PoC Week 2026-03-16
The most featured CVEs in this week’s security newsletters, with public Proof-of-Concepts, ordered by mention count.
For the most up-to-date and accurate info, visit the NIST links. Always audit PoCs thoroughly before running them. I don’t vouch for any links in this list: follow them with caution.
CVE-2026-28289 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: FreeScout
- Description: FreeScout is affected by a remote code execution vulnerability resulting from a patch bypass in its file upload sanitization component. An attacker can circumvent security restrictions by using zero-width space characters in filenames to upload restricted file types such as .htaccess.
- Remediation:
- More Info: NVD - CVE-2026-28289
- PoC:
CVE-2026-24898 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: OpenEMR < 8.0.0
- Description: OpenEMR is a free and open source electronic health records and medical practice management application. Prior to 8.0.0, an unauthenticated token disclosure vulnerability in the MedEx callback endpoint allows any unauthenticated visitor to obtain the practice’s MedEx API tokens, leading to complete third-party service compromise, PHI exfiltration, unauthorized actions on the MedEx platform, and HIPAA violations. The vulnerability exists because the endpoint bypasses authentication ($ignoreAut…
- Remediation:
- More Info: NVD - CVE-2026-24898
- PoC:
CVE-2026-2628 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress, 2.2.5
- Description: The All-in-One Microsoft 365 & Entra ID / Azure AD SSO Login plugin for WordPress is vulnerable to authentication bypass in all versions up to, and including, 2.2.5. This makes it possible for unauthenticated attackers to bypass authentication and log in as other users, including administrators.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-2628
- PoC:
CVE-2026-1492 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin for WordPress, 5.1.2
- Description: The User Registration & Membership – Custom Registration Form Builder, Custom Login Form, User Profile, Content Restriction & Membership Plugin plugin for WordPress is vulnerable to improper privilege management in all versions up to, and including, 5.1.2. This is due to the plugin accepting a user-supplied role during membership registration without properly enforcing a server-side allowlist. This makes it possible for unauthenticated attackers to create administrator accounts by sup…
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-1492
- PoC:
CVE-2026-27636 NEW
- Severity: 8.8 HIGH
- Impacted Products: FreeScout
- Description: FreeScout is affected by an unrestricted file upload vulnerability that allows authenticated users to achieve remote code execution. This issue stems from a failure to include server configuration files, such as .htaccess or .user.ini, in the application’s restricted file extension list.
- Remediation:
- More Info: NVD - CVE-2026-27636
- PoC:
CVE-2026-20127
- Severity: 10.0 CRITICAL
- Impacted Products: Cisco Catalyst SD-WAN Controller, Cisco Catalyst SD-WAN Manager
- Description: Cisco Catalyst SD-WAN Controller and Cisco Catalyst SD-WAN Manager are affected by an authentication bypass vulnerability in the peering authentication mechanism. This flaw allows an unauthenticated remote attacker to gain administrative privileges and manipulate network configurations by sending crafted requests to the system.
- Remediation:
- More Info: NVD - CVE-2026-20127
- PoC:
CVE-2026-3703 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Wavlink NU516U1 251208
- Description: A flaw has been found in Wavlink NU516U1 251208. This affects the function sub_401A10 of the file /cgi-bin/login.cgi. Executing a manipulation of the argument ipaddr can lead to out-of-bounds write. The attack may be performed from remote. The exploit has been published and may be used. Upgrading the affected component is recommended. The vendor was contacted early, responded in a very professional manner and quickly released a fixed version of the affected product.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-3703
- PoC:
CVE-2026-30957 NEW
- Severity: 9.9 CRITICAL
- Impacted Products: OneUptime prior to version 10.0.21
- Description: OneUptime is affected by a remote code execution vulnerability in the oneuptime-probe component prior to version 10.0.21. This flaw allows an authenticated user to execute arbitrary commands on the server by leveraging exposed Playwright objects within the Synthetic Monitor environment.
- Remediation:
- More Info: NVD - CVE-2026-30957
- PoC:
CVE-2026-30863 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Parse Server
- Description: Parse Server is affected by an improper authentication vulnerability in its Google, Apple, and Facebook authentication adapters. This flaw allows an attacker to bypass identity verification by providing a JSON Web Token (JWT) issued for a different application.
- Remediation:
- More Info: NVD - CVE-2026-30863
- PoC:
CVE-2026-30862 NEW
- Severity: 9.0 CRITICAL
- Impacted Products: Appsmith, 1.96
- Description: Appsmith is a platform to build admin panels, internal tools, and dashboards. Prior to 1.96, a Critical Stored XSS vulnerability exists in the Table Widget (TableWidgetV2). The root cause is a lack of HTML sanitization in the React component rendering pipeline, allowing malicious attributes to be interpolated into the DOM. By leveraging the “Invite Users” feature, an attacker with a regular user account (user@gmail.com) can force a System Administrator to execute a high-privileged API call (/…
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-30862
- PoC:
CVE-2026-29042 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Nuclio versions prior to 1.15.20
- Description: Nuclio versions prior to 1.15.20 are affected by a command injection vulnerability in the Shell Runtime component. This flaw allows an attacker with function invocation permissions to execute arbitrary operating system commands by providing malicious input in HTTP headers.
- Remediation:
- https://github.com/nuclio/nuclio/commit/5352d7e16cf92f4350a2f8d806c4b80b626b5c5a
- [Security] Fix CVE-2026-29042 - OS Command Injection in shell runtime by rokatyy · Pull Request #4030 · nuclio/nuclio · GitHub
- Nuclio Shell Runtime Command Injection Leading to Privilege Escalation · Advisory · nuclio/nuclio · GitHub
- More Info: NVD - CVE-2026-29042
- PoC:
CVE-2026-29000 NEW
- Severity: 9.1 CRITICAL
- Impacted Products: pac4j-jwt 4.5.9, pac4j-jwt 5.7.9, pac4j-jwt 6.3.3
- Description: pac4j-jwt versions prior to 4.5.9, 5.7.9, and 6.3.3 are affected by an authentication bypass vulnerability in the JwtAuthenticator component when processing encrypted JSON Web Tokens (JWTs). This flaw allows remote attackers to forge authentication tokens and impersonate any user, including administrators, by providing a specially crafted encrypted token.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-29000
- PoC:
CVE-2026-28802 NEW
- Severity: 7.3 HIGH
- Impacted Products: Authlib 1.6.5 to before 1.6.7
- Description: Authlib is a Python library which builds OAuth and OpenID Connect servers. From version 1.6.5 to before version 1.6.7, previous tests involving passing a malicious JWT containing alg: none and an empty signature were passing the signature verification step without any changes to the application code when a failure was expected. This issue has been patched in version 1.6.7.
- Remediation:
- More Info: NVD - CVE-2026-28802
- PoC:
CVE-2026-28794 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: @orpc/client < 1.13.6
- Description: oRPC is a tool that helps build APIs that are end-to-end type-safe and adhere to OpenAPI standards. Prior to version 1.13.6, a prototype pollution vulnerability exists in the RPC JSON deserializer of the @orpc/client package. The vulnerability allows unauthenticated, remote attackers to inject arbitrary properties into the global Object.prototype. Because this pollution persists for the lifetime of the Node.js process and affects all objects, it can lead to severe security breaches, includin…
- Remediation:
- More Info: NVD - CVE-2026-28794
- PoC:
CVE-2026-27966 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Langflow < 1.8.0
- Description: Langflow is affected by a remote code execution vulnerability in its CSV Agent node due to improper control of code generation. An attacker can exploit this flaw via prompt injection to execute arbitrary Python and operating system commands on the host server.
- Remediation:
- More Info: NVD - CVE-2026-27966
- PoC:
CVE-2026-27944 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Nginx UI prior to version 2.3.3
- Description: Nginx UI is affected by an unauthenticated information disclosure vulnerability in the /api/backup endpoint that allows for the theft and decryption of system backups. This flaw exists because the application fails to require authentication for backup downloads and exposes encryption keys in response headers.
- Remediation:
- More Info: NVD - CVE-2026-27944
- PoC:
CVE-2026-27849 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: MR9600: 1.0.4.205530, MX4200: 1.0.13.210200
- Description: Due to missing neutralization of special elements, OS commands can be injected via the update functionality of a TLS-SRP connection, which is normally used for configuring devices inside the mesh network. This issue affects MR9600: 1.0.4.205530; MX4200: 1.0.13.210200.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-27849
- PoC:
CVE-2026-27626 NEW
- Severity: 9.9 CRITICAL
- Impacted Products: OliveTin 3000.10.0
- Description: OliveTin is affected by an OS command injection vulnerability that allows for arbitrary code execution through improper input validation in its shell command interface. This issue stems from two distinct vectors involving the failure to sanitize password-typed arguments and the bypass of safety checks during webhook processing.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-27626
- PoC:
CVE-2026-27606 NEW
- Severity: 9.1 CRITICAL
- Impacted Products: Rollup < 2.80.0, Rollup < 3.30.0, Rollup < 4.59.0
- Description: Rollup is affected by a path traversal vulnerability in its core engine that allows for arbitrary file writes. This issue exists in versions prior to 2.80.0, 3.30.0, and 4.59.0, enabling an attacker to bypass directory restrictions by providing malicious output filenames containing traversal sequences.
- Remediation:
- More Info: NVD - CVE-2026-27606
- PoC:
CVE-2026-27507
- Severity: 9.8 CRITICAL
- Impacted Products: Binardat 10G08-0800GSM network switch firmware V300SP10260209 and prior
- Description: Binardat 10G08-0800GSM network switch firmware version V300SP10260209 and prior contain hard-coded administrative credentials that cannot be changed by users. Knowledge of these credentials allows full administrative access to the device.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-27507
- PoC:
CVE-2026-26198
- Severity: 9.8 CRITICAL
- Impacted Products: Ormar 0.9.9, Ormar 0.10.0, Ormar 0.11.0, Ormar 0.12.0, Ormar 0.13.0
- Description: Ormar is an async mini ORM for Python. In versions 0.9.9 through 0.22.0, when performing aggregate queries, Ormar ORM constructs SQL expressions by passing user-supplied column names directly into sqlalchemy.text() without any validation or sanitization.
- Remediation:
- More Info: NVD - CVE-2026-26198
- PoC:
CVE-2026-26030
- Severity: 9.9 CRITICAL
- Impacted Products: Semantic Kernel Python SDK, versions prior to 1.39.4
- Description: Semantic Kernel, Microsoft’s semantic kernel Python SDK, has a remote code execution vulnerability in versions prior to 1.39.4, specifically within the InMemoryVectorStore filter functionality. The problem has been fixed in version python-1.39.4. Users should upgrade to this version or higher. As a workaround, avoid using InMemoryVectorStore for production scenarios.
- Remediation:
- More Info: NVD - CVE-2026-26030
- PoC:
CVE-2026-25177 NEW
- Severity: 8.8 HIGH
- Impacted Products: Active Directory Domain Services
- Description: Improper restriction of names for files and other resources in Active Directory Domain Services allows an authorized attacker to elevate privileges over a network.
- Remediation:
- More Info: NVD - CVE-2026-25177
- PoC:
CVE-2025-69985 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: FUXA 1.2.8 and prior
- Description: FUXA 1.2.8 and prior contains an Authentication Bypass vulnerability leading to Remote Code Execution (RCE). The vulnerability exists in the server/api/jwt-helper.js middleware, which improperly trusts the HTTP “Referer” header to validate internal requests. A remote unauthenticated attacker can bypass JWT authentication by spoofing the Referer header to match the server’s host. Successful exploitation allows the attacker to access the protected /api/runscript endpoint and execute arbitrary N…
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2025-69985
- PoC:
CVE-2025-62878 NEW
- Severity: 9.9 CRITICAL
- Impacted Products: Rancher Local Path Provisioner
- Description: A malicious user can manipulate the parameters.pathPattern to create PersistentVolumes in arbitrary locations on the host node, potentially overwriting sensitive files or gaining access to unintended directories.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2025-62878
- PoC:
CVE-2025-54309
- Severity: 9.8 CRITICAL
- Impacted Products: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23
- Description: CrushFTP 10 before 10.8.5 and 11 before 11.3.4_23, when the DMZ proxy feature is not used, mishandles AS2 validation and consequently allows remote attackers to obtain admin access via HTTPS, as exploited in the wild in July 2025.
- Remediation: Follow developer advice.
- More Info: NVD - CVE-2025-54309
- PoC: https://github.com/issamjr/CVE-2025-54309-EXPLOIT
CVE-2025-50187 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Chamilo 1.11.27, Chamilo 1.11.26, Chamilo 1.11.25, Chamilo 1.11.24, Chamilo 1.11.23
- Description: Chamilo is a learning management system. Prior to version 1.11.28, parameter from SOAP request is evaluated without filtering which leads to Remote Code Execution. This issue has been patched in version 1.11.28.
- Remediation:
- More Info: NVD - CVE-2025-50187
- PoC:
CVE-2025-31161
- Severity: 10.0 CRITICAL
- Impacted Products: CrushFTP 10.0.0 through 10.8.3, CrushFTP 11.0.0 through 11.3.0
- Description: CrushFTP versions 10.0.0 through 10.8.3 and 11.0.0 through 11.3.0 are affected by a vulnerability in the S3 authorization header processing that allows authentication bypass. Remote and unauthenticated HTTP requests to CrushFTP with known usernames can be used to impersonate a user and conduct actions on their behalf, including administrative actions and data retrieval.
- Remediation:
- More Info: NVD - CVE-2025-31161
- PoC:
CVE-2025-15467
- Severity: 9.8 CRITICAL
- Impacted Products: OpenSSL
- Description: OpenSSL is affected by a stack-based buffer overflow vulnerability when parsing Cryptographic Message Syntax (CMS) structures, which can lead to a denial of service or arbitrary code execution. This issue occurs when the library processes maliciously crafted messages containing oversized Initialization Vectors (IV) in certain Authenticated Encryption with Associated Data (AEAD) cipher configurations.
- Remediation:
- More Info: NVD - CVE-2025-15467
- PoC:
CVE-2025-1242 NEW
- Severity: 9.1 CRITICAL
- Impacted Products: Gardyn IoT Hub
- Description: The administrative credentials can be extracted through application API responses, mobile application reverse engineering, and device firmware reverse engineering. The exposure may result in an attacker gaining full administrative access to the Gardyn IoT Hub exposing connected devices to malicious control.
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2025-1242
- PoC:
CVE-2024-4040
- Severity: 10.0 CRITICAL
- Impacted Products: CrushFTP versions before 10.7.1 and 11.1.0 across all platforms
- Description: CVE-2024-4040 is a critical server-side template injection vulnerability in CrushFTP, allowing unauthenticated remote attackers to read files from the filesystem outside of the VFS Sandbox, bypass authentication, and perform remote code execution.
- Remediation: Update CrushFTP to version 10.7.1 or 11.1.0 to mitigate this vulnerability.
- More Info: NVD - CVE-2024-4040
- PoC: https://github.com/rbih-boulanouar/CVE-2024-4040/tree/main
CVE-2021-22054 NEW
- Severity: 7.5 HIGH
- Impacted Products: VMware Workspace ONE UEM console
- Description: VMware Workspace ONE UEM console contains a Server Side Request Forgery (SSRF) vulnerability. VMware has evaluated the severity of this issue to be in the Critical severity range with a maximum CVSSv3 base score of 9.1.
- Remediation:
- More Info: NVD - CVE-2021-22054
- PoC:
CVE-2026-3224 NEW
- Severity: 9.8 CRITICAL
- Impacted Products: Microsoft Entra ID, Devolutions Server 2025.3.15.0 and earlier
- Description: Authentication bypass in the Microsoft Entra ID (Azure AD) authentication mode in Devolutions Server 2025.3.15.0 and earlier allows an unauthenticated user to authenticate as an arbitrary Entra ID user via a forged JSON Web Token (JWT).
- Remediation:
- More Info: NVD - CVE-2026-3224
- PoC:
CVE-2026-20131 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: Cisco Secure Firewall Management Center (FMC) Software
- Description: Cisco Secure Firewall Management Center (FMC) Software is affected by a vulnerability in its web-based management interface that allows an unauthenticated, remote attacker to execute arbitrary Java code with root privileges. This flaw is caused by the insecure deserialization of user-supplied Java byte streams.
- Remediation:
- More Info: NVD - CVE-2026-20131
- PoC:
CVE-2026-20079 NEW
- Severity: 10.0 CRITICAL
- Impacted Products: Cisco Secure Firewall Management Center (FMC) Software
- Description: Cisco Secure Firewall Management Center (FMC) Software is affected by an authentication bypass vulnerability in its web interface. This flaw allows a remote, unauthenticated attacker to execute arbitrary scripts and obtain root access to the underlying operating system.
- Remediation:
- More Info: NVD - CVE-2026-20079
- PoC:
CVE-2026-0628
- Severity: 8.8 HIGH
- Impacted Products: Google Chrome versions prior to 143.0.7499.192
- Description: Google Chrome is affected by a vulnerability involving insufficient policy enforcement in the tag component. This flaw allows a malicious extension to inject scripts or HTML into privileged browser pages, such as internal settings pages.
- Remediation:
- More Info: NVD - CVE-2026-0628
- PoC:
CVE-2026-31816 NEW
- Severity: 9.1 CRITICAL
- Impacted Products: Budibase 3.31.4 and earlier
- Description: Budibase is a low code platform for creating internal tools, workflows, and admin panels. In 3.31.4 and earlier, the Budibase server’s authorized() middleware that protects every server-side API endpoint can be completely bypassed by appending a webhook path pattern to the query string of any request. The isWebhookEndpoint() function uses an unanchored regex that tests against ctx.request.url, which in Koa includes the full URL with query parameters. When the regex matches, the authorized() m…
- Remediation: Follow vendor security advisories and apply the latest patches. Review affected systems and prioritize patching based on exploitability and business impact.
- More Info: NVD - CVE-2026-31816
- PoC:
References
This list was scraped from the quite amazing and highly recommended newsletters below:
Thanks for reading! For corrections, omissions (e.g. newsletter recs) feel free to get in touch.