentials but poses a direct threat to affected networks. Critically, this product reached end-of-life in 2009—over 15 years ago—and the vendor has stated it cannot replicate or fix vulnerabilities in legacy hardware.

  • CVE-2026-10061MEDIUM 6.3

    A command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router (firmware version 3.10B20), discovered in the WPS configuration function. An authenticated attacker can manipulate the peerPin parameter to execute arbitrary commands on the device. The vulnerability is network-accessible and requires valid login credentials. Notably, this router reached end-of-life in 2009—over 15 years ago—and TRENDnet has stated they cannot replicate or provide fixes for vulnerabilities in this legacy hardware. While exploit code is public, the practical risk is limited to organizations still operating this obsolete equipment in production environments.

  • CVE-2026-10064MEDIUM 6.3

    TRENDnet has disclosed a remote stack-based buffer overflow vulnerability in the TEW-432BRP wireless router (firmware version 3.10B20 and earlier). An authenticated attacker can exploit this flaw by sending a specially crafted request to the port forwarding configuration endpoint, potentially allowing code execution or denial of service. The vendor has confirmed this product reached end-of-life in 2009 and will not issue patches. Public exploit code is available, elevating the practical risk despite the device's age.

  • CVE-2026-10101MEDIUM 6.3

    ACM/MCE (Advanced Cluster Management / Multicluster Engine) inadvertently exposes container registry credentials in InfraEnv status messages when pull-secret validation fails. A user with read-only namespace access can view InfraEnv objects and extract the full `.dockerconfigjson` payload—including usernames, passwords, and base64-encoded authentication tokens—despite having no direct permission to read Secrets. This circumvents Kubernetes RBAC controls designed to keep registry credentials confidential.

  • CVE-2026-10127MEDIUM 6.3

    A command injection vulnerability exists in Edimax BR-6478AC wireless routers running firmware version 1.23. An authenticated attacker can send a specially crafted web request to the device's configuration interface that tricks it into executing arbitrary system commands. The vulnerability stems from improper validation of the 'rootAPmac' parameter in the device's wireless driver setup function. Because proof-of-concept code has been publicly released, there is a meaningful risk that attackers will attempt to exploit this flaw in active environments.

  • CVE-2026-10152MEDIUM 6.3

    A flaw in TaleLin's lin-cms-spring-boot framework (version 0.2.1 and earlier) allows authenticated users to bypass access controls on the book endpoint. An attacker with valid login credentials can manipulate requests to perform actions they should not be permitted to execute, such as viewing, modifying, or deleting book records without proper authorization checks. Proof-of-concept code is publicly available, increasing the risk of active exploitation.

  • CVE-2026-10166MEDIUM 6.3

    A command injection vulnerability exists in Edimax BR-6478AC version 1.23 that allows an authenticated attacker to execute arbitrary commands on the device. The flaw is in the web interface's wireless settings handler, where the rootAPmac parameter is not properly sanitized before being used in system commands. An attacker with valid login credentials can manipulate this parameter to inject malicious commands, potentially compromising router configuration, data, or availability. Public exploit details are available, increasing real-world risk.

  • CVE-2026-10168MEDIUM 6.3

    A vulnerability in OUSL-GROUP-BrinaryBrains School Student Management System allows authenticated users to manipulate resource identifiers through the marks function in the Parents.php controller, potentially exposing or modifying student data. An attacker with login credentials can exploit this remotely by injecting malicious parameters, affecting the confidentiality and integrity of educational records. Public disclosure has occurred, increasing real-world exploitation risk.

  • CVE-2026-10170MEDIUM 6.3

    A SQL injection vulnerability exists in code-projects Visitor Management System version 1.0. An authenticated attacker can manipulate the 'phone' parameter in the /vms/php/phone_0.php file to inject malicious SQL commands. This allows the attacker to read, modify, or delete database contents without special privileges. The vulnerability requires valid login credentials to exploit and has a published proof-of-concept.

  • CVE-2026-10172MEDIUM 6.3

    Bdtask Multi-Store Inventory Management System version 1.0 contains a file upload vulnerability that allows authenticated users to upload arbitrary files to the server without validation. An attacker with valid login credentials can exploit this flaw to upload malicious files, potentially leading to remote code execution or other attacks. Public exploit code is available, increasing the risk of widespread exploitation.

  • CVE-2026-10174MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a flaw in how it processes pre-commit hook arguments. An attacker with valid credentials can manipulate the git-commit-verify argument to bypass security protections that normally prevent unauthorized code commits. The vulnerability requires network access and prior authentication, making it a concern primarily for development teams using Aider in shared or untrusted environments. Public exploit code exists, increasing the practical risk.

  • CVE-2026-10175MEDIUM 6.3

    A code injection vulnerability exists in Aider-AI Aider version 0.86.3 within the Architect Mode feature. An authenticated user can manipulate the editor_coder.run function in auth.py to inject and execute arbitrary code on the system. The flaw requires valid credentials to exploit but no additional user interaction, making it a direct threat to organizations using this development assistance tool. Public exploit code is already available.

  • CVE-2026-10176MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a SQL injection vulnerability in its code generation workflow that can be exploited by authenticated users to manipulate database queries. While the vulnerability requires login credentials to trigger, an attacker with access can extract, modify, or delete sensitive data. Public exploit information is available, increasing the near-term risk of active exploitation.

  • CVE-2026-10177MEDIUM 6.3

    Aider-AI's Aider version 0.86.3 contains a server-side request forgery (SSRF) vulnerability in its AWS EC2 metadata endpoint handling. An authenticated attacker can exploit the requests.get function in api_docs.py to make the application fetch resources from arbitrary locations, potentially accessing sensitive internal services or metadata. The vulnerability is remotely exploitable and public disclosure has already occurred.

  • CVE-2026-10180MEDIUM 6.3

    A command injection vulnerability exists in the TRENDnet TEW-432BRP router (firmware version 3.10B20) that allows authenticated users to execute arbitrary system commands through the formSysCmd web interface parameter. The vulnerability is in the /goform/formSysCmd endpoint and can be exploited remotely by anyone with network access and valid credentials. TRENDnet has not patched this issue because the router reached end-of-life in 2009 and is no longer supported.

  • CVE-2026-10182MEDIUM 6.3

    A remote command injection vulnerability exists in the TRENDnet TEW-432BRP wireless router running firmware version 3.10B20. An authenticated attacker can exploit the WLAN setup function by manipulating the 'enrollee' parameter to execute arbitrary commands on the device. The vulnerability has been publicly disclosed. However, this router reached end-of-life in 2009—over 15 years ago—and the vendor has stated they cannot replicate or fix vulnerabilities in products no longer supported. Organizations still operating this hardware face unpatched exposure.

  • CVE-2026-10193MEDIUM 6.3

    OFCMS versions up to 1.1.3 contain a SQL injection vulnerability in the ComnController component. An authenticated attacker can manipulate the 'system.user.query' parameter to inject malicious SQL commands, potentially accessing, modifying, or deleting database records. The vulnerability has been publicly disclosed and exploit code is available, making active exploitation a realistic threat.

  • CVE-2026-10194MEDIUM 6.3

    A heap-based buffer overflow exists in OFFIS DCMTK 3.7.0 within the query/retrieve service component (dcmqrscp). An authenticated attacker can trigger this flaw remotely by sending specially crafted requests to the image deletion function, potentially causing memory corruption, data loss, or service disruption. The vulnerability requires valid credentials to exploit but poses moderate risk in networked medical imaging environments where DCMTK is deployed.

  • CVE-2026-10202MEDIUM 6.3

    A SQL injection vulnerability exists in OFCMS version 1.1.3 affecting the JSON Query Interface within the SystemDictController component. An authenticated attacker can send specially crafted queries to manipulate SQL commands executed by the application, potentially reading, modifying, or deleting database records. The vulnerability requires valid user credentials but can be exploited over the network without user interaction. Exploit code is publicly available, increasing the risk of active exploitation.

  • CVE-2026-10203MEDIUM 6.3

    A SQL injection vulnerability exists in OFCMS 1.1.3 within the Query function of the SystemParamController component. The flaw allows authenticated attackers to inject malicious SQL commands through the JSON Query Interface, potentially compromising database integrity and confidentiality. Public exploit code is available, increasing active exploitation risk.

  • CVE-2026-10204MEDIUM 6.3

    A SQL injection vulnerability has been discovered in OFCMS version 1.1.3, specifically in the JSON Query Interface of the user management controller. An authenticated attacker can submit specially crafted queries to execute arbitrary SQL commands against the application's database. This could allow them to read, modify, or delete sensitive data. The vulnerability is not currently on the CISA Known Exploited Vulnerabilities (KEV) catalog, but exploit code has been publicly released, increasing the practical risk of attacks.

  • CVE-2026-10205MEDIUM 6.3

    Metasoft MetaCRM version 6.4.0 contains an unrestricted file upload vulnerability in its logo upload functionality. An authenticated attacker can upload arbitrary files to the server, potentially leading to code execution or system compromise. The vulnerability affects a JSP file handling logo uploads and requires valid user credentials to exploit. Public exploit code exists for this issue.

  • CVE-2026-10209MEDIUM 6.3

    A SQL injection vulnerability exists in the Online Hospital Management System version 1.0, specifically in the appointment booking functionality. An authenticated attacker can manipulate the 'editid' parameter in the appointmentdetail.php file to inject malicious SQL commands. This allows an attacker with valid credentials to read, modify, or delete sensitive appointment and patient data without additional authorization. Since the exploit has been publicly disclosed, the risk of active exploitation is elevated.

  • CVE-2026-10210MEDIUM 6.3

    AstrBot version 4.23.6 contains a vulnerability in its skill management system that allows authenticated users to inject malicious code through the prompt description field. An attacker with login credentials can manipulate how skill prompts are processed, potentially leading to unauthorized data access, system modification, or service disruption. The vulnerability has been publicly disclosed, and exploit code is available, though the vendor has not engaged with disclosure efforts.

  • CVE-2026-10211MEDIUM 6.3

    AstrBot version 4.23.6 contains a flaw in how it validates file system paths, allowing authenticated users to bypass access restrictions and read, modify, or delete files they shouldn't be able to access. An attacker with valid credentials can exploit this remotely without user interaction. The vulnerability has already been disclosed publicly, and exploit code may be available.

  • CVE-2026-10212MEDIUM 6.3

    A flaw in AstrBot version 4.24.2 allows an authenticated attacker to manipulate the session_id parameter in the astr_main_agent function, bypassing authorization checks. This means a logged-in user could potentially access or modify resources belonging to other users or perform actions they should not be permitted to perform. The vulnerability is remotely exploitable and public exploits are available.

  • CVE-2026-10217MEDIUM 6.3

    A privilege management flaw exists in nextlevelbuilder GoClaw versions up to 3.11.3 that allows authenticated users to escalate their access or perform unauthorized actions. The vulnerability affects the RoleAdmin Gateway component, specifically in how it handles configuration saves. An attacker with valid credentials can exploit this remotely to gain elevated permissions or manipulate role-based access controls, potentially affecting data confidentiality, integrity, and availability.

  • CVE-2026-10223MEDIUM 6.3

    NousResearch's hermes-agent software contains an injection vulnerability in its memory scanning tool that allows authenticated users to inject malicious input. An attacker with valid credentials can exploit this flaw remotely to manipulate the application's memory handling logic. The vulnerability affects all versions up to 2026.4.30, and exploit code has already been publicly disclosed, raising the practical risk despite a moderate CVSS score.

  • CVE-2026-10235MEDIUM 6.3

    CodeAstro Ingredients Stock Management System version 1.0 contains a SQL injection vulnerability in its stock manager component. An authenticated attacker can manipulate the txt_search_category parameter in the /Ingredients-Stock/stock_manager.php file to execute arbitrary SQL queries. This allows unauthorized data access, modification, or deletion within the application's database. The vulnerability requires valid login credentials but can be exploited over the network without user interaction.

  • CVE-2026-10239MEDIUM 6.3

    JeecgBoot, an open-source low-code application development platform, contains a server-side request forgery (SSRF) vulnerability in its word document editing module. Specifically, the `WordUtil.addImage` function in the `/airag/word/edit` endpoint fails to properly validate image URLs, allowing an authenticated attacker to manipulate the application into making arbitrary HTTP requests on behalf of the server. This could expose internal resources, bypass firewalls, or facilitate lateral movement within a network. The vulnerability affects JeecgBoot versions up to and including 3.9.2 and has been publicly disclosed.

  • CVE-2026-10240MEDIUM 6.3

    JeecgBoot versions up to 3.9.2 contain a server-side request forgery (SSRF) vulnerability in the /airag/airagModel/test endpoint. An authenticated attacker can manipulate the baseUrl parameter to make the server perform unintended HTTP requests to internal or external systems. The vulnerability requires login credentials but does not require user interaction, and can be exploited over the network. A fix is planned for an upcoming release.

  • CVE-2026-10241MEDIUM 6.3

    JimuReport (jeecgboot) versions up to 3.9.1 contain a server-side request forgery (SSRF) vulnerability in a file download function exposed via a debug endpoint. An authenticated attacker can manipulate the application into making arbitrary network requests on behalf of the server, potentially accessing internal resources, cloud metadata, or other services not directly exposed to the internet. The vulnerability is reachable over the network and exploit code is publicly available.

  • CVE-2026-10242MEDIUM 6.3

    itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in the /instructions.php file. An attacker with user-level access can manipulate the topic_id parameter to execute unauthorized database queries, potentially reading, modifying, or deleting sensitive data. The vulnerability is remotely exploitable and public exploit code is available.

  • CVE-2026-10256MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 affecting the comment-saving functionality. An authenticated attacker can manipulate the Name parameter in /save_comment.php to execute arbitrary SQL queries, potentially reading, modifying, or deleting database contents. The vulnerability requires valid user credentials but does not require user interaction to exploit. Public exploit code is available, elevating the practical risk despite the MEDIUM CVSS score.

  • CVE-2026-10257MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0, specifically in the admin update functionality. An authenticated user can inject malicious SQL commands through the topic_id parameter when uploading images, potentially reading, modifying, or deleting database contents. Public exploit code is available, increasing near-term risk.

  • CVE-2026-10258MEDIUM 6.3

    itsourcecode Content Management System version 1.0 contains a SQL injection vulnerability in its administrative interface. An authenticated attacker can manipulate the topic_id parameter in the /admin/add_sub_topic.php file to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid login credentials but can be exploited over the network without additional user interaction.

  • CVE-2026-10265MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Content Management System version 1.0 that allows authenticated users to manipulate the topic_id parameter in the /admin/edit_topic.php file to execute arbitrary SQL queries. An attacker with valid admin credentials can exploit this to read, modify, or delete database records. Public exploits are available, elevating operational risk.

  • CVE-2026-10269MEDIUM 6.3

    A vulnerability in decolua 9router allows an authenticated user to bypass authorization controls by manipulating the Host HTTP header. The flaw exists in the authentication logic of the dashboard guard component and can be exploited remotely by someone with valid login credentials. Affected versions up to 0.4.0 should be updated immediately to 0.4.1.

  • CVE-2026-10271MEDIUM 6.3

    A flaw in a4m4 Student-Management-System allows an attacker to manipulate a parameter in the admin endpoint, causing the application to execute code after a redirect. The vulnerability requires user interaction but can be triggered remotely. An exploit has already been published publicly, increasing risk. The vendor uses rolling releases without traditional version numbers, making tracking more difficult for defenders.

  • CVE-2026-10274MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in the aem-mcp-server project maintained by indrasishbanerjee. The flaw is in the getAssetMetadata function, which processes an assetPath parameter without proper validation. An authenticated attacker can manipulate this parameter to cause the server to make unintended HTTP requests to internal or external systems, potentially accessing sensitive data or interacting with restricted resources. The vulnerability is publicly known and exploit code may be in circulation.

  • CVE-2026-10276MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in Jenkins-server-mcp version 0.1.0, a Jenkins integration tool. An authenticated attacker can manipulate the jobPath parameter in build status, log retrieval, or build trigger operations to make the server issue malicious requests to internal or external systems. The vulnerability requires valid login credentials but no user interaction, and the exploit code has already been made public.

  • CVE-2026-10277MEDIUM 6.3

    A security flaw exists in the MCP Google Workspace integration's Gmail tool that allows authenticated users to bypass access controls and manipulate file storage operations. An attacker with valid login credentials can remotely exploit this vulnerability to gain unauthorized access to data or perform unintended modifications. The vulnerability affects the component up to commit 831790e7d5c2663325733d9f5579cc339a267c4c, and a patch has been released.

  • CVE-2026-10278MEDIUM 6.3

    A path traversal vulnerability exists in the excel-mcp project (versions up to 1.0.2) that allows authenticated users to access files and directories outside the intended scope by manipulating file path parameters. An attacker with valid credentials can read or write files on the affected system by crafting malicious file path arguments, potentially exposing sensitive data or modifying system files. The vulnerability has been publicly disclosed, increasing the risk of active exploitation.

  • CVE-2026-10279MEDIUM 6.3

    A remote command injection vulnerability exists in wezterm-mcp version 0.1.0, a WezTerm terminal multiplexer control plane component. An authenticated attacker can manipulate the pane_id parameter in requests to the switch_pane/write_to_specific_pane function to inject arbitrary operating system commands. The vulnerability requires valid credentials to exploit but poses a meaningful risk in environments where WezTerm MCP is exposed to untrusted users or networked clients.

  • CVE-2026-10283MEDIUM 6.3

    Bottelet DaybydayCRM contains an authentication bypass vulnerability in its Settings Handler component. An authenticated attacker can manipulate application settings to gain unauthorized access to functionality they should not have, potentially viewing sensitive data, modifying records, or disrupting service availability. The vulnerability affects versions up to 2.2.1 and requires an attacker to already have valid login credentials to exploit it.

  • CVE-2026-10286MEDIUM 6.3

    CodeAstro Payroll System version 1.0 contains a SQL injection vulnerability in its employee home page functionality. An authenticated attacker can inject malicious SQL commands through the emp_id parameter, allowing them to read, modify, or delete database records. This vulnerability requires valid login credentials and is reachable over the network. Public exploit information is available, increasing the immediate risk of exploitation.

  • CVE-2026-10296MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the Username parameter in the /ajax.php endpoint to execute arbitrary SQL queries. An attacker with valid login credentials can exploit this flaw to read, modify, or delete database contents. The vulnerability requires authentication but is otherwise straightforward to exploit and has been publicly disclosed.

  • CVE-2026-10297MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the course management functionality. An authenticated attacker can manipulate the ID parameter in the /manage_course.php endpoint to execute arbitrary SQL queries against the underlying database. The vulnerability requires valid login credentials but can be exploited over the network without additional interaction. Exploit code is publicly available, elevating the practical risk.

  • CVE-2026-10302MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 within the /manage_fee.php file. An authenticated attacker can manipulate the ID parameter to inject malicious SQL commands, potentially allowing unauthorized access to, modification of, or deletion of database records. The vulnerability requires valid user credentials to exploit but can be triggered remotely over the network.

  • CVE-2026-10550MEDIUM 6.3

    A command injection vulnerability exists in elunez eladmin versions up to 2.7 within the Application Deployment Module. An authenticated user can manipulate the uploadPath argument to inject arbitrary commands, leading to remote code execution on the affected system. The vulnerability requires valid credentials to exploit but does not need user interaction once authenticated. Public exploit code is available, increasing the risk of active exploitation.

  • CVE-2026-10558MEDIUM 6.3

    SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its administrative interface. An attacker with valid login credentials can manipulate the 'page' parameter in /admin/index.php to include and execute arbitrary files on the server. This allows an authenticated attacker to read sensitive files, modify system behavior, or potentially execute code. The vulnerability is publicly known and proof-of-concept code is available.

  • CVE-2026-10559MEDIUM 6.3

    SourceCodester Pizzafy Ecommerce System version 1.0 contains a file inclusion vulnerability in its index.php file. An authenticated attacker can manipulate the 'page' parameter to include arbitrary files, potentially exposing sensitive data or executing unintended code. The vulnerability requires valid credentials but can be exploited over the network without user interaction.

  • CVE-2026-10568MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_payment.php file to execute arbitrary SQL queries against the backend database. This vulnerability requires valid login credentials to exploit, but can lead to unauthorized data access, modification, or deletion. Public exploit code is available, increasing the practical risk of exploitation.

  • CVE-2026-10581MEDIUM 6.3

    DedeCMS 5.7.88 contains a server-side request forgery (SSRF) vulnerability in its download functionality. An authenticated attacker can manipulate the Link parameter passed to the base64_decode function in /plus/download.php to cause the server to make unintended requests to internal or external systems. This allows an attacker with login credentials to potentially access restricted resources, exfiltrate data, or pivot to other systems on the network.

  • CVE-2026-10662MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in ahujasid blender-mcp, a tool that handles ZIP file operations. An authenticated attacker can manipulate the ZIP file URL parameter to force the server to make HTTP requests to arbitrary internal or external systems. This could allow an attacker to access sensitive internal services, exfiltrate data, or pivot deeper into a network. The vulnerability affects versions up to commit 7636d13, and a patch is available.

  • CVE-2026-10690MEDIUM 6.3

    A server-side request forgery (SSRF) vulnerability exists in DesktopCommanderMCP version 0.2.37. The flaw allows authenticated attackers to manipulate URL parameters passed to the read_file function, enabling the server to make arbitrary HTTP requests on behalf of the attacker. This could expose internal services, exfiltrate data, or compromise systems that trust the affected server.

  • CVE-2026-10693MEDIUM 6.3

    SourceCodester Online Boat Reservation System version 1.0 contains a flaw in its administrative endpoints that fails to properly verify user permissions. An authenticated attacker can exploit this improper authorization to access or modify administrative functions they shouldn't have access to. The vulnerability requires an existing user account but can be exploited over the network without user interaction. The flaw affects multiple administrative endpoints, and exploit details have been publicly disclosed.

  • CVE-2026-10703MEDIUM 6.3

    A use-after-free memory safety flaw exists in EIPStackGroup OpENer versions up to 2.3.0 within the SendRRData request handler. An authenticated attacker can remotely trigger memory corruption by crafting malicious messages, potentially leading to information disclosure or service disruption. The vulnerability has been publicly disclosed but the vendor has not yet acknowledged or released a patch.

  • CVE-2026-10806MEDIUM 6.3

    CVE-2026-10806 is a medium-severity file upload vulnerability in mjperpinosa stumasy affecting the add_post.php component. An authenticated attacker can manipulate the up_file_to_post parameter to upload files without proper restrictions, potentially allowing arbitrary file placement on the server. The vulnerability requires valid login credentials but can be exploited over the network. Exploit code has been publicly disclosed, increasing practical risk.

  • CVE-2026-10807MEDIUM 6.3

    A file upload vulnerability exists in mjperpinosa stumasy that allows authenticated users to upload files without proper validation. By manipulating the profile image upload parameter in the application's profile management component, an attacker with login credentials can bypass upload restrictions and place arbitrary files on the server. The vulnerability requires authentication but poses meaningful risk to confidentiality, integrity, and availability of the affected system.

  • CVE-2026-10808MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0 that allows authenticated users to manipulate the ID parameter in the /manage_student.php file, potentially enabling unauthorized data access, modification, or deletion. The vulnerability requires valid login credentials but can be exploited remotely over the network. Public exploit code is available, elevating the risk of active attack.

  • CVE-2026-10809MEDIUM 6.3

    CVE-2026-10809 is a SQL injection vulnerability in itsourcecode Fees Management System version 1.0. An authenticated attacker can manipulate the ID parameter in the /manage_user.php file to inject malicious SQL commands, potentially reading, modifying, or deleting database records. The flaw requires valid login credentials but can be exploited over the network without user interaction. Public exploit code is available, elevating the practical risk despite the medium CVSS score.

  • CVE-2026-10811MEDIUM 6.3

    A SQL injection vulnerability exists in itsourcecode Fees Management System version 1.0. The flaw resides in the /receipt.php file, specifically in how the application processes the ef_id parameter. An authenticated attacker can manipulate this parameter to inject malicious SQL commands, potentially allowing them to read, modify, or delete database records. Public disclosure of this vulnerability means exploitation techniques are already available, elevating the practical risk.

  • CVE-2026-10815MEDIUM 6.3

    A missing authorization vulnerability was discovered in the Hostel Management System PHP application, specifically in the Admin Dashboard Page's index.php file. An authenticated attacker can manipulate the ID parameter to bypass authorization checks, potentially gaining unauthorized access to sensitive administrative functions. The vulnerability requires valid login credentials but does not require user interaction once authenticated. Public exploit code is available, increasing the practical risk.

  • CVE-2026-10874MEDIUM 6.3

    A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 affecting the admin dashboard. An authenticated attacker can manipulate the 'social_insta' parameter in the /admin/adminHome.php file to inject malicious SQL commands. This allows unauthorized access to sensitive database information, modification of data, or potential system disruption. The vulnerability requires valid login credentials but has no other technical barriers to exploitation.

  • CVE-2026-10875MEDIUM 6.3

    A SQL injection vulnerability exists in projectworlds Online Art Gallery Shop Project version 1.0 that allows authenticated users to inject malicious SQL commands through the social_twitter parameter in the admin panel. An attacker with login credentials can exploit this flaw to read, modify, or delete database records. Public exploit code has been released, increasing the risk of active exploitation.

  • CVE-2026-21404MEDIUM 6.3

    NAVTOR NavBox versions up to 4.16.1.20 contain hard-coded credentials embedded in its SOAP (Windows Communication Foundation) implementation. When SOAP functionality is enabled, a local user with basic system access can extract these credentials, authenticate to the SOAP interface, and gain unauthorized access to privileged methods that allow arbitrary file write and overwrite operations on the system. This vulnerability requires local access to trigger but bypasses intended security workflows entirely.

  • CVE-2026-25599MEDIUM 6.3

    This vulnerability affects Orca heat pump devices and their control portal. An attacker can intercept unencrypted communications between older Orca heat pumps and the control server, impersonate a legitimate device, and inject malicious code into the web portal. This injected code can steal user session cookies, compromise accounts, expose sensitive information, and grant attackers unauthorized access to the portal. The core issues are the lack of authentication, unencrypted HTTP connections, and missing input validation.

  • CVE-2026-35716MEDIUM 6.3

    A stack-based buffer overflow vulnerability exists in VIVOTEK FD8136 IP cameras that allows an authenticated attacker to run arbitrary code with root privileges. The flaw is in the motion privacy configuration endpoint, which fails to validate the size of user input before copying it into a fixed-size buffer on the stack. Because the camera firmware lacks stack protection mechanisms, an attacker can overwrite return addresses and hijack program execution. An authenticated attacker on the network can exploit this remotely by sending a specially crafted POST request.

  • CVE-2026-35717MEDIUM 6.3

    A stack-based buffer overflow exists in the export_language.cgi binary on VIVOTEK FD8136 IP cameras running firmware FD8136-VVTK-0300a. An authenticated attacker can send a specially crafted POST request to the language export endpoint with a malicious Content-Length value that causes the application to read more data than a 60-byte stack buffer can hold, overwriting critical return address information. This allows the attacker to execute arbitrary code with root privileges on the affected device. The vulnerability requires valid credentials to exploit but succeeds because the binary lacks stack protection mechanisms.

  • CVE-2026-39107MEDIUM 6.3

    Kimi AI v1.0 has a cross-site scripting (XSS) vulnerability in its Preview feature. When the AI generates code and displays it in the Preview tab, the application fails to sanitize the output properly. An attacker can embed malicious JavaScript in AI-generated responses, which then executes in a user's browser with the privileges of that session. This could allow theft of session cookies, unauthorized actions on behalf of the user, or credential harvesting.

  • CVE-2026-42538MEDIUM 6.3

    IRIS is a collaborative platform designed to help incident responders coordinate during security investigations by sharing technical findings. A file validation flaw in versions before 2.4.28 allows authenticated users to upload files without proper checks. This can enable attackers to host malicious content—such as phishing pages—directly within the platform, and also introduces a Cross-Site Scripting (XSS) vulnerability that could compromise other users' sessions or steal credentials when they interact with uploaded files.

  • CVE-2026-44287MEDIUM 6.3

    FastGPT, an AI Agent building platform, contains a sandbox escape vulnerability in versions before 4.15.0-beta1. The issue stems from an incomplete regex filter designed to block dynamic imports in a JavaScript sandbox environment. An attacker with valid platform access can craft a specially formatted import statement using block comments to bypass the filter, gaining the ability to execute arbitrary system commands within the sandbox container. This allows an authenticated user to break out of the intended sandbox isolation and run code with the permissions of the sandbox process.

  • CVE-2018-25423MEDIUM 6.2

    Arm Whois version 3.11 has a buffer overflow flaw that allows local users to crash the application by entering an extremely long string into IP address or domain input fields. An attacker with local access can supply a malicious 700-byte input to trigger a denial of service, making the tool temporarily unavailable but without risking data theft or system compromise.

  • CVE-2026-0046MEDIUM 6.2

    CVE-2026-0046 is a local privilege escalation vulnerability affecting Google Android that exploits a weakness in the InputInterceptor component of Letterbox.java. An attacker can overlay malicious UI elements on top of legitimate permission prompts, tricking users into granting permissions they did not intend to approve. What makes this particularly concerning is that exploitation requires no special system privileges and occurs without user awareness—the victim merely sees what appears to be a normal permission dialog. The result is unauthorized elevation of the attacker's application privileges within the Android system.

  • CVE-2026-0055MEDIUM 6.2

    A path traversal vulnerability in Android's PackageInstallerService allows an attacker to write a Device Policy Controller (DPC) application to an unintended directory. By exploiting this flaw, an unprivileged local process can escalate its privileges without requiring user interaction or additional system permissions. The vulnerability affects multiple Android versions and could allow an attacker with local access to gain elevated capabilities on the device.

  • CVE-2019-25731MEDIUM 6.1

    Zuz Music version 2.1 has a flaw that lets anyone send malicious code through the contact form without needing to log in. When site administrators read these messages, the injected code runs in their browsers, potentially allowing attackers to steal session data, modify settings, or trick them into performing unwanted actions. This is a persistent vulnerability, meaning the malicious payload stays stored on the server and affects every admin who views the inbox.

  • CVE-2019-25737MEDIUM 6.1

    Live Chat Unlimited version 2.8.3 contains a stored cross-site scripting (XSS) vulnerability in its chat input field. An unauthenticated attacker can inject malicious JavaScript code that persists in the system and executes when administrators access the chat interface. This allows attackers to steal admin session cookies, redirect users to phishing sites, or perform unauthorized actions within the admin dashboard without requiring authentication.

  • CVE-2026-10305MEDIUM 6.1

    Samsung's rlottie animation library contains a vulnerability that allows reading data beyond the intended buffer boundaries. When processing specially crafted animation files, the library may access memory it shouldn't, potentially exposing sensitive information or causing the application to crash. The issue stems from insufficient bounds checking during buffer operations. While the vulnerability requires user interaction (opening a malicious animation file) and is limited to local access, the combination of integrity impact and high availability risk warrants prompt attention.

  • CVE-2026-10510MEDIUM 6.1

    A cross-site scripting (XSS) vulnerability exists in the GeniexWebView component of Transsion's AI Assistant Lifestyle application for Android. An attacker can craft a malicious URL containing injected JavaScript code in the web_action_data parameter, which the vulnerable WebView will execute with the same privileges as the application. This allows arbitrary JavaScript execution in the context of the app, potentially compromising user data or enabling phishing attacks. The vulnerability affects all versions of the application currently in distribution.

  • CVE-2026-10856MEDIUM 6.1

    MISP dashboard widgets contain a URL validation flaw that allows attackers to craft malicious buttons appearing to link within the application while actually redirecting users to external sites. The vulnerability stems from incomplete validation that accepts paths like '/\example.com', which browsers may normalize into scheme-relative URLs pointing to attacker-controlled domains. An attacker with dashboard configuration access can embed these crafted buttons to redirect legitimate users, creating phishing and credential-theft opportunities.

  • CVE-2026-10861MEDIUM 6.1

    MISP, a widely-used threat intelligence sharing platform, contains an open redirect vulnerability in its post-login redirect logic. When a user logs in, the application redirects them to a URL stored in the session without properly validating that the destination is actually part of the MISP application. An attacker can craft a malicious link that tricks users into visiting their legitimate MISP instance, then redirects them to an attacker-controlled website after they authenticate. This could be weaponized for phishing by appearing to come from a trusted source or to deliver malware from a domain the victim might not otherwise visit.

  • CVE-2026-10916MEDIUM 6.1

    CVE-2026-10916 is a cross-site scripting vulnerability in Google Chrome's developer tools that allows an attacker to inject malicious scripts or HTML content into a webpage. The attack requires two conditions: first, the attacker must have already compromised Chrome's renderer process (the component that executes web content), and second, the user must be tricked into visiting a specially crafted HTML page. While the initial compromise is a significant prerequisite, once achieved, this vulnerability enables the attacker to execute arbitrary code with the privileges of the browser session, potentially stealing sensitive data or performing actions on behalf of the user.

  • CVE-2026-11034MEDIUM 6.1

    Google Chrome on Android contains a vulnerability in its Tab Group Sync feature that allows attackers to inject malicious scripts or HTML into web pages. An attacker with network access can craft malicious traffic to exploit insufficient input validation, potentially displaying fake content or stealing user information from websites. This affects Chrome versions prior to 149.0.7827.53.

  • CVE-2026-1450MEDIUM 6.1

    The rognone WordPress plugin contains a reflected cross-site scripting (XSS) flaw that allows unauthenticated attackers to inject malicious scripts into web pages. The vulnerability exists in how the plugin handles the 'mode' parameter—it fails to properly sanitize user input and escape output, creating an opening for attackers to craft malicious links. If a user clicks such a link while using a site running the vulnerable plugin, the attacker's script executes in their browser with access to session data and sensitive information.

  • CVE-2026-1451MEDIUM 6.1

    The rognone plugin for WordPress contains a reflected cross-site scripting (XSS) vulnerability that allows attackers to inject malicious JavaScript into pages viewed by unsuspecting users. An attacker could craft a malicious link containing JavaScript in the 'a' parameter and trick a user into clicking it, causing the script to execute in their browser within the context of the WordPress site. This works because the plugin fails to properly sanitize user input or escape output before displaying it. The vulnerability affects versions up to and including 0.6.2.

  • CVE-2026-20175MEDIUM 6.1

    A remote attacker can trick a user into clicking a malicious link that causes their browser to load files from an attacker-controlled location while interacting with Cisco Finesse. Because the application doesn't properly validate where those files come from, an attacker can inject malicious scripts or steal sensitive information visible in the user's active session—all without needing to authenticate first.

  • CVE-2026-20233MEDIUM 6.1

    Cisco Webex Meetings contained a cross-site scripting (XSS) vulnerability in its web interface that could allow an attacker to inject malicious scripts if a user clicked a crafted link. The vulnerability resulted from weak input validation. Cisco has already patched the service, and users do not need to take action—the fix has been deployed automatically.