CVE-2026-41873

UNSUPPORTED WHEN ASSIGNED Inconsistent Interpretation of HTTP Requests 'HTTP Request/Response Smuggling' vulnerability in Pony Mail leading to admin account takeover. This issue affects all versions of the Lua implementation of Pony Mail. There is a Python implementation under development under t...

CVE-2026-5835

A flaw has been found in code-projects Online Shoe Store 1.0. Affected by this vulnerability is an unknown functionality of the file /admin/adminfootball.php. Executing a manipulation of the argument productname can lead to cross site scripting. It is possible to launch the attack remotely. The...

CVE-2026-5834

A vulnerability was detected in code-projects Online Shoe Store 1.0. Affected is an unknown function of the file /admin/adminrunning.php. Performing a manipulation of the argument productname results in cross site scripting. It is possible to initiate the attack remotely. The exploit is now publi...

CVE-2026-5840

A security flaw has been discovered in PHPGurukul News Portal Project 4.1. Impacted is an unknown function of the file /admin/checkavailability.php. Performing a manipulation of the argument Username results in sql injection. Remote exploitation of the attack is possible. The exploit has been...

CVE-2026-5836

A vulnerability has been found in code-projects Online Shoe Store 1.0. Affected by this issue is some unknown functionality of the file /admin/adminproduct.php. The manipulation of the argument productname leads to cross site scripting. The attack can be initiated remotely. The exploit has been...

CVE-2026-10237

A vulnerability was found in SourceCodester Water Billing Management System 1.0. Impacted is an unknown function of the file /admin/?page=user/manageuser of the component User Management Module. Performing a manipulation of the argument ID results in sql injection. Remote exploitation of the atta...

CVE-2026-10558

A vulnerability was detected in SourceCodester Pizzafy Ecommerce System 1.0. Impacted is an unknown function of the file /admin/index.php. Performing a manipulation of the argument page results in file inclusion. The attack is possible to be carried out remotely. The exploit is now public and may...

CVE-2026-10271

A flaw has been found in a4m4 Student-Management-System up to f0c5f6842c5e8c431ff02b5260a565ca844df3a0. The affected element is an unknown function of the file admin/ of the component Admin Endpoint. This manipulation of the argument uid causes execution after redirect. It is possible to initiate...

CVE-2026-10815

A vulnerability was found in LakshayD02 Hostel-Management-System-PHP up to f87e67c283bab6f718faf2fec6ae39a13bd7036b. This issue affects some unknown processing of the file hostel/index.php of the component Admin Dashboard Page. The manipulation of the argument ID results in missing authorization...

CVE-2026-10265

A vulnerability was identified in itsourcecode Content Management System 1.0. Affected by this issue is some unknown functionality of the file /admin/edittopic.php. Such manipulation of the argument topicid leads to sql injection. The attack may be launched remotely. The exploit is publicly...

CVE-2026-36606

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 encrypts configuration backups with a hardcoded DES key using single DES in ECB mode. An attacker who obtains a backup file can decrypt it to recover all stored credentials including admin password, WiFi PSK, and DDNS credentials...

CVE-2026-36608

Mercusys AC12G EU V1 router with firmware AC12GEUV1200909 allows UPnP AddPortMapping to forward external ports to the router's own admin interface by accepting its own IP 192.168.1.1 or localhost 127.0.0.1 as InternalClient. An unauthenticated LAN attacker can expose the admin panel to the intern...

CVE-2026-36959

U-SPEED N300 router V1.0.0 does not implement rate limiting or account lockout protections on the /api/login endpoint. This allows an attacker on the local network to perform unlimited authentication attempts, enabling brute-force attacks against the administrator account and potential unauthoriz...

CVE-2026-36960

A Cross-Site Request Forgery CSRF vulnerability exists in the web management interface of the U-SPEED N300 Rounter V1.0.0. The device does not implement CSRF protection mechanisms such as anti-CSRF tokens or strict Origin/Referer validation for administrative API endpoints. An attacker can craft ...

CVE-2026-9095

Casdoor versions 2.362.0 and earlier map SAML assertions to user sessions without replay protection. The ParseSamlResponse function in object/samlsp.go calls sp.RetrieveAssertionInfo and immediately maps the result to a user session. There is no assertion ID cache, OneTimeUse condition enforcemen...

CVE-2026-9608

A vulnerability was determined in QianFox FoxCMS up to 1.2.6. The impacted element is an unknown function of the file /Tag/edit of the component Administrator Backend. Executing a manipulation can lead to cross site scripting. It is possible to launch the attack remotely. The exploit has been...

CVE-2026-9522

Improper access control in the PAM account discovery feature in Devolutions Server 2026.1.19 and earlier allows an authenticated user without administrative privileges to delete network discovery scan configurations...

CVE-2026-6489

A security flaw has been discovered in QueryMine sms up to 7ab5a9ea196209611134525ffc18de25c57d9593. This issue affects some unknown processing of the file admin/addteacher.php of the component Background Management Page. The manipulation of the argument image results in unrestricted upload. The...

CVE-2026-6495

The Ajax Load More WordPress plugin before 7.8.4 does not sanitise and escape a parameter before outputting it back in the page, leading to a Reflected Cross-Site Scripting which could be used against high privilege users such as admin...

CVE-2026-6633

A security flaw has been discovered in Yifang CMS up to 2.0.5. The impacted element is the function store of the file plugins/yifangbackendaccount/logic/admin/Lrbacadmin.php of the component Extended Management Module. The manipulation of the argument Account results in cross site scripting. The...